Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add aws_iam_assume_role_policy resource #6399

Closed
ctreatma opened this issue Nov 8, 2018 · 3 comments · May be fixed by #6612
Closed

Add aws_iam_assume_role_policy resource #6399

ctreatma opened this issue Nov 8, 2018 · 3 comments · May be fixed by #6612
Labels
new-resource Introduces a new resource. proposal Proposes new design or functionality. service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@ctreatma
Copy link
Contributor

ctreatma commented Nov 8, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In some companies, teams do not have the ability to create their own IAM roles, but they are able to manage the permissions & assume role policy for those roles once the roles are created by a governance team. Such teams cannot easily use the aws_iam_role resource, since it will attempt (and fail) to create the role on first run. Teams can manually import the role, but that adds an error-prone manual step to infrastructure automation and discourages the use of more roles that have fewer permissions (encouraging, instead, the use of over-permissioned roles that are shared between components).

While it's possible to manage the assume role policy directly with a null_resource and the aws CLI, this does not react to changes made outside of terraform, so that solution requires added monitoring to ensure the assume role policy is kept in line with terraform configuration.

The introduction of an aws_iam_assume_role_policy resource would enable teams working under similar governance policies to manage the assume role policy for any of their IAM roles without relying on manually importing roles or additional monitoring to keep real resources aligned with configuration.

New or Affected Resource(s)

  • aws_iam_assume_role_policy

Potential Terraform Configuration

data "aws_iam_role" "my_role_for_lambda" {
  name = "governance-lambda-role"
}

data "aws_iam_policy_document" "allow_lambda" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_assume_role_policy" "my_role_for_lambda" {
  role_name          = "${data.aws_iam_role.my_role_for_lambda.name}"
  assume_role_policy = "${data.aws_iam_policy_document.allow_lambda.json}"
}

References
@bflad bflad added new-resource Introduces a new resource. proposal Proposes new design or functionality. service/iam Issues and PRs that pertain to the iam service. labels Nov 8, 2018
@monkey-jeff
Copy link

I might recommend that the resource is called "aws_iam_assume_role_policy_attachment" or something to keep consistent with other naming conventions in terraform

@ctreatma ctreatma mentioned this issue Nov 27, 2018
Open
3 tasks
ctreatma added a commit to ctreatma/terraform-provider-aws that referenced this issue Jan 3, 2020
@ctreatma
Closes hashicorp#6399: Adds an aws_iam_assume_role_policy resource
12464f3 
This adds a resource that can be used to update the assume role
policy for an IAM role created outside of terraform, without the
need to import that role into terraform state manually.

This is useful in cases where a team using terraform is allowed
to manage permissions for IAM roles, but does not have access to
create or delete IAM roles.
@github-actions
Copy link

github-actions bot commented Nov 3, 2020

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Nov 3, 2020
@github-actions github-actions bot closed this as completed Dec 4, 2020
@ghost
Copy link

ghost commented Jan 4, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
new-resource Introduces a new resource. proposal Proposes new design or functionality. service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Closes #6399: Adds an aws_iam_assume_role_policy resource ctreatma/terraform-provider-aws
3 participants
@bflad @ctreatma @monkey-jeff