Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do you dynamically create an AWS IAM policy document with a variable number of resource blocks using terraform?

In my current terraform configuration I am using a static JSON file and importing into terraform using the file function to create an AWS IAM policy.

Terraform code:

resource "aws_iam_policy" "example" {
  policy = "${file("policy.json")}"
}

AWS IAM Policy definition in JSON file (policy.json):

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-2",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::777788889999:root"
                ]
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::444455556666:root"
                ]
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

My goal is to use a list of account numbers stored in a terraform variable and use that to dynamically build the aws_iam_policy resource in terraform. My first idea was to try and use the terraform jsonencode function. However, it looks like there might be a way to implement this using the new terraform dynamic expressions foreach loop.

The sticking point seems to be appending a variable number of resource blocks in the IAM policy.

Pseudo code below:

var account_number_list = ["123","456","789"]
policy = {"Statement":[]}
for each account_number in account_number_list:
    policy["Statement"].append(policy block with account_number var reference)

Any help is appreciated.

Best, Andrew

like image 1000
andrew citera Avatar asked Sep 06 '19 15:09

andrew citera


People also ask

What is dynamic function in Terraform?

Terraform dynamic blocks are a special Terraform block type that provide the functionality of a for expression by creating multiple nested blocks. The need to create identical (or similar) infrastructure resources is common.


1 Answers

The aws_iam_policy_document data source from aws gives you a way to create json policies all in terraform, without needing to import raw json from a file or from a multiline string.

Because you define your policy statements all in terraform, it has the benefit of letting you use looping/filtering on your principals array.

In your example, you could do something like:

data "aws_iam_policy_document" "example_doc" {
  statement {
    sid = "Enable IAM User Permissions"
    effect = "Allow"

    actions = [
      "kms:*"
    ]

    resources = [
      "*"
    ]

    principals {
      type = "AWS"
      identifiers = [
        for account_id in account_number_list:
        account_id
      ]
    }
  }

  statement {
    ...other statements...
  }
}

resource "aws_iam_policy" "example" {
  // For terraform >=0.12
  policy = data.aws_iam_policy_document.example_doc.json

  // For terraform <0.12
  policy = "${data.aws_iam_policy_document.example_doc.json}"
}
like image 108
David Mattia Avatar answered Sep 22 '22 14:09

David Mattia