I am using terragrunt to call my terraform module. I have one terragrunt.hcl for my dev and another for my testing environment. I would like to be able to attach the AWS managed policy AdministratorAccess to my dev account and AmazonEC2FullAccess to my testing account using an input variable, so that I can remove the policy line in my aws_iam_role_policy section.
terragrunt.hcl
terraform {
  source = "..//module/vpc"
}

include {
  path = find_in_parent_folders()
}

inputs = {
}
main.tf
# Input variables referenced below (declarations were not shown in the question)
variable "GithubAction_role" {
  type = string
}

variable "policy" {
  type = string
}

resource "aws_iam_role" "GitHubActions" {
  name = var.GithubAction_role
  # Trust policy: the GitHub OIDC provider (referenced but not shown in the question)
  # may assume this role. Note there is no Condition on the token's "sub"/"aud"
  # claims, so any GitHub Actions workflow presenting a token from this provider
  # could assume the role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {
      "Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
    }
  }
}
EOF
}

resource "aws_iam_role_policy" "GitHubActions" {
  name = var.policy
  role = aws_iam_role.GitHubActions.id
  # Inline policy granting every action on every resource
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EOF
}
CodePudding user response:
I'm not sure I fully understand your question. You cannot attach an IAM policy to an account. However, you can attach it to an IAM role, which seems to be your goal here? If yes, you can use a data source:
data "aws_iam_policy" "AmazonEC2FullAccess" {
  # Look up the AWS managed policy by ARN so Terraform verifies it exists at plan time
  arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_role_policy_attachment" "attachment" {
  role       = aws_iam_role.GitHubActions.name
  policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
}
See the aws_iam_role_policy_attachment resource and the aws_iam_policy data source.
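One way to turn the managed policy into a per-environment input, as an added example (not the asker's or the answerer's code): the variable name managed_policy_arns, the data source and attachment block names, and the dev/ and test/ folder layout for the two terragrunt.hcl files are assumptions.

```hcl
# --- module/vpc/variables.tf ---
variable "managed_policy_arns" {
  description = "AWS managed policy ARNs to attach to the GitHub Actions role; set per environment in terragrunt inputs"
  type        = set(string)
  default     = []
}

# --- module/vpc/main.tf ---
# Resolve each ARN through the data source so a mistyped policy fails at plan time
data "aws_iam_policy" "managed" {
  for_each = var.managed_policy_arns
  arn      = each.value
}

# One attachment per resolved policy; keys are the ARNs, so adding or removing
# an ARN in inputs only touches that single attachment
resource "aws_iam_role_policy_attachment" "managed" {
  for_each   = data.aws_iam_policy.managed
  role       = aws_iam_role.GitHubActions.name
  policy_arn = each.value.arn
}

# --- dev/terragrunt.hcl (inputs block; terraform/include blocks as in the question) ---
inputs = {
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

# --- test/terragrunt.hcl ---
inputs = {
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"]
}
```

With the attachments driven by the variable, the inline aws_iam_role_policy granting "Action": "*" can be removed entirely rather than just its policy line, so the testing role is limited to what AmazonEC2FullAccess grants instead of keeping a wildcard inline policy alongside it.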