How to use managed policy with iam role-CodePudding

I am using terragrunt to call my terraform module.I have one terragrunt.hcl for my dev and another for testing environment.I would like to be able to attach AWS Managed policy(AdministratorAccess) to my Dev account and (AmazonEC2FullAccess) to my testing account using input variable so that I can remove the policy line in my aws_iam_role_policy section

terragrunt.hcl

terraform {
  source = "..//module/vpc"
}


include {
  path = find_in_parent_folders()
}

inputs = {

 
} 


main.tf
resource "aws_iam_role" "GitHubActions" {
  name = var.GithubAction_role

  assume_role_policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal":{
      "Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
    }
}
EOF
}




resource "aws_iam_role_policy" "GitHubActions"{
  name = var.policy
  role = aws_iam_role.GitHubActions.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement":[
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EOF
}

CodePudding user response：

I'm not sure to fully understand your question. You cannot attach an IAM Policy to an account. However, you can attach it to an IAM Role which seems to be your goal here? If yes, you can use a data source:

data "aws_iam_policy" "AmazonEC2FullAccess" {
  arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_role_policy_attachment" "attachment" {
  role       = aws_iam_role.GitHubActions.name
  policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
}

See iam_role_policy_attachment and iam policy data source.