add several rights to IAM role using Terraform

Time:06-04

I am trying to adapt an existing TF file so that an IAM role can now have 2 roles/rights: AmazonSageMakerFullAccess and AmazonEC2FullAccess. I have 2 files, terraform.tfvars and iam.tf. The former contains:

iam_policy_arn = [
    "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess", 
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
]

and the latter:

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

# so that sagemaker can push docker image(s) to ECR
# https://stackoverflow.com/questions/45486041/how-to-attach-multiple-iam-policies-to-iam-roles-using-terraform
# Define policy ARNs as a list
variable "iam_policy_arn" {
  description = "IAM policies to be attached to the role"
  type        = list(string)
}

# Then iterate over the list using count (one attachment per ARN)
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
  count      = length(var.iam_policy_arn)
  role       = var.iam_role_name
  policy_arn = var.iam_policy_arn[count.index]
}

My GitHub Action now produces:

  on iam.tf line 19:
│  19: variable "iam_policy_arn" {
│
│The root module input variable "iam_policy_arn" is not set, and has no
│default value. Use a -var or -var-file command line argument to provide a
│value for this variable.
╵
Enter a value:
Error: Process completed with exit code 1.

Any idea? Thanks!

CodePudding user response:

Did you specify the tfvars file? If yes check for typos.

If your file name is correct. Apply the following

terraform apply -var-file="terraform.tfvars"

CodePudding user response:

The issue was that .gitignore prevents .tfvars file pushes, so GitHub Actions would not get the file. Otherwise, I adapted the original code as well (bear with me, TF newbie!):

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "notebook_iam_role" {
  name               = "blablabla"
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

# so that sagemaker can push docker image(s) to ECR as well
# https://stackoverflow.com/questions/45486041/how-to-attach-multiple-iam-policies-to-iam-roles-using-terraform
# Define policy ARNs as a list
variable "iam_policy_arn" {
  description = "IAM policies to be attached to the role"
  type        = list(string)
}

# Then iterate over the list using count (one attachment per ARN).
# Referencing the role resource instead of repeating the literal name
# lets Terraform create the role before attaching policies to it.
resource "aws_iam_role_policy_attachment" "sm_full_access_attach" {
  count      = length(var.iam_policy_arn)
  role       = aws_iam_role.notebook_iam_role.name
  policy_arn = var.iam_policy_arn[count.index]
}
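An added example (not the asker's or the answerer's code) of the same role and attachments, keyed on the policy ARN with for_each rather than count, so that removing one ARN from the list does not destroy and recreate the other attachments, with the ARNs validated before a plan is produced. The role name is an assumption.

```hcl
# Added example: SageMaker execution role with ARN-keyed policy attachments.
data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

# No default on purpose: a CI run that does not receive the list fails
# loudly instead of silently creating a role with no policies attached.
variable "iam_policy_arn" {
  description = "Managed policy ARNs to attach to the SageMaker role"
  type        = list(string)

  validation {
    # accept AWS-managed (account field "aws") or customer-managed (12-digit account) policy ARNs
    condition = alltrue([
      for arn in var.iam_policy_arn :
      can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", arn))
    ])
    error_message = "Each entry must be an IAM managed policy ARN (arn:aws:iam::aws:policy/... or arn:aws:iam::<account-id>:policy/...)."
  }
}

resource "aws_iam_role" "notebook_iam_role" {
  name               = "sagemaker-notebook-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

# One attachment per ARN; the resource address is the ARN itself, not a list index.
resource "aws_iam_role_policy_attachment" "sm_full_access_attach" {
  for_each   = toset(var.iam_policy_arn)
  role       = aws_iam_role.notebook_iam_role.name
  policy_arn = each.value
}
```

In GitHub Actions the list can be supplied without committing a tfvars file, for example by setting TF_VAR_iam_policy_arn='["arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]' in the job environment (list values in TF_VAR_ variables are written in HCL syntax). The FullAccess policies are broad AWS-managed policies; the same pattern accepts a scoped customer-managed policy ARN once one is written for the notebook's actual needs.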