DEVHIDE
Login Or Sign up

How to create multiple policies and policy attachments for each iam group terraform

1k Views Asked by At

So I have multiple IAM groups which I am looping through as follows :

resource "aws_iam_group" "all_iam_groups" {
  for_each = var.iam_user_groups
  name     = "${local.csi}-${each.key}"
  path     = "/"

}

This will create multiple IAM groups. Now for each IAM groups I will have an IAM Policy which I will attatch. Rather than having to do it manually and create multiple resources what is the best approach to take here. So far I have been doing it as follows :

resource "aws_iam_policy" "finance_read_only" {
        name   = "${local.csi}-finance-read-only"
        path   = "/"
        policy = data.aws_iam_policy_document.finance_read_only.json
}



resource "aws_iam_policy" "security_read_only" {
        name   = "${local.csi}-security-read-only"
        path   = "/"
        policy = data.aws_iam_policy_document.security_read_only.json
}



 resource "aws_iam_group_policy_attachment" "security_read_only" {
  group      = aws_iam_group.security_team.name
   policy_arn = aws_iam_policy.security_read_only.arn
  }

  resource "aws_iam_group_policy_attachment" "finance_read_only" {
  group      = aws_iam_group.finance_team.name
   policy_arn = aws_iam_policy.finance_read_only.arn
  }

For example purposes I have added in the group names but I know i can use a for-each loop to go through the names but am not sure how I would be able to look through the IAM Policies and policy attatchments.

I do understand that I will have multiple aws_iam_policy_document which is fine.

amazon-web-services foreach terraform amazon-iam policies
Original Q&A
1

There are 1 best solutions below

1
javierlga On

There's a direct relationship between the following resources: aws_iam_policy , the data source for aws_iam_policy_document, the aws_iam_group_policy_attachment and the aws_iam_group resource.

My suggestion is to create a variable of a list of objects type, where you define different attributes that are needed for the resources required.

Example:

variable "policies" {
  type = list(object({
    name      = string
    statement = object
  }))
  default = [
    {
      name = "finance-read-only"
      statement = {
        sid       = "XXX"
        actions   = ["ec2:XXX"]
        resources = ["XXX"]
      }
    },
    {
      name = "security-read-only"
      statement = {
        sid       = "XXX"
        actions   = ["ec2:XXX"]
        resources = ["XXX"]
      }
    }
  ]
}

data "aws_iam_policy_document" "this" {
  for_each = { for policy in var.policies : policy.name => policy }

  statement = each.value.statement
}

resource "aws_iam_policy" "this" {
  for_each = { for policy in var.policies : policy.name => policy }

  name   = format("${local.csi}-%s", each.key)
  path   = "/"
  policy = data.aws_iam_policy_document.this[each.key].json
}

resource "aws_iam_group" "this" {
  for_each = { for policy in var.policies : policy.name => policy }

  name = each.key
}

resource "aws_iam_group_policy_attachment" "security_read_only" {
  for_each = { for policy in var.policies : policy.name => policy }

  group      = aws_iam_group.this[each.key].name
  policy_arn = aws_iam_policy.this[each.key].arn
}

Related Questions in AMAZON-WEB-SERVICES

Related Questions in FOREACH

Related Questions in TERRAFORM

Related Questions in AMAZON-IAM

Related Questions in POLICIES

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.