-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
iam_role_additional_policies and external IAM Roles #30
Comments
@ZhijieWang Thanks for raising this issue. Would you be able to raise a PR with the solution you mentioned? |
I ended up creating a pull request for this. I implemented the proposed solution- the the chain-wrapping of toset(), concat() etc were unnecessary in the end, since if the data type is |
Would be good to merge this PR soon. Currently, it seems there is no way to grant additional permissions to the IAM role, since |
What is the intended way to add policies, currently (v0.0.5)? data "aws_iam_policy" "secretsmanager_read_write" {
arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
}
module "mwaa" {
...
create_iam_role = true # optional, added for clarity
iam_role_additional_policies = {
"does_this_key_have_any_significance" = data.aws_iam_policy.secretsmanager_read_write.arn
}
} I that correct? |
Yes, looks correct and how we have been doing it as well. The key does not have much significance, apart from that it has to be unique, I think. |
When bringing external iam role with below config
TF throws below error
Upon verification, terraform-aws-eks uses a similar pattern, but with different variable types
iam_role_additional_policies
in var should bemap(string)
rather thanlist(string)
Also, the
if
conditional should not be checking external role, it should be checkingcreate_iam_role
The concact should enclose
var.iam_role_additional_policies
with[]
. Detail see below screenshotif needed, we can discuss about the detail using aws internal channels.
The text was updated successfully, but these errors were encountered: