aws_iam_policy as a data source #1346
Labels: enhancement, new-data-source, service/iam
This issue was originally opened by @colout as hashicorp/terraform#15734. It was migrated here as a result of the provider split. The original body of the issue is below.
Hello,

Is it currently on your roadmap to create a data source for `aws_iam_policy`?

I built some `aws_iam_policy`s in a single state, and I consume them in higher states (I plan to have dozens of states apply these shared policies). The specific use case is to generate some shared policies that every instance's `aws_iam_instance_profile` would apply a-la-carte (describing EC2 tags, access to an S3 bucket, etc.).

I identified two ways of accomplishing this via Terraform, and neither is ideal:

1. We can define some `aws_iam_policy_document`s on the lower state and query for them using `"${data.aws_iam_policy_document.policy_name.json}"`. This is far from ideal since we plan on spinning up hundreds of ASGs, and this creates a giant mess in the AWS console. On top of this, adding a single new policy to all instances could exponentially increase our policy count (we'll be forced to request less-than-sane AWS account limits).

2. The other option is to piece together the policy ARN using our namespacing prefix and our account number (which we'll have to input to the state as a variable now). This doesn't feel like an ideal pattern for Terraform, but it works:

```
arn:aws:iam::${var.aws_account_id}:policy/${var.environment_namespace}.ec2_describetags
```

Thanks, and keep up the great work!

Edit: I typo'd `aws_iam_role` in the first sentence when I meant `aws_iam_policy`.
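As an added illustration (not part of the original issue or the provider's own docs), here is the second workaround from the issue, the hand-built ARN, beside the `aws_iam_policy` data source lookup the issue asks for, which the AWS provider has since shipped with an `arn` argument. It uses Terraform 0.12+ syntax, reads the account id from `aws_caller_identity` instead of a `var.aws_account_id` input, and the role and policy names are assumed.

```hcl
variable "environment_namespace" {}

# Account id from the running credentials, so the consuming state does not
# need an aws_account_id variable (assumption: same account as the policies)
data "aws_caller_identity" "current" {}

locals {
  # Assumed naming convention from the issue: "<namespace>.ec2_describetags"
  describetags_policy_name = "${var.environment_namespace}.ec2_describetags"

  # Workaround 2 from the issue: assemble the managed policy ARN by hand
  describetags_policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${local.describetags_policy_name}"
}

# The requested data source: resolve the shared policy by ARN; a missing or
# misspelled policy then fails at plan time instead of at attach time
data "aws_iam_policy" "ec2_describetags" {
  arn = local.describetags_policy_arn
}

# Trust policy so EC2 can assume the role (assumed; not in the issue)
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "${var.environment_namespace}.instance" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Attach the shared managed policy a-la-carte: one attachment per role
# rather than one copied policy per ASG, so the policy count stays flat
resource "aws_iam_role_policy_attachment" "describetags" {
  role       = aws_iam_role.instance.name
  policy_arn = data.aws_iam_policy.ec2_describetags.arn
}

resource "aws_iam_instance_profile" "instance" {
  name = aws_iam_role.instance.name
  role = aws_iam_role.instance.name
}
```

The data source also exports the policy document as `data.aws_iam_policy.ec2_describetags.policy`, which lets a consuming state inspect the granted actions without exposing JSON through remote state outputs.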