I am creating an IAM role for task execution. I have already done it in CloudFormation and now I am doing it in Terraform, but the problem I am stuck on is that in CloudFormation there is an attribute to give ManagedPolicyArns, but how would you give it in Terraform? I am attaching both scripts. The Terraform script is incomplete, which is where I need help, while the CloudFormation script is complete and I want to replicate it in Terraform.

Terraform:

resource "aws_iam_role" "task_execution" {
  name               = "task-execution-${terraform.workspace}"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "ecs-tasks.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": "",
        "path": "/",
        }
  ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}

Cloudformation

---
AWSTemplateFormatVersion: 2010-09-09 
Parameters:
  Env:
    Type: String
Resources:
  ExRole:
      Type: 'AWS::IAM::Role'
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ecs-tasks.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Path: /
        RoleName: !Sub "excutionrole-${Env}"
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        Policies: 
          - PolicyName: AccessECR
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: 
                    - ecr:BatchGetImage
                    - ecr:GetAuthorizationToken
                    - ecr:GetDownloadUrlForLayer 
                  Resource: '*'

  • Does this answer your question? [Terraform: correct way to attach AWS managed policies to a role?](https://stackoverflow.com/questions/45002292/terraform-correct-way-to-attach-aws-managed-policies-to-a-role) – Lamanus Aug 16 '20 at 13:53

2 Answers

In Terraform, you can attach policies to a role using the iam_role_policy_attachment resource:

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.test_role.name
  # ARN of the managed policy to attach, e.g. the ECS task execution policy
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

assume_role_policy is used only for the trust relationship (i.e. who/what can assume the role). Thus, your aws_iam_role should be:

resource "aws_iam_role" "test_role" {
  name = "s3_access"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
              "Service": "ecs-tasks.amazonaws.com"
              },
            "Action": "sts:AssumeRole"            
        }
    ]
}
EOF

  tags = {
    tag-key = "tag-value"
  }
}

Then, the required permissions could be attached to the role as follows:

resource "aws_iam_role_policy_attachment" "ecs-task-permissions" {
  role       = aws_iam_role.test_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_iam_role_policy" "ecr-access" {
  name = "ecs-access"
  role = aws_iam_role.test_role.name

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}

  • it gives an error `Error: "assume_role_policy" contains an invalid JSON: invalid character '}' looking for beginning of object key string` –  Aug 17 '20 at 02:22
  • @aws-noob Does it say which line? – Marcin Aug 17 '20 at 02:24
  • ``` on modules/Iam_role/main.tf line 1, in resource "aws_iam_role" "task_execution": 1: resource "aws_iam_role" "task_execution" { ``` –  Aug 17 '20 at 02:26
  • @aws-noob I double checked now, and the code in the answer deploys. What is `task_execution`? It's not in the answer nor in the question? Maybe a different role? – Marcin Aug 17 '20 at 02:27
  • just changed the role name from `test-role` to `task-execution` role –  Aug 17 '20 at 02:28
  • Can you update the question with your changes. Seems something else must have changed as well, probably by mistake. – Marcin Aug 17 '20 at 02:28
  • @aws-noob I see you added a `Path`?. Can you maybe copy-and-paste the policy from my answer? – Marcin Aug 17 '20 at 02:35
  • @aws-noob No problem. Glad it worked. And have you had a chance to look at the other question of yours? I wonder if there are still some issues there. – Marcin Aug 17 '20 at 02:36
  • I usually have trouble with IAM roles; other than that I am learning quite well, but I usually get stuck on IAM roles –  Aug 17 '20 at 03:07
  • @aws-noob No drama. If you have any questions please feel free to ask:-) I or others will try to help. – Marcin Aug 17 '20 at 03:09
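Pulling both answers together, here is the question's CloudFormation role translated into Terraform, with the trust policy and the inline policy rendered by the `aws_iam_policy_document` data source so that hand-written JSON mistakes like the trailing comma and the stray `"path"` key behind the "invalid character '}'" error in the comments cannot occur. This is an added example, not code from either answer; the `ecr_repository_arn` variable and the split of the ECR permissions into two statements (only `ecr:GetAuthorizationToken` needs `*`) are my additions.

```hcl
# Trust policy: Terraform renders the JSON, so no trailing-comma or stray-key errors.
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    sid     = "AllowEcsTasksToAssume"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_execution" {
  name               = "task-execution-${terraform.workspace}"
  path               = "/" # CloudFormation's Path is a role argument, not a statement key
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

# Equivalent of CloudFormation's ManagedPolicyArns: one attachment resource per ARN.
resource "aws_iam_role_policy_attachment" "task_execution_managed" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Equivalent of CloudFormation's inline Policies block. Assumed addition: the
# repository ARN is passed in so the pull actions are scoped to that repository.
variable "ecr_repository_arn" {
  type = string
}

data "aws_iam_policy_document" "ecr_pull" {
  statement {
    sid       = "EcrAuth"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"] # this action only supports "*"
    resources = ["*"]
  }
  statement {
    sid       = "EcrPull"
    effect    = "Allow"
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
    resources = [var.ecr_repository_arn]
  }
}

resource "aws_iam_role_policy" "ecr_access" {
  name   = "AccessECR"
  role   = aws_iam_role.task_execution.name
  policy = data.aws_iam_policy_document.ecr_pull.json
}
```

`terraform validate` catches malformed HCL, and `terraform plan` shows the rendered policy JSON before anything is created, which is the quickest way to spot a trust-policy mistake.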