Assume policies as aws_iam_policy_document data source


Andrew Hodgson

Jan 12, 2017, 10:46:50 AM
to terrafo...@googlegroups.com
Hi all,

I want to convert the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

Into a data source aws_iam_policy_document.

However, I am coming up with the issue that I need to assign a service principal, not an AWS principal. When I try to do this using the following document:

data "aws_iam_policy_document" "my_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

I get a malformed policy document in AWS.

Anyone else tried to do this? It is a common enough policy document.

Thanks.
Andrew.


Teemu Matilainen

Jan 12, 2017, 3:50:53 PM
to terrafo...@googlegroups.com
Hi,

I think the documentation is wrong, as principals seems to be an argument and not a nested block, i.e. this should work:

principals = {
  type        = "service"
  identifiers = ["ec2.amazonaws.com"]
}

Cheers,
  - Teemu

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/AM5PR0401MB2628A32FF11A4A18D33330EBC5790%40AM5PR0401MB2628.eurprd04.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

Andrew Hodgson

Jan 30, 2017, 12:06:55 PM
to terrafo...@googlegroups.com
Hi,

I have tried various types of this again and still no joy. Here is what I have currently:

resource "aws_iam_role" "base" {
  name               = "${var.project}_base"
  assume_role_policy = "${data.aws_iam_policy_document.ec2_assume_role_policy.json}"
}

data "aws_iam_policy_document" "ec2_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals = {
      type        = "service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

Plan (moving from an inline policy in the configuration file to a data source) gives me this:

~ aws_iam_role.base
assume_role_policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" => "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}"

That then errors with:

* aws_iam_role.base: Error Updating IAM Role ([...]_base) Assume Role Policy: MalformedPolicyDocument: Syntax error at position (9,21)
status code: 400, request id: 41468dd8-e70e-11e6-a020-351aba6c4bf4

Any suggestions?

Thanks,
Andrew.


Andrew Hodgson

Jan 30, 2017, 12:11:18 PM
to terrafo...@googlegroups.com
Hi,

Case issue :(

The working code is:

data "aws_iam_policy_document" "ec2_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
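The failure in this thread is a case-sensitivity problem: IAM rejects a trust policy whose Principal map uses the key `"service"` instead of `"Service"`, and Terraform only surfaces that at apply time as MalformedPolicyDocument. The following is an added example (not code from the thread or from Terraform) that lints the rendered policy JSON before apply and points at exactly that kind of mismatch; the two sample documents are constructed to mirror the plan output above.

```python
import json

# Principal map keys IAM accepts; the match is case-sensitive, so the "service"
# key that Terraform rendered from type = "service" is a MalformedPolicyDocument.
VALID_PRINCIPAL_TYPES = ("AWS", "Service", "Federated", "CanonicalUser")


def validate_trust_policy(policy_json):
    """Return a list of problems in an assume-role (trust) policy; [] means clean."""
    try:
        doc = json.loads(policy_json)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also legal
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append("statement %d: Effect must be Allow or Deny" % i)
        principal = st.get("Principal")
        if principal is None:
            problems.append("statement %d: Principal is required in a trust policy" % i)
        elif principal == "*":
            pass  # anonymous principal: valid syntax, nothing more to check here
        elif not isinstance(principal, dict):
            problems.append("statement %d: Principal must be a map or \"*\"" % i)
        else:
            for ptype in principal:
                if ptype in VALID_PRINCIPAL_TYPES:
                    continue
                # Point at the case-only mismatch seen in the thread.
                fixes = [v for v in VALID_PRINCIPAL_TYPES if v.lower() == ptype.lower()]
                hint = " (keys are case-sensitive; use %r)" % fixes[0] if fixes else ""
                problems.append("statement %d: unknown Principal type %r%s" % (i, ptype, hint))
    return problems


# Constructed samples: the JSON Terraform rendered from type = "service" (broken)
# and from type = "Service" (fixed), as in the plan output in the thread.
BROKEN = ('{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",'
          '"Action":"sts:AssumeRole","Principal":{"service":"ec2.amazonaws.com"}}]}')
FIXED = BROKEN.replace('"service"', '"Service"')

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, validate_trust_policy(doc) or "OK")
```

Feed it the `.json` attribute of the data source (for example via `terraform console` or a plan output) to catch the bad key before IAM does.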