aws_iam_role_policy Documentation Inconsistencies


Mark Vlcek

Jun 1, 2018, 4:42:18 PM6/1/18
to Terraform
I'm new to Terraform, but I recently ran into some errors when trying a "terraform plan" that were essentially all the same:

* aws_iam_role_policy.suspend_user_iam_role_policy: Error putting IAM role policy list-mfa-devices-delete-login-profile-policy: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

Some of the relevant Terraform config was:

resource "aws_iam_role_policy" "suspend_user_iam_role_policy" {
  name   = "list-mfa-devices-delete-login-profile-policy"
  role   = "${aws_iam_role.suspend_user_iam_role.arn}"
  policy = "${data.aws_iam_policy_document.suspend_user_iam_policy_document.json}"
}


resource "aws_iam_role_policy_attachment" "suspend_user_iam_role_policy_attachment" {
  role       = "${aws_iam_role.suspend_user_iam_role.arn}"
  policy_arn = "${data.aws_iam_policy.aws_managed_lambda_basic_execution_iam_policy.arn}"
}


Now the confusion came into play because the aws_iam_role_policy documentation example shows

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = "${aws_iam_role.test_role.id}"

Meanwhile, the aws_iam_role documentation doesn't even show "id" as being a valid or existing attribute of an aws_iam_role resource. So, seeing that "arn" was a valid attribute and is often a drop-in replacement for the "id" attribute, I used the "arn" attribute to specify my roles.

The error shows that it's actually looking for a roleName, not a role ARN. So, I went back and changed all my Terraform config to use the aws_iam_role resource "name" attribute instead wherever I was creating an aws_iam_role_policy or aws_iam_role_policy_attachment resource, and sure enough all my errors were fixed.

It would be great to get the documentation and examples updated to avoid confusion such as this! This would involve cleaning up the examples that reference things like ${aws_iam_role.test_role.id} (since "id" isn't a valid attribute according to the documentation) and also clarifying that the "role" argument for the aws_iam_role_policy and aws_iam_role_policy_attachment resources is looking for role names (the documentation currently just says "The IAM role to attach to the policy." and "The role the policy should be applied to." for aws_iam_role_policy and aws_iam_role_policy_attachment respectively).
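The corrected form of the two resources from the post, as an added example that is neither the poster's nor Terraform's own code: the role name, trust policy, managed-policy ARN and policy-document statement are assumptions filled in so the block stands on its own.

```hcl
# Added example (not the poster's or Terraform's own code): the two resources
# from the post with "role" set to the role's name rather than its ARN.
data "aws_iam_policy_document" "suspend_user_iam_policy_document" {
  # Assumed statement; the post does not show the document's contents.
  statement {
    actions   = ["iam:ListMFADevices", "iam:DeleteLoginProfile"]
    resources = ["*"]
  }
}

data "aws_iam_policy" "aws_managed_lambda_basic_execution_iam_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role" "suspend_user_iam_role" {
  name = "suspend-user-role"  # constructed; IAM allows only [A-Za-z0-9+=,.@_-]

  # Assumed trust policy so the role can be assumed by Lambda.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "lambda.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# "role" is the role NAME, which is what IAM's roleName parameter expects.
# Passing the ARN instead is what produced the ValidationError in the post.
resource "aws_iam_role_policy" "suspend_user_iam_role_policy" {
  name   = "list-mfa-devices-delete-login-profile-policy"
  role   = "${aws_iam_role.suspend_user_iam_role.name}"
  policy = "${data.aws_iam_policy_document.suspend_user_iam_policy_document.json}"
}

# Same rule for the managed-policy attachment: "role" is the role name.
resource "aws_iam_role_policy_attachment" "suspend_user_iam_role_policy_attachment" {
  role       = "${aws_iam_role.suspend_user_iam_role.name}"
  policy_arn = "${data.aws_iam_policy.aws_managed_lambda_basic_execution_iam_policy.arn}"
}
```

A `terraform plan` with the `.arn` references swapped for `.name` as above is the change the post describes; the `resources = ["*"]` in the assumed statement should be narrowed to the users the Lambda is meant to suspend.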