Creating IAM roles and policy


MCraig

May 16, 2016, 2:40:26 PM
to Terraform
Hello,

I am attempting to use Terraform to create and manage IAM roles and policies. Is this supported? The IAM role I'm generating this from in AWS has a Resource section.

Error:
1 error(s) occurred:

* aws_iam_role.VCI-FlowLogs2: Error creating IAM Role VCI-FlowLogs2: MalformedPolicyDocument: Has prohibited field Resource
        status code: 400, request id: c0b6bdd9-1b94-11e6-bfc5-4926377f24b7

From the example below:

########## IAM Roles ##########
resource "aws_iam_role" "LAB-FlowLogs" {
    name = "LAB-FlowLogs"
    assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": ["arn:aws:logs:*:*:*"]
        }
    ]
}
EOF
}

########## IAM Role Policy ##########
resource "aws_iam_role_policy" "LAB-FlowLogs-TrustRelationship" {
    name = "LAB-FlowLogs-TrustRelationship"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

David Adams

May 16, 2016, 3:17:51 PM
to terrafo...@googlegroups.com
These things are super confusing (Amazon's fault, not Terraform), but you have your policies backwards. The one with "sts:AssumeRole" needs to be assigned to the `assume_role_policy` field of `aws_iam_role` and the one with the `Resource` goes under `policy` in `aws_iam_role_policy`.

--
David Adams | Systems Administrator
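The correction described in the reply above, written out as an added example (this is not code from the original post): the trust document with `sts:AssumeRole` moves to `assume_role_policy` on `aws_iam_role`, and the permissions document with `Resource` moves to `policy` on `aws_iam_role_policy`. Two details beyond what the thread shows are my additions: the `role` argument, which `aws_iam_role_policy` requires so the policy is attached to the role, and the resource name `LAB-FlowLogs-Permissions`, chosen because the original snippet labelled the permissions policy as a trust relationship.

```hcl
# Added example, not from the original post. Trust policy (who may assume the
# role) goes on aws_iam_role; permissions policy (what the role may do) goes on
# aws_iam_role_policy. The `role` argument and the "-Permissions" name are
# assumptions added here; the policy documents themselves are from the thread.

########## IAM Role ##########
resource "aws_iam_role" "LAB-FlowLogs" {
    name = "LAB-FlowLogs"

    # Trust policy: only the VPC Flow Logs service principal may assume this role.
    # A "Resource" field is not permitted in this document, which is what produced
    # "MalformedPolicyDocument: Has prohibited field Resource" in the original post.
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

########## IAM Role Policy ##########
resource "aws_iam_role_policy" "LAB-FlowLogs-Permissions" {
    name = "LAB-FlowLogs-Permissions"

    # Attach the permissions policy to the role defined above (required argument).
    role = "${aws_iam_role.LAB-FlowLogs.id}"

    # Permissions policy: what the role may do once assumed. "Resource" belongs here.
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": ["arn:aws:logs:*:*:*"]
        }
    ]
}
EOF
}
```

With the documents in their proper places, `terraform plan` and `terraform apply` create the role first and then attach the inline policy, instead of failing with the 400 from IAM. The permissions document keeps the thread's `arn:aws:logs:*:*:*`; in practice it can be narrowed to the ARN of the specific log group the flow logs write to, since the trust policy limits who may assume the role but not what it can reach.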

MCraig

May 16, 2016, 3:35:35 PM
to Terraform
Wow! No kidding, that is confusing. Thank you very much for the quick response!

Mike