Resource: awsIamPolicyAttachment
Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
!> WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that any users/roles/groups that have the policy attached via any other mechanism (including other Terraform resources) will have that attachment revoked by this resource. Consider awsIamRolePolicyAttachment, awsIamUserPolicyAttachment, or awsIamGroupPolicyAttachment instead. These resources do not enforce exclusive attachment of an IAM policy.
~> NOTE: The usage of this resource conflicts with the awsIamGroupPolicyAttachment, awsIamRolePolicyAttachment, and awsIamUserPolicyAttachment resources and will permanently show a difference if both are defined.
~> NOTE: For a given role, this resource is incompatible with using the awsIamRole resource's managedPolicyArns argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.
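As an added example (not code from the cdktf docs or from the Terraform AWS provider), the following stand-alone TypeScript models the exclusive semantics the warning describes: given the principals a single IamPolicyAttachment declares and the principals the policy is actually attached to in the account, it computes what an apply would attach and, more importantly, what it would revoke, and contrasts that with the per-principal resources (awsIamRolePolicyAttachment and friends), which never revoke attachments they did not create. The principal names, the "actual" attachment list and the function names are constructed assumptions; the model deliberately ignores Terraform state and only captures the reconciliation rule.

```typescript
// Added example (not part of the cdktf docs or the Terraform AWS provider):
// a model of the exclusive-attachment semantics of aws_iam_policy_attachment.
// "declared" is what one IamPolicyAttachment resource lists; "actual" is what
// the account reports for the policy (as ListEntitiesForPolicy would).
// All names below are constructed sample data.

type PrincipalKind = "user" | "role" | "group";

interface Principal {
  kind: PrincipalKind;
  name: string;
}

interface AttachmentPlan {
  attach: Principal[]; // attachments the resource would create
  detach: Principal[]; // attachments the resource would revoke
}

// Stable identity for set operations, e.g. "role:test-role".
function principalKey(p: Principal): string {
  return `${p.kind}:${p.name}`;
}

// aws_iam_policy_attachment: the declared set is authoritative for the whole
// account, so any principal attached by another mechanism gets detached.
function planExclusiveAttachment(
  declared: Principal[],
  actual: Principal[],
): AttachmentPlan {
  const declaredKeys = new Set(declared.map(principalKey));
  const actualKeys = new Set(actual.map(principalKey));
  return {
    attach: declared.filter((p) => !actualKeys.has(principalKey(p))),
    detach: actual.filter((p) => !declaredKeys.has(principalKey(p))),
  };
}

// aws_iam_{role,user,group}_policy_attachment: each resource owns exactly one
// (principal, policy) pair and never touches attachments it did not create.
function planNonExclusiveAttachment(
  declared: Principal[],
  actual: Principal[],
): AttachmentPlan {
  const actualKeys = new Set(actual.map(principalKey));
  return {
    attach: declared.filter((p) => !actualKeys.has(principalKey(p))),
    detach: [],
  };
}

// Human-readable summary of what an apply would revoke; empty when nothing is.
function revocationSummary(plan: AttachmentPlan): string[] {
  return plan.detach.map((p) => `would detach policy from ${principalKey(p)}`);
}

// Constructed sample: the Terraform code declares one role, but the same
// policy was also attached to a second role and a user outside Terraform
// (console, CLI, or another Terraform workspace).
const declared: Principal[] = [{ kind: "role", name: "test-role" }];
const actualInAccount: Principal[] = [
  { kind: "role", name: "test-role" },
  { kind: "role", name: "ops-break-glass" },
  { kind: "user", name: "deploy-bot" },
];

const exclusive = planExclusiveAttachment(declared, actualInAccount);
const nonExclusive = planNonExclusiveAttachment(declared, actualInAccount);

console.log("exclusive:", revocationSummary(exclusive)); // two revocations
console.log("non-exclusive:", revocationSummary(nonExclusive)); // none
```

The detach list is the part to review before switching an existing policy to this resource: anything in it that was attached on purpose elsewhere (a break-glass role, a deployment user) loses access on the next apply, with no error from Terraform.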
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsIamGroupGroup = new aws.iamGroup.IamGroup(this, "group", {
  name: "test-group",
});
const awsIamUserUser = new aws.iamUser.IamUser(this, "user", {
  name: "test-user",
});
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["ec2.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "policy", {
    statement: [
      {
        actions: ["ec2:Describe*"],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  });
const awsIamPolicyPolicy = new aws.iamPolicy.IamPolicy(this, "policy_4", {
  description: "A test policy",
  name: "test-policy",
  policy: dataAwsIamPolicyDocumentPolicy.json,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamPolicyPolicy.overrideLogicalId("policy");
const awsIamRoleRole = new aws.iamRole.IamRole(this, "role", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "test-role",
});
new aws.iamPolicyAttachment.IamPolicyAttachment(this, "test-attach", {
  groups: [awsIamGroupGroup.name],
  name: "test-attachment",
  policyArn: awsIamPolicyPolicy.arn,
  roles: [awsIamRoleRole.name],
  users: [awsIamUserUser.name],
});
```
Argument Reference
The following arguments are supported:
- name (Required) - The name of the attachment. This cannot be an empty string.
- users (Optional) - The user(s) the policy should be applied to
- roles (Optional) - The role(s) the policy should be applied to
- groups (Optional) - The group(s) the policy should be applied to
- policyArn (Required) - The ARN of the policy you want to apply
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- id - The policy's ID.
- name - The name of the attachment.