
Resource: awsIamPolicyAttachment

Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)

!> WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, every user, role and group to which a given policy is attached must be declared by a single aws_iam_policy_attachment resource. Any user, role or group that has the policy attached through any other mechanism (including other Terraform resources) will have that attachment revoked by this resource. Consider awsIamRolePolicyAttachment, awsIamUserPolicyAttachment, or awsIamGroupPolicyAttachment instead; those resources do not enforce exclusive attachment of an IAM policy.

~> NOTE: The usage of this resource conflicts with the awsIamGroupPolicyAttachment, awsIamRolePolicyAttachment, and awsIamUserPolicyAttachment resources and will permanently show a difference if both are defined.

~> NOTE: For a given role, this resource is incompatible with using the awsIamRole resource managedPolicyArns argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// The three principal types the policy will be attached to.
const awsIamGroupGroup = new aws.iamGroup.IamGroup(this, "group", {
  name: "test-group",
});
const awsIamUserUser = new aws.iamUser.IamUser(this, "user", {
  name: "test-user",
});
// Trust policy for the role: only the EC2 service may assume it.
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["ec2.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
// Permissions policy document: read-only EC2 describe calls on all resources.
const dataAwsIamPolicyDocumentPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "policy", {
    statement: [
      {
        actions: ["ec2:Describe*"],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  });
// The construct id "policy" is already taken by the data source above, so the
// managed policy gets "policy_4" and its logical id is overridden below.
const awsIamPolicyPolicy = new aws.iamPolicy.IamPolicy(this, "policy_4", {
  description: "A test policy",
  name: "test-policy",
  policy: dataAwsIamPolicyDocumentPolicy.json,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamPolicyPolicy.overrideLogicalId("policy");
const awsIamRoleRole = new aws.iamRole.IamRole(this, "role", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "test-role",
});
// Exclusive attachment: these lists must name every principal that has
// test-policy attached anywhere in the account (see the WARNING above).
new aws.iamPolicyAttachment.IamPolicyAttachment(this, "test-attach", {
  groups: [awsIamGroupGroup.name],
  name: "test-attachment",
  policyArn: awsIamPolicyPolicy.arn,
  roles: [awsIamRoleRole.name],
  users: [awsIamUserUser.name],
});
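To make the WARNING above concrete, the following is an added example (not code from this page or the provider) that models what the exclusive resource does on apply versus what the per-entity attachment resources do. It feeds a constructed `aws iam list-entities-for-policy` reply, in which the policy from the example above is also attached to a hypothetical `ci-deploy-role` managed elsewhere, into two planners and reports what each would revoke. The entity names, IDs and the `ci-deploy-role` are assumptions for illustration; the per-entity behaviour is modelled after the WARNING's description, not taken from the provider source.

```typescript
// Added example, not code from the provider or this page: it models what the
// exclusive awsIamPolicyAttachment does on apply versus what the per-entity
// attachment resources do, driven by a constructed ListEntitiesForPolicy reply.

interface Attachments {
  users: string[];
  roles: string[];
  groups: string[];
}

interface Plan {
  attach: string[]; // "kind:name" pairs that would be attached
  detach: string[]; // "kind:name" pairs that would be revoked
}

// Constructed sample of `aws iam list-entities-for-policy --policy-arn <arn>`
// output (IDs are placeholders). ci-deploy-role is attached to the same policy
// by some other mechanism and is NOT declared in our attachment resource.
const listEntitiesResponse = {
  PolicyGroups: [{ GroupName: "test-group", GroupId: "AGPA0000000000000001" }],
  PolicyUsers: [{ UserName: "test-user", UserId: "AIDA0000000000000001" }],
  PolicyRoles: [
    { RoleName: "test-role", RoleId: "AROA0000000000000001" },
    { RoleName: "ci-deploy-role", RoleId: "AROA0000000000000002" },
  ],
  IsTruncated: false,
};

// What the attachment resource declares, matching the Example Usage above.
const declared: Attachments = {
  users: ["test-user"],
  roles: ["test-role"],
  groups: ["test-group"],
};

export function parseEntities(resp: typeof listEntitiesResponse): Attachments {
  // A truncated listing would hide attachments; refuse to plan on partial data.
  if (resp.IsTruncated) {
    throw new Error("listing truncated: fetch the remaining pages with --marker first");
  }
  return {
    users: resp.PolicyUsers.map(function (u) { return u.UserName; }),
    roles: resp.PolicyRoles.map(function (r) { return r.RoleName; }),
    groups: resp.PolicyGroups.map(function (g) { return g.GroupName; }),
  };
}

function diffOne(kind: string, actual: string[], want: string[]): Plan {
  const plan: Plan = { attach: [], detach: [] };
  for (const name of want) {
    if (actual.indexOf(name) < 0) plan.attach.push(kind + ":" + name);
  }
  for (const name of actual) {
    if (want.indexOf(name) < 0) plan.detach.push(kind + ":" + name);
  }
  return plan;
}

// Exclusive semantics (awsIamPolicyAttachment): the declared users/roles/groups
// are the complete set for this policy ARN, so every entity the policy is
// actually attached to but which is missing from the configuration is detached.
export function planExclusive(actual: Attachments, want: Attachments): Plan {
  const parts = [
    diffOne("user", actual.users, want.users),
    diffOne("role", actual.roles, want.roles),
    diffOne("group", actual.groups, want.groups),
  ];
  const plan: Plan = { attach: [], detach: [] };
  for (const p of parts) {
    plan.attach = plan.attach.concat(p.attach);
    plan.detach = plan.detach.concat(p.detach);
  }
  return plan;
}

// Per-entity semantics (awsIamUserPolicyAttachment and friends): each resource
// only guarantees its own (entity, policy) pair exists and leaves every other
// attachment alone, so nothing is detached on their behalf.
export function planPerEntity(actual: Attachments, want: Attachments): Plan {
  return { attach: planExclusive(actual, want).attach, detach: [] };
}

// Pre-adoption check: the exclusive plan's detach set is exactly the list of
// attachments some other owner would lose. Only adopt the resource when empty.
export function undeclaredAttachments(actual: Attachments, want: Attachments): string[] {
  return planExclusive(actual, want).detach;
}

export const actual = parseEntities(listEntitiesResponse);
export const exclusivePlan = planExclusive(actual, declared);
export const perEntityPlan = planPerEntity(actual, declared);

console.log("exclusive would detach:", exclusivePlan.detach);   // [ 'role:ci-deploy-role' ]
console.log("per-entity would detach:", perEntityPlan.detach); // []
```

Run `undeclaredAttachments` against the real listing for a policy before importing or adding an awsIamPolicyAttachment for it; any name it returns is an attachment that the next apply would revoke. When that list is not empty and those attachments are legitimate, the per-entity resources the WARNING recommends are the right tool: in CDKTF they follow the same naming pattern as the class in the example, for instance aws.iamRolePolicyAttachment.IamRolePolicyAttachment taking role and policyArn, and one of them per principal never touches attachments it does not own.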

Argument Reference

The following arguments are supported:

  • name (Required) - The name of the attachment. This cannot be an empty string.
  • users (Optional) - The user(s) the policy should be applied to
  • roles (Optional) - The role(s) the policy should be applied to
  • groups (Optional) - The group(s) the policy should be applied to
  • policyArn (Required) - The ARN of the policy you want to apply

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The policy's ID.
  • name - The name of the attachment.