
Resource: awsIamRolePolicyAttachment

Attaches a Managed IAM Policy to an IAM role

~> NOTE: The usage of this resource conflicts with the awsIamPolicyAttachment resource and will permanently show a difference if both are defined.

~> NOTE: For a given role, this resource is incompatible with using the awsIamRole resource managedPolicyArns argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Trust policy: a single statement letting the EC2 service assume the role.
// DataAwsIamPolicyDocument takes its statements under `statement`, not at the top level.
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["ec2.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
// Permissions policy document: read-only EC2 describe calls.
const dataAwsIamPolicyDocumentPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "policy", {
    statement: [
      {
        actions: ["ec2:Describe*"],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  });
// Customer managed policy built from the document above.
const awsIamPolicyPolicy = new aws.iamPolicy.IamPolicy(this, "policy_2", {
  description: "A test policy",
  name: "test-policy",
  policy: dataAwsIamPolicyDocumentPolicy.json,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamPolicyPolicy.overrideLogicalId("policy");
// The role carries only the trust policy; permissions come from the attachment below.
const awsIamRoleRole = new aws.iamRole.IamRole(this, "role", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "test-role",
});
// Attach the managed policy to the role by role name and policy ARN.
new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "test-attach", {
  policyArn: awsIamPolicyPolicy.arn,
  role: awsIamRoleRole.name,
});
```

Argument Reference

The following arguments are supported:

  • role (Required) - The name of the IAM role to which the policy should be applied
  • policyArn (Required) - The ARN of the policy you want to apply

Attributes Reference

No additional attributes are exported.

Import

IAM role policy attachments can be imported using the role name and the policy ARN, separated by /.

$ terraform import aws_iam_role_policy_attachment.test-attach test-role/arn:aws:iam::xxxxxxxxxxxx:policy/test-policy
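The import ID above combines the two arguments of this resource (role name and policy ARN) with a /. Because an IAM policy ARN itself contains a / (…:policy/test-policy), the ID can only be split at the first separator. The following is an added example, not code from the provider documentation or the cdktf project: it parses and re-builds such an import ID, validates both halves against the IAM role-name and policy-ARN formats, and distinguishes AWS managed from customer managed policies. The 12-digit account id is a constructed placeholder, and the parseAttachmentId/formatAttachmentId/isAwsManaged names are this example's own.

```typescript
// Added example: parsing the aws_iam_role_policy_attachment import ID
// "<role-name>/<policy-arn>". Not part of the provider docs or cdktf.

interface RolePolicyAttachmentId {
  role: string;      // maps to the `role` argument
  policyArn: string; // maps to the `policyArn` argument
}

// IAM policy ARN: arn:<partition>:iam::<12-digit account or "aws">:policy/<path+name>
// Customer managed policies carry an account id; AWS managed policies use "aws".
const POLICY_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}|aws):policy\/[\w+=,.@\-\/]+$/;

// IAM role names: 1-64 characters from the set [A-Za-z0-9+=,.@_-]
const ROLE_NAME = /^[\w+=,.@-]{1,64}$/;

function parseAttachmentId(id: string): RolePolicyAttachmentId {
  // Split at the FIRST "/" only; the ARN after it contains more slashes.
  const sep = id.indexOf("/");
  if (sep <= 0 || sep === id.length - 1) {
    throw new Error(`import ID must be "<role-name>/<policy-arn>", got "${id}"`);
  }
  const role = id.slice(0, sep);
  const policyArn = id.slice(sep + 1);
  if (!ROLE_NAME.test(role)) {
    throw new Error(`invalid IAM role name "${role}"`);
  }
  if (!POLICY_ARN.test(policyArn)) {
    throw new Error(`invalid IAM policy ARN "${policyArn}"`);
  }
  return { role, policyArn };
}

function formatAttachmentId(a: RolePolicyAttachmentId): string {
  return `${a.role}/${a.policyArn}`;
}

// AWS managed policies live under the pseudo-account "aws".
function isAwsManaged(policyArn: string): boolean {
  return /:iam::aws:policy\//.test(policyArn);
}

// Constructed sample ID; 123456789012 is a placeholder account id.
const SAMPLE_ID = "test-role/arn:aws:iam::123456789012:policy/test-policy";

const parsed = parseAttachmentId(SAMPLE_ID);
console.log(parsed.role, parsed.policyArn, isAwsManaged(parsed.policyArn));
console.log(formatAttachmentId(parsed) === SAMPLE_ID);
```

The round trip through formatAttachmentId reproduces the exact string used on the terraform import command line, so the same helper can generate import IDs for a batch of existing attachments from a role name and ARN list.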