Resource: awsIamRolePolicyAttachment
Attaches a Managed IAM Policy to an IAM role
NOTE: The usage of this resource conflicts with the awsIamPolicyAttachment resource and will permanently show a difference if both are defined.
NOTE: For a given role, this resource is incompatible with using the awsIamRole resource managedPolicyArns argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.
Example Usage
```typescript
/* Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// The snippet uses `this` as its scope, so it has to live inside a construct.
// The class name is arbitrary.
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);

    // Trust policy: lets the EC2 service assume the role.
    const dataAwsIamPolicyDocumentAssumeRole =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
        this,
        "assume_role",
        {
          statement: [
            {
              actions: ["sts:AssumeRole"],
              effect: "Allow",
              principals: [
                {
                  identifiers: ["ec2.amazonaws.com"],
                  type: "Service",
                },
              ],
            },
          ],
        }
      );

    // Permissions policy: the document for the managed policy attached below.
    const dataAwsIamPolicyDocumentPolicy =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "policy", {
        statement: [
          {
            actions: ["ec2:Describe*"],
            effect: "Allow",
            resources: ["*"],
          },
        ],
      });

    const awsIamPolicyPolicy = new aws.iamPolicy.IamPolicy(this, "policy_2", {
      description: "A test policy",
      name: "test-policy",
      policy: dataAwsIamPolicyDocumentPolicy.json,
    });
    /* This allows the Terraform resource name to match the original name.
    You can remove the call if you don't need them to match. */
    awsIamPolicyPolicy.overrideLogicalId("policy");

    const awsIamRoleRole = new aws.iamRole.IamRole(this, "role", {
      assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
      name: "test-role",
    });

    // Attach the managed policy to the role.
    new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "test-attach", {
      policyArn: awsIamPolicyPolicy.arn,
      role: awsIamRoleRole.name,
    });
  }
}
```
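The two NOTEs at the top of this page can be checked before `terraform plan` is run. The following is an added example, not part of the original documentation or the provider: it scans the `resource` block of a synthesized `cdk.tf.json` for both conflicts. The function names, the sample data and the raw string comparison of `policy_arn` values are assumptions.

```typescript
// Only the parts of a synthesized cdk.tf.json "resource" block that are read here.
type Attrs = Record<string, unknown>;
type Resources = Record<string, Record<string, Attrs>>;

// Map a `role` value to an aws_iam_role logical id: either a Terraform
// reference such as "${aws_iam_role.role.name}" or a literal role name.
function resolveRole(ref: unknown, roles: Record<string, Attrs>): string | undefined {
  if (typeof ref !== "string") return undefined;
  const m = /^\$\{aws_iam_role\.([^.}]+)\.(?:name|id)\}$/.exec(ref);
  if (m) return m[1];
  for (const id of Object.keys(roles)) {
    if (roles[id]?.["name"] === ref) return id;
  }
  return undefined;
}

// Hypothetical helper: one finding per conflict described in the NOTEs.
function findAttachmentConflicts(resources: Resources): string[] {
  const roles = resources["aws_iam_role"] ?? {};
  const attachments = resources["aws_iam_role_policy_attachment"] ?? {};
  const exclusive = resources["aws_iam_policy_attachment"] ?? {};
  const findings: string[] = [];
  for (const id of Object.keys(attachments)) {
    const att = attachments[id] ?? {};
    // Conflict 1: the target role also sets managed_policy_arns.
    const roleId = resolveRole(att["role"], roles);
    if (roleId !== undefined && Array.isArray(roles[roleId]?.["managed_policy_arns"])) {
      findings.push(`${id}: aws_iam_role.${roleId} also sets managed_policy_arns`);
    }
    // Conflict 2: the same policy_arn string is used by aws_iam_policy_attachment.
    const arn = att["policy_arn"];
    for (const exId of Object.keys(exclusive)) {
      if (typeof arn === "string" && exclusive[exId]?.["policy_arn"] === arn) {
        findings.push(`${id}: policy_arn also managed by aws_iam_policy_attachment.${exId}`);
      }
    }
  }
  return findings;
}

// Constructed sample, not real synth output.
const sample: Resources = {
  aws_iam_role: {
    role: { name: "test-role", managed_policy_arns: ["${aws_iam_policy.policy.arn}"] },
    clean: { name: "clean-role" },
  },
  aws_iam_role_policy_attachment: {
    "test-attach": { role: "${aws_iam_role.role.name}", policy_arn: "${aws_iam_policy.policy.arn}" },
    "clean-attach": { role: "clean-role", policy_arn: "${aws_iam_policy.other.arn}" },
  },
  aws_iam_policy_attachment: { all: { roles: ["test-role"], policy_arn: "${aws_iam_policy.policy.arn}" } },
};
```

Policy ARNs written differently in the two resources (a reference in one, a literal ARN in the other) are not matched by the string comparison.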
Argument Reference
The following arguments are supported:
role - (Required) The name of the IAM role to which the policy should be applied
policyArn - (Required) The ARN of the policy you want to apply
Attributes Reference
No additional attributes are exported.
Import
IAM role policy attachments can be imported using the role name and policy ARN separated by /.