How to attach multiple policies to a role


A seemingly simple situation that I can’t overcome.

Given:
a. A number of policies managed by Terraform in this same module
b. A few AWS-managed policies.

Add all these policies to a role.


Error: Invalid for_each argument
│   on line 26, in resource "aws_iam_role_policy_attachment" "this":
│   26:   for_each = toset( [ aws_iam_policy.ESource_S3_Trove_LADWP.arn,
│   27:                       aws_iam_policy.esource_s3_int_esource_client_apc.arn,
│   28:                       data.aws_iam_policy.AWSGlueRole.arn
│   29:                     ])
│     ├────────────────
│     │ aws_iam_policy.ESource_S3_Trove_LADWP.arn is a string, known only after apply
│     │ aws_iam_policy.esource_s3_int_esource_client_apc.arn is a string, known only after apply
│     │ data.aws_iam_policy.AWSGlueRole.arn is "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"


data aws_iam_policy AWSGlueRole {
  arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

resource "aws_iam_role" "this" {
  name = var.role_name
  assume_role_policy = data.aws_iam_policy_document.AWSGlueTrustPolicy.json
  description = "The Glue role for APC project"
}

resource "aws_iam_role_policy_attachment" "this" {
  role       =
  for_each = toset( [ aws_iam_policy.ESource_S3_Trove_LADWP.arn,
                      aws_iam_policy.esource_s3_int_esource_client_apc.arn,
                      data.aws_iam_policy.AWSGlueRole.arn
                    ])
  policy_arn = each.key
}


terraform --version
Terraform v1.0.11
on linux_amd64
+ provider v3.47.0

I appreciate your guidance.

The way to get the above to work is to either:

  1. hardcode a “policy_attachment” for each ARN
  2. create the policy on the first run of the code, and add the policy to toset() (so it will be automatically attached) on the second run of terraform apply.

Either case is less than desirable.
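
The error in this thread arises because `for_each` must know its keys at plan time, while the ARNs of policies created in the same run are known only after apply. One way to avoid both workarounds, shown as an added example that is not part of the original posts: key the attachments by literal strings and carry the ARNs as map values. The local name and the map keys are hypothetical; the policy, data source and role addresses are the ones in the question and are assumed to be defined in the same module.

```hcl
# Added example (not from the thread).
# Assumes these objects from the question exist in this module:
#   aws_iam_policy.ESource_S3_Trove_LADWP
#   aws_iam_policy.esource_s3_int_esource_client_apc
#   data.aws_iam_policy.AWSGlueRole
#   aws_iam_role.this

locals {
  # Keys are literal strings, so the set of instances is fully known
  # during plan. Values may be "known only after apply" without
  # triggering "Invalid for_each argument".
  # Key names below are hypothetical labels chosen for this example.
  glue_role_policies = {
    s3_trove_ladwp    = aws_iam_policy.ESource_S3_Trove_LADWP.arn
    s3_int_client_apc = aws_iam_policy.esource_s3_int_esource_client_apc.arn
    aws_glue_service  = data.aws_iam_policy.AWSGlueRole.arn
  }
}

resource "aws_iam_role_policy_attachment" "this" {
  # A map is passed directly; no toset() is needed.
  for_each = local.glue_role_policies

  role       = aws_iam_role.this.name
  policy_arn = each.value # the ARN is the value, not the key
}

# Lists what this configuration attaches, keyed by the static labels,
# so the role's intended permission set can be reviewed after apply.
output "glue_role_attached_policies" {
  value = {
    for label, att in aws_iam_role_policy_attachment.this :
    label => att.policy_arn
  }
}
```

Each attachment is addressed in state by its label, for example `aws_iam_role_policy_attachment.this["aws_glue_service"]`, so removing a map entry detaches only that policy. This resource is not exclusive: policies attached to the role outside this configuration stay attached and have to be audited separately.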