I also use the external data source for a similar use case.
# Runs get-policy-doc.bash as a Terraform "external" data source. Terraform
# passes the `query` map to the script as a JSON object on stdin and expects a
# flat JSON object of string values back on stdout; here that object carries
# the IAM policy document base64-encoded under the key "ecoded_doc". The key
# name is shared with the script, so its spelling must stay in sync on both
# sides (renaming it here without renaming it in the script breaks the lookup).
data "external" "policy_document" {
  program = ["bash", "${path.module}/get-policy-doc.bash"]
  query = {
    # Release tag of aws-load-balancer-controller whose iam_policy.json is fetched
    # (the script prefixes it with "v" when building the download URL).
    lb_cntrl_version = var.lb_cntrl_version
  }
}
# Creates the IAM policy from the document returned by the external data
# source. The script hands the document back base64-encoded (the data source
# only carries strings), so it is decoded here before being passed to IAM.
# The policy content is whatever the script downloaded at plan time for the
# given lb_cntrl_version; review the plan diff whenever that version changes.
resource "aws_iam_policy" "this" {
  name   = local.identifier
  policy = base64decode(data.external.policy_document.result.ecoded_doc)
}
And here is the script.
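#!/usr/bin/env bash
# Terraform "external" data source helper: reads {"lb_cntrl_version": "..."}
# as JSON on stdin, downloads the matching aws-load-balancer-controller IAM
# policy document from GitHub and prints {"ecoded_doc": "<base64>"} to stdout
# for Terraform to consume. Any failure exits non-zero so the plan aborts.
set -euo pipefail

# Terraform sends the query object on stdin; jq's @sh filter shell-quotes the
# value, so the eval only ever defines lb_cntrl_version.
eval "$(jq -r '@sh "lb_cntrl_version=\(.lb_cntrl_version)"')"

# The version is interpolated into a URL path, so refuse anything that is not
# a plain tag-like string (no '/', whitespace, or leading '-') and reject the
# "null" that jq emits when the query key is missing. Keeping the pattern in a
# variable avoids bash quoting pitfalls inside [[ =~ ]].
version_re='^[0-9A-Za-z][0-9A-Za-z.-]*$'
if [[ ! "$lb_cntrl_version" =~ $version_re ]] || [[ "$lb_cntrl_version" == "null" ]]; then
  echo "get-policy-doc.bash: invalid lb_cntrl_version '${lb_cntrl_version}'" >&2
  exit 1
fi

# --fail: an unknown tag (HTTP 404) must abort here. Without it curl exits 0
# and the error-page body would be base64-encoded and handed to aws_iam_policy.
policy_document=$(curl -sS --fail \
  "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v${lb_cntrl_version}/docs/install/iam_policy.json")

# Only accept a well-formed, non-null JSON document as the policy; anything
# else fails now rather than at apply time. The document is trusted on the
# basis of the tag alone; if that is not acceptable, compare it against a
# known checksum before this point.
printf '%s' "$policy_document" | jq -e . >/dev/null

# printf with a quoted variable instead of `echo $policy_document`: unquoted
# expansion would word-split and glob-expand the document (IAM policies contain
# "*"), and echo may interpret a leading dash as an option.
ecoded_doc=$(printf '%s' "$policy_document" | base64 -w 0)

# The external data source requires a flat JSON object of string values; the
# key name must match what the Terraform side reads from `result`.
jq -n --arg ecoded_doc "$ecoded_doc" '{"ecoded_doc":$ecoded_doc}'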