Iam_role assume_role_policy with loop of account ids

I can’t seem to create a loop for the Principal statement like the following due to syntax issues.

If I do it slightly differently and use for_each, I basically end up creating 4 roles instead of just 1 role with 4 Principals.

  resource "aws_iam_role" "external-dns-cross-account" {
    count = local.dns_account

    name  = "external-dns-cross-account"

    assume_role_policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Principal = {
            AWS = [
              for ( id in module.ap-globals.ap_accounts ) {
              "arn:aws:iam::${id}:role/external-dns*"
              }
            ]
          }
          Action = "sts:AssumeRole"
        }
      ]
    })

    inline_policy {
      name = "route53"

      policy = jsonencode({
        Version = "2012-10-17",
        Statement = [
          {
            Action = "route53:*",
            Resource = var.zones,
            Effect = "Allow"
          }
        ]
      })
    }

    tags = local.tags
  }

For Expressions - Configuration Language | Terraform | HashiCorp Developer documents the correct syntax to use - you’re just using different punctuation characters to what the Terraform language syntax defines, for some reason.

Thanks, I was able to fix the syntax with [ for id in module.ap-globals.ap_accounts : "arn:aws:iam::${id}:role/external-dns*" ]
but that led to a MalformedDocument. I realized the wildcard was blowing things up, so I ended up changing to this for completeness:

  resource "aws_iam_role" "external-dns-cross-account" {
    count = local.dns_account

    name  = "external-dns-cross-account"

    # assume_role_policy = data.aws_iam_policy_document.external-dns_assume_role_policy.json
    assume_role_policy = jsonencode({
      Version   = "2012-10-17"
      Statement = [
        {
          Effect    = "Allow"
          Principal = {
            AWS = [ for id in module.ap-globals.ap_accounts : "arn:aws:iam::${id}:root" ]
          }
          Action    = "sts:AssumeRole"
          Condition = {
            StringLike = {
              "aws:PrincipalArn" = [ for id in module.ap-globals.ap_accounts : "arn:aws:iam::${id}:role/external-dns*" ]
            }
          }
        }
      ]
    })

    inline_policy {
      name = "route53"

      policy = jsonencode({
        Version = "2012-10-17",
        Statement = [
          {
            Action = "route53:*",
            Resource = var.zones,
            Effect = "Allow"
          }
        ]
      })
    }

    tags = local.tags
  }
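
An added example, not part of the thread: the same trust policy written with the aws_iam_policy_document data source that the commented-out line in the last post names. The variable ap_accounts and its constructed account IDs are assumptions standing in for module.ap-globals.ap_accounts, the count, inline_policy and tags arguments are left out, and a configured AWS provider is assumed.

```hcl
# Constructed stand-in for module.ap-globals.ap_accounts (sample IDs, not real accounts).
variable "ap_accounts" {
  type    = list(string)
  default = ["111111111111", "222222222222"]

  validation {
    # Only 12-digit account IDs may be interpolated into the ARNs below.
    condition     = alltrue([for id in var.ap_accounts : can(regex("^[0-9]{12}$", id))])
    error_message = "Each entry in ap_accounts must be a 12-digit AWS account ID."
  }
}

data "aws_iam_policy_document" "external-dns_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # IAM does not accept a wildcard inside a Principal ARN, so the principal
    # is each account's root (the account as a whole) ...
    principals {
      type        = "AWS"
      identifiers = [for id in var.ap_accounts : "arn:aws:iam::${id}:root"]
    }

    # ... and the condition narrows that to callers whose role ARN matches
    # role/external-dns* in one of the listed accounts.
    condition {
      test     = "StringLike"
      variable = "aws:PrincipalArn"
      values   = [for id in var.ap_accounts : "arn:aws:iam::${id}:role/external-dns*"]
    }
  }
}

# One role, one statement, one principal per account.
resource "aws_iam_role" "external-dns-cross-account" {
  name               = "external-dns-cross-account"
  assume_role_policy = data.aws_iam_policy_document.external-dns_assume_role_policy.json
}

# Rendered trust policy, for review with `terraform output`.
output "trust_policy_json" {
  value = data.aws_iam_policy_document.external-dns_assume_role_policy.json
}
```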