Roxyrob
November 12, 2021, 1:18am
Is there a solution to convert some policy ARNs into a single IAM policy?
Example:
starting from 3 AWS managed policy ARNs like these:
locals {
  policies = {
    pol1 = "arn:aws:iam::aws:policy/IAMFullAccess"
    pol2 = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
    pol3 = "arn:aws:iam::aws:policy/AmazonRoute53FullAccess"
  }
}
I need to make a single policy document containing all 3 policy documents.
Using the data source aws_iam_policy:
data "aws_iam_policy" "merged" {
  for_each = local.policies
  arn      = each.value
}

locals {
  merged_policy = [
    for polname, polcfg in data.aws_iam_policy.merged : [
      polcfg.policy
    ]
  ]
}
I can make a list of policy statements, but how do I format merged_policy to be used in aws_iam_policy or in aws_iam_policy_document?
Is there another solution?
Roxyrob
November 12, 2021, 2:00am
I found a solution. If someone needs it, I write it below; write down if you have better solutions:
locals {
  managed_policies = {
    pol1 = "arn:aws:iam::aws:policy/IAMFullAccess"
    pol2 = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
    pol3 = "arn:aws:iam::aws:policy/AmazonRoute53FullAccess"
  }

  # One flat list holding the Statement entries of every source policy
  merged_policy = flatten([
    for polname, polcfg in data.aws_iam_policy.merged : [
      jsondecode(polcfg.policy).Statement
    ]
  ])
}

data "aws_iam_policy" "merged" {
  for_each = local.managed_policies
  arn      = each.value
}

resource "aws_iam_policy" "merged" {
  name        = "test_policy"
  path        = "/"
  description = "Merged test policy"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = local.merged_policy
  })
}
This allows me to alleviate problems with the “role attached policies limit” (quota: 20 max), and if I get “LimitExceeded: Cannot exceed quota for PolicySize: …” I can quickly set smaller maps, working on sets of policies to be merged and attached to the role, so I can configure more simply: managed policies, static and dynamic custom policies.
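The merge above is written in HCL; as an added example (not Roxyrob's code and not part of this thread), the same merge done in Python with the checks worth running before a merged document is attached to a role: a `Statement` given as a single object instead of a list (valid IAM JSON), `Sid` values that collide across source policies (a `Sid` must be unique within one document, so the merged policy would be rejected), and the 6,144-character quota for a customer managed policy, counted without whitespace, which is what produces the `LimitExceeded: Cannot exceed quota for PolicySize` error quoted in the post. The `split_to_fit` helper does the "set smaller maps" step mechanically. The three sample documents and the `pol1`/`pol2`/`pol3` keys are constructed stand-ins for what `data.aws_iam_policy` returns in its `policy` attribute, and the scheme of prefixing a colliding `Sid` with its source key is this example's own choice, not IAM behaviour.

```python
import json

# IAM quota: a customer managed policy document may hold at most this many
# characters; IAM does not count whitespace towards the limit.
MANAGED_POLICY_MAX_CHARS = 6144

# Constructed sample documents (real AWS managed policies are far longer).
SAMPLE_POLICIES = {
    "pol1": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
        ],
    }),
    "pol2": json.dumps({
        "Version": "2012-10-17",
        # A single statement object instead of a list is valid IAM JSON.
        "Statement": {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    }),
    "pol3": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["route53:List*", "route53:Get*"], "Resource": "*"},
        ],
    }),
}


def statements_of(policy_json: str) -> list:
    """Return the Statement block as a list whether the document used a list or one object."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def merge_policies(policies: dict) -> dict:
    """Merge several policy documents (map key -> policy JSON) into one document.

    Sids must be unique inside one IAM document, so a colliding Sid is
    prefixed with its source key (this example's convention) instead of
    being emitted twice.
    """
    merged = []
    seen_sids = set()
    for key in sorted(policies):  # deterministic order gives a stable plan
        for stmt in statements_of(policies[key]):
            stmt = dict(stmt)  # copy, so the source document is not mutated
            sid = stmt.get("Sid")
            if sid is not None:
                if sid in seen_sids:
                    stmt["Sid"] = f"{key}{sid}"  # e.g. pol2ReadOnly
                seen_sids.add(stmt["Sid"])
            merged.append(stmt)
    return {"Version": "2012-10-17", "Statement": merged}


def policy_size(doc: dict) -> int:
    """Size as IAM counts it: the serialised JSON with all whitespace removed."""
    compact = json.dumps(doc, separators=(",", ":"))
    return len("".join(compact.split()))


def fits_quota(doc: dict, limit: int = MANAGED_POLICY_MAX_CHARS) -> bool:
    return policy_size(doc) <= limit


def split_to_fit(policies: dict, limit: int = MANAGED_POLICY_MAX_CHARS) -> list:
    """Greedily group source policies so each merged group fits the quota.

    A single source policy that is over the limit on its own still forms a
    group of one, so the caller can see and report it.
    """
    groups, current = [], {}
    for key in sorted(policies):
        candidate = {**current, key: policies[key]}
        if current and not fits_quota(merge_policies(candidate), limit):
            groups.append(current)
            current = {key: policies[key]}
        else:
            current = candidate
    if current:
        groups.append(current)
    return groups


if __name__ == "__main__":
    merged = merge_policies(SAMPLE_POLICIES)
    print(json.dumps(merged, indent=2))
    print("size:", policy_size(merged), "fits quota:", fits_quota(merged))
```

Each group returned by `split_to_fit` maps onto one `aws_iam_policy` resource in the Terraform above, which is the same idea as the smaller maps the post describes, but decided by the measured document size rather than by hand.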