Terraform Version
1.1.6
Terraform Configuration Files
I have created dynamic configuration TF files to create IAM roles for multiple Environments.
Code Block
main.tf
resource "aws_iam_role" "iam_role" {
count = (upper(var.test) == "TRUE" ? 1:0)
name = "test"
assume_role_policy = data.aws_iam_policy_document.assume-role-policy[count.index].json
permissions_boundary = var.permissions_boundary
tags = {
name = var.name
env = var.env
cost = var.cost
}
}
data.tf
data "aws_iam_policy_document" "assume-role-policy" {
count = (upper(var.test) == "TRUE" ? 1:0)
statement {
actions = ["sts:AssumeRole"]
principals {
type = var.principle
identifiers = flatten([var.identifiers])
}
dynamic "condition" {
for_each = length(keys(var.condition)) == 0 ? [] : [
var.condition]
content {
test = lookup(condition.value, "test", null)
variable = lookup(condition.value, "variable", null)
values = condition.value.values
}
}
}
}
variables.tf
variable "condition" {
type = any
default = {
test = ""
variable = ""
values = [""]
}
}
variable "test" {
default = "false"
}
terraform.tfvars for condition apply. this is working while applying.
condition = {
test = "ArnLike"
variable = "aws:PrincipalArn"
values = ["arn:aws:iam::111111111:role/abc]
}
for another env IAM role, I don’t want condition and not defining inside terraform.tfvars file, and it’s getting me an error.
~ resource "aws_iam_role" "iam_role" {
~ assume_role_policy = jsonencode(
~ {
~ Statement = [
~ {
+ Condition = {
+ = {
+ = ""
}
}
~ Principal = {
~ AWS = [
- "arn:aws:iam::1111111:role/ABC",
"arn:aws:iam::22222222:role/abc2",
]
Error: error updating IAM Role (test-iam) assume role policy: MalformedPolicyDocument: Invalid Condition type :
status code: 400, request id: xxxxxxxxxx
can someone help with this?