How to attach IAM Policy to role using Terraform

This post explains how to attach an IAM policy to an IAM role using Terraform. To follow the steps described in this article you need the prerequisites below configured.

  • Terraform Installation
  • AWS CLI Installation
  • AWS Credentials Configuration
Follow Set up Terraform with AWS from scratch if you don't have these prerequisites configured.

Attach IAM Policy to Role using Terraform

Below are the steps to attach an IAM policy to an IAM role.

Step 1: Create an IAM role using the aws_iam_role resource. In main.tf, write the configuration below to create a role.

resource "aws_iam_role" "testRole" {
  name = "sample-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

Step 2: Create an IAM policy using the aws_iam_policy resource. In main.tf, write the configuration below to create a policy.

resource "aws_iam_policy" "testPolicy" {
  name        = "sample-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Step 3: Create the attachment using the aws_iam_role_policy_attachment resource. In main.tf, write the configuration below to create the attachment.

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.testRole.name
  policy_arn = aws_iam_policy.testPolicy.arn
}

After the above steps, main.tf should contain the configuration below.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_role" "testRole" {
  name = "sample-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "testPolicy" {
  name        = "sample-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.testRole.name
  policy_arn = aws_iam_policy.testPolicy.arn
}
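The same three resources, written as an added example (not code from the original post) using aws_iam_policy_document data sources instead of heredoc JSON, so Terraform validates the policy structure at plan time. The resource labels (lambda_trust, ec2_read, sample) are my own; the IAM names match the post, so use this as a drop-in replacement for the role, policy and attachment above, not alongside them.

```hcl
# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Permissions policy: read-only EC2 Describe calls. Describe* actions do not
# support resource-level permissions, so "*" is the only valid resource here.
data "aws_iam_policy_document" "ec2_read" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "sample" {
  name               = "sample-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

resource "aws_iam_policy" "ec2_read" {
  name        = "sample-policy"
  description = "Read-only EC2 Describe access"
  policy      = data.aws_iam_policy_document.ec2_read.json
}

# aws_iam_role_policy_attachment attaches one managed policy to one role and
# leaves the policy's other attachments alone. Do not use aws_iam_policy_attachment
# for this: it is exclusive and detaches the policy from every entity it omits.
resource "aws_iam_role_policy_attachment" "ec2_read" {
  role       = aws_iam_role.sample.name
  policy_arn = aws_iam_policy.ec2_read.arn
}

# Handy for wiring the role into a Lambda function or for a post-apply check.
output "role_arn" {
  value = aws_iam_role.sample.arn
}
```

terraform plan shows the rendered JSON for both documents, which is a convenient place to review the trust relationship and the granted actions before anything is created.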

Run the commands below in order.

  • terraform fmt
  • terraform validate
  • terraform apply

After terraform apply, type yes at the "Do you want to perform these actions" prompt.

On successful execution it will attach the IAM policy to the role.


Category: AWS