Defining IAM Policies with Terraform safely
Aug
Are you still defining IAM policies using heredoc syntax (<<EOF ... EOF) or jsonencode()? You can do better! As a result, terraform validate can tell you about typos before you apply them, and you get better auto-complete support from your IDE. Read on to learn how to define IAM policies in Terraform safely.
When looking at Terraform code I still see the following two ways to define IAM policies:
resource "aws_iam_policy" "inline" { |
The second approach looks like this:
resource "aws_iam_policy" "jsonencode" { |
The problem with both approaches: If your policy is malformed, you have to terraform apply before you realize the mistake. Besides that, your IDE’s auto-complete can not help you much when using those approaches.
How can we do better? The following video demonstrates using the data source aws_iam_policy_document. This way, Terraform can validate your IAM policy (at least from a structural perspective), and your IDE can do a much better job of increasing your productivity.
resource "aws_iam_policy" "policydocument" { |
Articles on the same topic:
-
Your single AWS account is a serious risk
-
Your Lambda function might execute twice. Be prepared!
-
Your AWS Account is a mess? Learn how to fix it!
-
Worldwide availability of EC2 instance types
-
Workaround: CodePipeline for GitHub Enterprise
-
WordPress Templates for AWS CloudFormation
-
WordPress on AWS: you are holding it wrong
-
WordPress on AWS: smooth and pain free
-
What’s the CO² footprint of your architecture?
-
What’s the best AWS Compute option for your project?
-
What’s new about AWS SDK for JavaScript v3?
-
What can you do with AWS?
-
What Architects Need to Know About Networking on AWS
-
We have a podcast!
-
VPC Templates for AWS CloudFormation
-
(Erratum) VPC Endpoint increases DynamoDB latency by 30%
