Defining IAM Policies with Terraform safely

Are you still defining IAM policies using heredoc syntax (<<EOF ... EOF) or jsonencode()? You can do better! As a result, terraform validate can tell you about typos before you apply them, and you get better auto-complete support from your IDE. Read on to learn how to define IAM policies in Terraform safely.

When looking at Terraform code I still see the following two ways to define IAM policies:

resource "aws_iam_policy" "inline" {
  name        = "tf-inline"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.example.arn}/*"
    }
  ]
}
EOF
}

The second approach looks like this:

resource "aws_iam_policy" "jsonencode" {
  name        = "tf-jsonencode"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        Resource = [
          "${aws_s3_bucket.example.arn}/*"
        ]
      }
    ]
  })
}

The problem with both approaches: If your policy is malformed, you have to terraform apply before you realize the mistake. Besides that, your IDE’s auto-complete can not help you much when using those approaches.

How can we do better? The following video demonstrates using the data source aws_iam_policy_document. This way, Terraform can validate your IAM policy (at least from a structural perspective), and your IDE can do a much better job of increasing your productivity.

resource "aws_iam_policy" "policydocument" {
  name        = "tf-policydocument"
  policy      = data.aws_iam_policy_document.example.json
}

data "aws_iam_policy_document" "example" {
  statement {
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      aws_s3_bucket.example.arn
    ]
  }
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject"
    ]
    resources = [
      "${aws_s3_bucket.example.arn}/*"
    ]
  }
}

Like this:

Related

Articles on the same topic:

DevOps and Security #c9d9

Designing asynchronous event systems with AWS IoT and Serverless Application Model (SAM)

Deploying Self-Hosted Runners for GitHub Enterprise Server on AWS: A Guide to Efficient CI/CD

Delivery Pipeline as Code: AWS CloudFormation and AWS CodePipeline

A Deep Dive into AWS CloudTrail

Debugging a VPC: Security Groups, Network ACLs, and Routing Tables

Dead man’s switch with CloudWatch

Day 2 at the AWS re:Invent – what we learned

Day 1 at the AWS re:Invent – what we learned

Databases on AWS

Customized rate limiting for API Gateway by path parameter, query parameter, and more

Cronjob at the edge with AWS IoT

Create a serverless RESTful API with the Serverless Framework powered by API Gateway, Lambda, and DynamoDB

CloudWatch Metrics & Alarms reloaded

Create a serverless RESTful API with API Gateway, Swagger, Lambda, and DynamoDB

Create a serverless RESTful API with API Gateway, CloudFormation, Lambda, and DynamoDB

Leave a Reply Cancel reply