Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Enables exclusive IAM policy management of IAM role with managed_policy_arns option #526

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: Enables exclusive IAM policy management of IAM role with managed_policy_arns option #526

wants to merge 2 commits into from

Conversation

sksmsWKd
Copy link

@sksmsWKd sksmsWKd commented Oct 10, 2024
edited
Loading

Description

This PR supports exclusive management of policy attachments on IAM role.

For prevent resource cycling error, managed_policy_arns can't be used with these resources : aws_iam_role_policy_attachment or aws_iam_role_policy.

Motivation and Context

When using aws_iam_role and this module with the moved command for refactoring (i mean refactor my resource with this module),
although my aws_iam_role already contains managed_policy_arns,
the managed_policy_arns could not be set, so the dependency between IAM role and IAM policy could not be left as code, so aws_iam_role_policy_attachment had to be added as resource.

To prevent unexpected IAM policy changes, i thought adding managed_policy_arns option to IAM role can be clear choice for exclusive management of IAM role's policy.

Breaking Changes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@GedriteA
Copy link

+1 we could use this

@sksmsWKd
Copy link
Author

Hello @bryantbiggs, @antonbabenko, Cloud you review my PR, please.

@bryantbiggs
Copy link
Member

I don't understand the problem nor the changes proposed

@joan-s-molas
Copy link

joan-s-molas commented Oct 24, 2024
edited
Loading

I believe what @sksmsWKd is trying to achieve is to prevent manually made changes to the policy attachments for that role (via console or cli) to persist between terraform runs. I.e, someone attaches a policy to the terraformed role via the console - that gets reverted when terraform is applied again.

aws_iam_role.managed_policy_arns has been deprecated, so that would not be the best approach.

The way to go around this should probably be implementing the optional use of aws_iam_role_policy_attachments_exclusive or similar.

@GedriteA GedriteA mentioned this pull request Oct 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sksmsWKd @GedriteA @bryantbiggs @joan-s-molas