Reputation: 7128
I don't get how to configure role policies with Terraform for AWS.
First things first:
$ terraform version
Terraform v0.12.0
+ provider.aws v2.18.0
Now I need to create a service role, and as far as I understand, first I need to create the role with aws_iam_role and then use aws_iam_role_policy_attachment to attach CodeDeploy's AWSCodeDeployRole policy.
resource "aws_iam_role" "codedeploy_service_role" {
  name = "CodeDeployServiceRole"
}

resource "aws_iam_role_policy_attachment" "codedeploy_service_role_policy_attach" {
  role       = "${aws_iam_role.codedeploy_service_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}
But it's not working because the aws_iam_role resource is missing the mandatory field "assume_role_policy". And the "assume_role_policy" field only accepts a JSON-formatted policy. I don't understand why I cannot create a role without setting policies during the initialization of this role.
Upvotes: 6
Views: 20752
Reputation: 2365
Correction, as I misread your question:
You can create an iam_policy as below:
data "aws_iam_policy" "codedeploy_service_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}
Then in your policy attachment:
resource "aws_iam_role_policy_attachment" "codedeploy_service_role_policy_attach" {
  role       = "${aws_iam_role.codedeploy_service_role.name}"
  policy_arn = "${data.aws_iam_policy.codedeploy_service_policy.arn}"
}
AWS IAM role with assume role policy (with trust relationship). When creating a role in AWS, you MUST provide a trust relationship (the service which this particular role will utilize):
resource "aws_iam_role" "codedeploy_service_role" {
  name = "CodeDeployServiceRole"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
Upvotes: 7
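The two-part setup the answer describes (a trust policy that says who may assume the role, plus a permissions policy that says what the role may do) as one complete Terraform 0.12 configuration. This is an added example, not code from the question or the answer. It assumes the provider region is us-east-1 (IAM itself is global, so the region does not matter for these resources) and that the caller has IAM permissions to create roles. One deliberate difference from the answer's snippet: the trust principal is codedeploy.amazonaws.com rather than ec2.amazonaws.com, because the CodeDeploy service role is assumed by the CodeDeploy service, not by EC2 instances; a role whose trust policy names ec2.amazonaws.com is an instance-profile role and CodeDeploy will not be able to assume it.

```hcl
terraform {
  required_version = ">= 0.12"
}

# Assumption: region chosen for the example; IAM resources are global.
provider "aws" {
  region = "us-east-1"
}

# Trust policy. This is the mandatory assume_role_policy from the question.
# It answers "who may assume this role?", which is why IAM refuses to create
# a role without it: a role with no principal would have no access-control
# boundary at all. Least privilege here means trusting exactly the one
# service that needs the role and nothing else (never "Principal": "*").
data "aws_iam_policy_document" "codedeploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["codedeploy.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "codedeploy_service_role" {
  name               = "CodeDeployServiceRole"
  assume_role_policy = data.aws_iam_policy_document.codedeploy_trust.json
}

# Permissions policy. This answers "what may the role do once assumed?" and
# is attached separately, exactly as the answer shows. Looking the managed
# policy up as a data source means a mistyped ARN fails at plan time rather
# than leaving a role that silently has no permissions.
data "aws_iam_policy" "codedeploy_service_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}

resource "aws_iam_role_policy_attachment" "codedeploy_service_role_policy_attach" {
  role       = aws_iam_role.codedeploy_service_role.name
  policy_arn = data.aws_iam_policy.codedeploy_service_policy.arn
}

# Hypothetical output name; handy when wiring the role into a
# CodeDeploy deployment group in another module.
output "codedeploy_service_role_arn" {
  value = aws_iam_role.codedeploy_service_role.arn
}
```

Run `terraform init && terraform validate` to check the syntax offline, then `terraform plan` to see the trust document rendered as JSON before anything is created. Generating the trust policy with aws_iam_policy_document instead of a heredoc avoids hand-written JSON mistakes (a stray comma or a mis-cased key) and lets you add conditions later, for example restricting `sts:AssumeRole` with `aws:SourceAccount`, without rewriting the block.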