option to create an inline policy #21

Open
nitrocode opened this issue Dec 13, 2022 · 4 comments
Labels
wontfix This will not be worked on

Comments

nitrocode (Member) commented Dec 13, 2022

Describe the Feature

Option to create an inline policy and attach it to a role. If that is implemented: we currently create a managed policy here, and it would be good to also have the option to attach it to a role. This will allow people to use one or the other for all of our modules.

Related PR: https://github.com/cloudposse/terraform-aws-ec2-bastion-server/pull/102/files

Workaround for now is to set iam_policy_enabled = false and use the json output like in the example in the README.

Nuru added the wontfix label Aug 30, 2023

Nuru (Sponsor Contributor) commented Aug 30, 2023

Closing as wontfix because this module creates a policy, not a role. Having it create a role is feature creep and violates separation of concerns.

Nuru closed this as completed Aug 30, 2023

nitrocode (Member, Author) commented Aug 30, 2023

My hope was that instead of setting iam_policy_enabled = false and using the json output, we could instead do the following

module "iam_policy" {
  # ...
  inline_enabled = true

  role_arn = "arn:..."
}

which would disable the aws_iam_policy resource creation and instead add the aws_iam_role_policy_attachment resource to connect the inline policy to the role.

Please reconsider.

nitrocode reopened this Aug 30, 2023

nitrocode (Member, Author) commented Aug 30, 2023

Oh nvm, maybe the readme already states that this is enough.

Thanks for considering.

resource "aws_iam_role" "example" {
  name               = "hello_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name = "test_policy"

    policy = module.iam_policy.json
  }
}

nitrocode (Member, Author) commented Sep 17, 2024

Just happened to come across this again because I was looking at https://github.com/cloudposse/terraform-aws-eks-iam-role and wanted to use an inline policy there. I looked inside and it wasn't using this module, so I went back here to look for the inline method and came across this issue again.

Rereading this thread, I noticed that we may have a misunderstanding.

Closing as wontfix because this module creates a policy, not a role. Having it create a role is feature creep and violates separation of concerns.

I wasn't suggesting creating a role, but instead, attaching the inline policy (instead of a managed policy) to an existing role which would then need to be provided.

See this aws_iam_role_policy for attaching inline policies to existing roles.

e.g.

module "iam_policy" {
  # ...
  inline_attach_role_name = module.role.name
}

Would you reconsider? If so, this would help other downstream modules to reuse this logic and easily toggle between inline and managed policies without needing to recreate the logic per module.

nitrocode reopened this Sep 17, 2024
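As an added example (not code from the module or from anyone in this thread), here is one way a policy module could expose the toggle proposed above: the managed path keeps an aws_iam_policy plus an aws_iam_role_policy_attachment, while the inline path uses aws_iam_role_policy against a caller-supplied existing role. The inputs `inline_enabled`, `role_name` and `policy_name`, and the sample policy document, are hypothetical placeholders.

```hcl
# Added example: one toggle between a managed policy and an inline policy.
# inline_enabled, role_name and policy_name are hypothetical inputs, not the module's own.
variable "inline_enabled" {
  type        = bool
  default     = false
  description = "true: inline policy on var.role_name; false: managed policy, attached if role_name is set"
}

variable "role_name" {
  type        = string
  default     = null
  description = "Existing IAM role to attach to; required when inline_enabled is true"
}

variable "policy_name" {
  type    = string
  default = "example-policy" # constructed placeholder
}

# Constructed least-privilege document standing in for the module's generated JSON.
data "aws_iam_policy_document" "this" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-bucket/*"] # placeholder bucket
  }
}

# Managed policy: a standalone IAM object that can be reused across roles.
resource "aws_iam_policy" "managed" {
  count  = var.inline_enabled ? 0 : 1
  name   = var.policy_name
  policy = data.aws_iam_policy_document.this.json
}

resource "aws_iam_role_policy_attachment" "managed" {
  count      = !var.inline_enabled && var.role_name != null ? 1 : 0
  role       = var.role_name
  policy_arn = aws_iam_policy.managed[0].arn
}

# Inline policy: exists only on this role, is deleted with it, and cannot be attached elsewhere.
resource "aws_iam_role_policy" "inline" {
  count  = var.inline_enabled ? 1 : 0
  name   = var.policy_name
  role   = var.role_name
  policy = data.aws_iam_policy_document.this.json
}

output "json" {
  value = data.aws_iam_policy_document.this.json
}
```

Do not manage the same role's inline policies both this way and through an `inline_policy` block on `aws_iam_role` (as in the earlier workaround): the two resources fight over the set of inline policies and every plan shows a diff.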