{"id":9,"date":"2022-03-20T10:34:00","date_gmt":"2022-03-20T15:34:00","guid":{"rendered":"https:\/\/34.82.124.6\/?p=9"},"modified":"2022-04-29T10:36:40","modified_gmt":"2022-04-29T15:36:40","slug":"terraform-difference-between-data-aws_iam_policy_document-and-in-line-json-policy","status":"publish","type":"post","link":"https:\/\/cloudlearning365.com\/?p=9","title":{"rendered":"Terraform \u2013 difference between data.aws_iam_policy_document and in-line JSON policy"},"content":{"rendered":"\n

So I\u2019ve got this block of terraform code, which simply just allow the role to assume role<\/p>\n\n\n\n

data \"aws_iam_policy_document\" \"bootstrap_role\" {\n  statement {\n    actions = [\"sts:AssumeRole\"]\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"ec2.amazonaws.com\"]\n    }\n  }\n}\n\nresource \"aws_iam_role\" \"bootstrap\" {\n  name               = \"bootstrap-${random_string.bucket.result}\"\n  assume_role_policy = data.aws_iam_policy_document.bootstrap_role.json\n}<\/code><\/pre>\n\n\n\n
When check in AWS Console, I can see following Trust relationships created with:
\u201cSid\u201d: \u201c\u201d<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
When I would create the role in AWS Console, I would not have this section:
\u201cSid\u201d: \u201c\u201d<\/p>\n\n\n\n
Tried to update the terraform code to following, and it made no difference:<\/p>\n\n\n\n
data \"aws_iam_policy_document\" \"bootstrap_role\" {\n  statement {\n    actions = [\"sts:AssumeRole\"]\n\n    principals {\n      type        = \"Service\"\n      identifiers = [\"ec2.amazonaws.com\"]\n    }\n\n    sid = null<\/mark>\n  }\n}\n\nresource \"aws_iam_role\" \"bootstrap\" {\n  name               = \"bootstrap-${random_string.bucket.result}\"\n  assume_role_policy = data.aws_iam_policy_document.bootstrap_role.json\n}<\/code><\/pre>\n\n\n\n
After some research, I\u2019ve settled with this code with incline JSON policy instead<\/p>\n\n\n\n
resource \"aws_iam_role\" \"bootstrap\" {\n  name = \"bootstrap-${random_string.bucket.result}\"\n  assume_role_policy = jsonencode(\n    {\n      \"Version\" : \"2012-10-17\",\n      \"Statement\" : [\n        {\n          \"Effect\" : \"Allow\",\n          \"Principal\" : {\n            \"Service\" : \"ec2.amazonaws.com\"\n          },\n          \"Action\" : \"sts:AssumeRole\"\n        }\n      ]\n    }\n  )\n}<\/code><\/pre>\n\n\n\n
Now it\u2019s nice and clean<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
So I\u2019ve got this block of terraform code, which simply just allow the role to assume role When check in AWS Console, I can see following Trust relationships created with:\u201cSid\u201d: \u201c\u201d When I would create the role in AWS Console, … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[8],"tags":[],"class_list":["post-9","post","type-post","status-publish","format-standard","hentry","category-terraform"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/9","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9"}],"version-history":[{"count":1,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/9\/revisions"}],"predecessor-version":[{"id":10,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/9\/revisions\/10"}],"wp:attachment":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}