Question:
Terraform version: 12
We have a legacy, unmanaged by Terraform IAM role that I’d like to reference from an aws_iam_policy_attachment block and I attempted the following:
|
1 2 3 4 5 6 7 8 9 10 11 |
resource "aws_iam_policy_attachment" "example-attach" { name = "example-attach" roles = [ aws_iam_role.managed-role.name, "arn:aws:iam::1234567890:role/unmanaged-role" ] policy_arn = aws_iam_policy.example-policy.arn } |
Dry-run works fine but when applying TF says:
– ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
Is there a way I can just reference the unmanaged role without defining it in TF? Or is there some non-destructive way of declaring it that doesn’t change anything to do with the unmanaged role?
Answer:
In your roles, you are providing role ARN, not role name.
Therefore, instead of ARN, you should use its name:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
resource "aws_iam_policy_attachment" "example-attach" { name = "example-attach" roles = [ aws_iam_role.managed-role.name, "unmanaged-role" ] policy_arn = aws_iam_policy.example-policy.arn } |
You can also use data_source
|
1 2 3 4 |
data "aws_iam_role" "example" { name = "unmanaged-role" } |
and the reference it in your resource:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
resource "aws_iam_policy_attachment" "example-attach" { name = "example-attach" roles = [ aws_iam_role.managed-role.name, data.aws_iam_role.example.name ] policy_arn = aws_iam_policy.example-policy.arn } |