From 6fae202017b54475171ffa243fa309bcd677b119 Mon Sep 17 00:00:00 2001 From: Adam Dehnel Date: Sun, 29 Jan 2017 09:55:46 -0600 Subject: [PATCH] Adding details around using a data source (#11494) landed on https://github.com/hashicorp/terraform/issues/5541 and wanted to take a shot at adding the appropriate details to the iam role page. --- .../providers/aws/r/iam_role.html.markdown | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/website/source/docs/providers/aws/r/iam_role.html.markdown b/website/source/docs/providers/aws/r/iam_role.html.markdown index 3ee8cd0a8..94a68ebdf 100644 --- a/website/source/docs/providers/aws/r/iam_role.html.markdown +++ b/website/source/docs/providers/aws/r/iam_role.html.markdown @@ -40,6 +40,9 @@ The following arguments are supported: * `name` - (Optional, Forces new resource) The name of the role. * `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`. * `assume_role_policy` - (Required) The policy that grants an entity permission to assume the role. + +~> **NOTE:** This `assume_role_policy` is very similar but slightly different than just a standard IAM policy and cannot use an `aws_iam_policy` resource. If _can_ however, use an `aws_iam_policy_document` [data source](https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html), see example below for how this could work. + * `path` - (Optional) The path to the role. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) for more information. @@ -51,10 +54,31 @@ The following attributes are exported: * `create_date` - The creation date of the IAM role. * `unique_id` - The stable and unique string identifying the role. +## Example of Using Data Source for Assume Role Policy + +``` +data "aws_iam_policy_document" "instance-assume-role-policy" { + statement { + actions = [ "sts:AssumeRole" ] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "instance" { + name = "instance_role" + path = "/system/" + assume_role_policy = "${data.aws_iam_policy_document.instance-assume-role-policy.json}" +} +``` + ## Import IAM Roles can be imported using the `name`, e.g. ``` $ terraform import aws_iam_role.developer developer_name -``` \ No newline at end of file +```