Build own policy instead of using AWSLambdaBasicExecutionRole #13
Comments
The problem is `aws_iam_policy_attachment`, not `aws_iam_role_policy_attachment`. Had that fun today!
Ooh, double issue. Possibly my internet fail.
Also, I don't trust
Why's that?
It seems to break more easily than a normal
Really? Strange!
Are you mixing
yes, that's why I don't use
I guess I've gone down the "only use `aws_iam_role_policy_attachment`" path instead.
TF is pretty blatant about it not being a great approach.
> *WARNING:* The aws_iam_policy_attachment resource creates *exclusive* attachments
> of IAM policies. Across the entire AWS account, all of the
> users/roles/groups to which a single policy is attached must be declared by
> a single aws_iam_policy_attachment resource. This means that even any
> users/roles/groups that have the attached policy via any other mechanism
> (including other Terraform resources) will have that attached policy
> revoked by this resource. Consider aws_iam_role_policy_attachment,
> aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead.
> These resources do not enforce exclusive attachment of an IAM policy.
> https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html
On Wed, 29 Apr 2020 at 17:22, Stuart Auld ***@***.***> wrote:
> yes, that's why I don't use aws_iam_role_policy_attachment
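Putting the two points of this thread together (a standalone policy in place of `AWSLambdaBasicExecutionRole`, attached with the non-exclusive resource the warning recommends), here is an added HCL example that is not from this issue or the project; the role, policy and function names are assumed.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  region     = data.aws_region.current.name
  account_id = data.aws_caller_identity.current.account_id
}

# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "my-function-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

# The same three logs: actions AWSLambdaBasicExecutionRole grants, but scoped
# to this function's own log group instead of Resource: "*".
data "aws_iam_policy_document" "lambda_logging" {
  statement {
    actions   = ["logs:CreateLogGroup"]
    resources = ["arn:aws:logs:${local.region}:${local.account_id}:*"]
  }
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/my-function:*"]
  }
}

resource "aws_iam_policy" "lambda_logging" {
  name   = "my-function-logging" # assumed name
  policy = data.aws_iam_policy_document.lambda_logging.json
}

# Non-exclusive attachment: other attachments of this policy, made elsewhere,
# are left alone. aws_iam_policy_attachment would revoke any it does not declare.
resource "aws_iam_role_policy_attachment" "lambda_logging" {
  role       = aws_iam_role.lambda.name
  policy_arn = aws_iam_policy.lambda_logging.arn
}
```

Several `aws_iam_role_policy_attachment` resources can target the same role, so further permissions go in additional scoped policies rather than in one broad statement.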
Are you allowed more than one `aws_iam_role_policy_attachment` per role?
From memory no, and that's why I don't use it.
Yep. You can.
I think you need to make a new issue rather than reopening... this one is already SOLVED.
On Wed, 29 Apr 2020 at 20:27, Joel Courtney ***@***.***> wrote:
> Reopened #13.
Terraform is pretty greedy with role attachments, so we should just create a standalone policy to avoid issues elsewhere.