[ISSUE] MalformedPolicyDocument trying to use databricks_aws_crossaccount_policy #688
Comments
Hi! @iandelahorne did you try creating an inline policy?

```hcl
data "databricks_aws_assume_role_policy" "this" {
resource "aws_iam_role" "cross_account_role" {
data "databricks_aws_crossaccount_policy" "this" {
resource "aws_iam_role_policy" "this" {
```
@nfx No, I didn't since our security policies / terraform best practices don't allow this.
@iandelahorne Where in TF best practices can I read that aws_iam_role_policy is not allowed?.. Would this example work for you? In the meantime, please use policy templates from official docs.

```hcl
resource "aws_iam_role_policy" "this" {
```
@nfx Sorry I was confusing this with a different check which is "no inline policies on users" which Checkov/Bridgecrew will definitely barf on. That said: Our internal best practices at Patreon are to not use inline policies on roles with Now, does inlining a policy work? Yes, it does with the current version. Here's my current example file I just tested with in terraform 0.13.7:

```hcl
terraform {
  required_providers {
    databricks = {
      source  = "databrickslabs/databricks"
      version = "0.3.5"
    }
  }
}

locals {
  prefix = "databricks"
}

variable "databricks_account_id" {
  default = "databricks-account-id"
}

# Trust policy for the cross-account role, scoped with the account id as external id.
data "databricks_aws_assume_role_policy" "this" {
  external_id = var.databricks_account_id
}

resource "aws_iam_role" "cross_account_role" {
  name               = "${local.prefix}-crossaccount"
  assume_role_policy = data.databricks_aws_assume_role_policy.this.json
}

data "databricks_aws_crossaccount_policy" "this" {
}

# Inline policy on the role: accepted by AWS.
resource "aws_iam_role_policy" "this" {
  name   = "${local.prefix}-policy"
  role   = aws_iam_role.cross_account_role.id
  policy = data.databricks_aws_crossaccount_policy.this.json
}

# Standalone managed policy from the same document: rejected with MalformedPolicyDocument.
resource "aws_iam_policy" "databricks" {
  name   = "${local.prefix}-policy-standalone"
  policy = data.databricks_aws_crossaccount_policy.this.json
}
```

The Is there any reason why this can't just be bumped to 2012-10-07? I went in with the expectation that I could use this policy document in a policy resource - it certainly isn't documented that it only works with inline resources.
Hm... bumping the version might happen, but only in 0.4.0 - imagine the surprise of folks seeing their cross-account roles updated :)
@psg2 willing to help with this one?
Yes, I can pick it by next week probably, this seems rather simple to fix. 😄
Terraform Version
Terraform v0.14.11 and Terraform v0.13.7
AWS provider 3.45
Affected Resource(s)
Terraform Configuration Files
Debug Output
Plan output:
Expected Behavior
An IAM policy to be created
Actual Behavior
The provider errored with:
This is due to the IAM policy document version being set to 2008-10-17 in data_aws_policies.go
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply
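Until the provider emits a 2012-10-17 document, the policy language version can be pinned in the caller before the document reaches a managed policy. This is an added example, not code from the issue or from the databricks provider; it assumes the `aws_iam_role.cross_account_role`, `local.prefix` and `data.databricks_aws_crossaccount_policy.this` names from the configuration above, and that the only change AWS needs for the managed policy is the `Version` field, as the issue states.

```hcl
# Added example (not from the issue or the provider). Re-serialise the data
# source output with the current policy language version so the same document
# works both as an inline role policy and as a standalone managed policy.
locals {
  # jsondecode() turns the provider's JSON into an object; merge() overrides
  # only the top-level "Version" key and leaves every Statement untouched.
  crossaccount_policy = jsonencode(merge(
    jsondecode(data.databricks_aws_crossaccount_policy.this.json),
    { Version = "2012-10-17" }
  ))
}

# Managed policy built from the re-versioned document, attached to the
# cross-account role instead of being inlined on it.
resource "aws_iam_policy" "databricks" {
  name   = "${local.prefix}-policy-standalone"
  policy = local.crossaccount_policy
}

resource "aws_iam_role_policy_attachment" "databricks" {
  role       = aws_iam_role.cross_account_role.name
  policy_arn = aws_iam_policy.databricks.arn
}
```

One check before applying: 2012-10-17 is the version that introduced IAM policy variables, so review the data source output for any literal `${...}` text in resource ARNs or conditions, which 2008-10-17 treated as plain characters and 2012-10-17 will interpret as variables.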