in AWS by (18.2k points)

I've got this so far:

data "aws_iam_policy" "config_role" {
  arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

But I'm not sure how to attach this to a group.

1 Answer

by (42.4k points)

As mentioned in the aws_iam_policy_attachment resource docs, this resource creates an exclusive attachment of that policy to the specified users, groups and roles and isn't normally what you want, so I'd recommend the aws_iam_group_policy_attachment resource.

It will look like this:

resource "aws_iam_group" "aws_config_group" {
  name = "AWSConfigGroup"
  path = "/"
}

resource "aws_iam_group_policy_attachment" "aws_config_attach" {
  group      = "${aws_iam_group.aws_config_group.name}"
  policy_arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

...
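Putting the question and the answer together, here is an added example (not code from either poster) that feeds the ARN from the `aws_iam_policy` data source into the non-exclusive group attachment instead of repeating it, and adds a member to the group. It assumes Terraform 0.12+ expression syntax, a configured AWS provider, and the placeholder user name `example-user`.

```hcl
# Added example; assumes Terraform 0.12+ syntax and a configured AWS provider.

# Look up the AWS-managed policy so the attachment can reference its ARN.
data "aws_iam_policy" "config_role" {
  arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"
}

resource "aws_iam_group" "aws_config_group" {
  name = "AWSConfigGroup"
  path = "/"
}

# Non-exclusive: leaves any other groups/users/roles attached to this policy,
# and any other policies attached to this group, untouched. This is the safe
# default compared with aws_iam_policy_attachment, which takes over all
# attachments of the policy.
resource "aws_iam_group_policy_attachment" "aws_config_attach" {
  group      = aws_iam_group.aws_config_group.name
  policy_arn = data.aws_iam_policy.config_role.arn
}

# Placeholder user for illustration only.
resource "aws_iam_user" "example" {
  name = "example-user"
}

# aws_iam_group_membership manages the group's *entire* user list, so members
# added outside Terraform would be removed on the next apply. For a per-user,
# non-exclusive membership use aws_iam_user_group_membership instead.
resource "aws_iam_group_membership" "aws_config_members" {
  name  = "AWSConfigGroupMembership"
  group = aws_iam_group.aws_config_group.name
  users = [aws_iam_user.example.name]
}

output "attached_policy_arn" {
  value = aws_iam_group_policy_attachment.aws_config_attach.policy_arn
}
```

Running `terraform plan` should show exactly one `aws_iam_group_policy_attachment` to be created, with `policy_arn` resolved from the data source rather than hard-coded.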