How do you add a managed policy to a group in terraform?

Question

I've got this so far:

data "aws_iam_policy" "config_role" { 

  arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"

}

But I'm not sure how to attach this to a group.

Answer 1

As mentioned in the aws_iam_policy_attachment resource docs this resource creates an exclusive attachment of that policy to specified users, groups and roles and isn't normally what you want so I'd recommend the aws_iam_group_policy_attachment resource.

It will look like this:

resource "aws_iam_group" "aws_config_group" {

  name = "AWSConfigGroup"

  path = "/"

}

resource "aws_iam_group_policy_attachment" "aws_config_attach" {

  group      = "${aws_iam_group.aws_config_group.name}"

  policy_arn = "arn:aws:iam::aws:policy/service_role/AWSConfigRole"

}