
Steps skipped even if attribute is present / defined in plan.out.json

Open ranopriyo-neogy opened this issue 3 years ago • 5 comments

When running the terraform-compliance command with the required paths, it shows steps getting skipped even though the required attribute is defined in my module and present in plan.out.json. Am I doing something incorrectly? Note: I am running terraform-compliance from my example folder, calling the main module with the inputs.

My Main Module:

resource "aws_iam_policy" "this" {
  # Created only when a permission policy document is supplied; with a null
  # input the count is 0 and no aws_iam_policy appears in the plan at all.
  count = var.iam_policy_permission == null ? 0 : 1

  description = var.description_iam_policy

  name        = var.name == null ? null : var.name
  name_prefix = var.name == null ? format("%s-%s-", var.customer_id, var.environment) : null
  path        = var.policy_path
  policy      = var.iam_policy_permission
}

Present in plan.out.json

Screen Shot 2021-06-03 at 11 32 19 AM

My Example directory - calling the main module with inputs:

###################################################################
# AWS IAM role and policy
###################################################################

// IAM Role

module "iam_role" {
  source = "../"

  account_id              = local.account_id
  create_instance_profile = var.create_instance_profile
  customer_id             = local.customer_id
  description_iam_role    = var.description_iam_role
  description_iam_policy  = var.description_iam_policy
  environment             = local.environment
  policy_path             = var.policy_path
  role                    = "web"
  tags                    = local.common_tags

  // Data source example - assume role policy
  assume_role_policy = data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2.json

  // Uncomment EITHER the 'Data source example' OR the 'AWS Managed permission policy'.

  // Data source example - permission policy
  #iam_policy_permission = data.aws_iam_policy_document.clusterautoscaler.json

  // AWS Managed permission policy
  // As a result of 'The "count" value depends on resource attributes that cannot be determined until apply...', this MUST be the ARN path AND NOT an interpolation.
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}


###################################################################
# AWS IAM Policy Attachment only
###################################################################

module "iam_ec2_cwa" {
  source = "../policy-attachment/"

  attached_role = module.iam_role.iam_role_name
  policy_arn    = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}

SKIPPING: Can not find aws_iam_policy defined in target terraform plan.

Screen Shot 2021-06-03 at 11 36 35 AM

ranopriyo-neogy avatar Jun 03 '21 15:06 ranopriyo-neogy
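The skip message above lines up with what the module and the plan attached later in the thread show: `aws_iam_policy.this` is guarded by `count = var.iam_policy_permission == null ? 0 : 1`, the example's `iam_policy_permission = ...` line is commented out, and the plan's `variables` block carries `"iam_policy_permission": {"value": null}`. A resource whose count is 0 is not planned, so it is present in the module source but absent from both `planned_values` and `resource_changes`, and a plan-driven tool cannot find it. The script below is an added example for this issue, not terraform-compliance's own code: it walks a plan JSON the way such a tool does, lists the managed resource types that are really planned, and, for a type that is missing, traces the absence to a `count` that depends on a module input the caller never set. The embedded plan is a constructed, trimmed copy of the one in the thread; its `configuration` section follows Terraform's JSON output format (`module_calls`, `count_expression`) but is assumed here, because the plan pasted in the thread is cut off before that part.

```python
"""Walk a `terraform show -json plan.out > plan.out.json` document the way a
plan-based compliance tool does: list the resource types that are actually
planned and, for a type that is absent, trace the absence to a `count` that
depends on a module input the caller never set.
Added example for this issue; not terraform-compliance's own code."""
import json
import sys
from typing import Dict, Iterator, List

# Constructed, trimmed-down plan modelled on the one posted in this issue.
# aws_iam_policy.this has `count = var.iam_policy_permission == null ? 0 : 1`
# and the example module call leaves iam_policy_permission commented out, so
# the policy never reaches planned_values or resource_changes.
# The `configuration` part follows Terraform's JSON output format
# (module_calls / count_expression); it is an assumption here because the
# copy of the plan in the thread is cut off before that section.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "variables": {"iam_policy_permission": {"value": None},
                  "policy_path": {"value": "/ec2/"}},
    "planned_values": {"root_module": {
        "resources": [
            {"address": "data.aws_iam_policy_document.clusterautoscaler",
             "mode": "data", "type": "aws_iam_policy_document"}],
        "child_modules": [
            {"address": "module.iam_ec2_cwa", "resources": [
                {"address": "module.iam_ec2_cwa.aws_iam_role_policy_attachment.this",
                 "mode": "managed", "type": "aws_iam_role_policy_attachment"}]},
            {"address": "module.iam_role", "resources": [
                {"address": "module.iam_role.aws_iam_role.this",
                 "mode": "managed", "type": "aws_iam_role"},
                {"address": "module.iam_role.aws_iam_role_policy_attachment.this[0]",
                 "mode": "managed", "type": "aws_iam_role_policy_attachment", "index": 0}]},
        ]}},
    "configuration": {"root_module": {"module_calls": {
        "iam_role": {
            "source": "../",
            # iam_policy_permission is deliberately missing: the call never passes it
            "expressions": {"policy_path": {"references": ["var.policy_path"]}},
            "module": {"resources": [
                {"address": "aws_iam_policy.this", "mode": "managed",
                 "type": "aws_iam_policy",
                 "count_expression": {"references": ["var.iam_policy_permission"]}},
                {"address": "aws_iam_role.this", "mode": "managed",
                 "type": "aws_iam_role"}]}},
        "iam_ec2_cwa": {"source": "../policy-attachment/", "expressions": {},
                        "module": {"resources": []}},
    }}},
}


def iter_planned(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_planned(child)


def planned_types(plan: dict) -> Dict[str, List[str]]:
    """Map each *managed* resource type to the addresses that are really in the plan."""
    types: Dict[str, List[str]] = {}
    for res in iter_planned(plan["planned_values"]["root_module"]):
        if res.get("mode") == "managed":
            types.setdefault(res["type"], []).append(res["address"])
    return types


def explain_missing(plan: dict, rtype: str) -> List[str]:
    """Explain why `rtype` is absent: find configured resources of that type whose
    count depends on a module variable, and check whether the module call sets it."""
    reasons: List[str] = []
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    for call_name, call in calls.items():
        for res in call.get("module", {}).get("resources", []):
            if res.get("type") != rtype or "count_expression" not in res:
                continue
            for ref in res["count_expression"].get("references", []):
                if not ref.startswith("var."):
                    continue
                var = ref[len("var."):]
                where = f"module.{call_name}.{res['address']}"
                if var in call.get("expressions", {}):
                    reasons.append(f"{where}: count depends on {ref}, which the module call sets")
                else:
                    reasons.append(f"{where}: count depends on {ref}, but the module call never "
                                   f"sets input '{var}', so it is null and count is 0")
    return reasons


def check(plan: dict, rtype: str) -> dict:
    """One-shot answer for 'is rtype in this plan, and if not, why?'."""
    found = planned_types(plan).get(rtype, [])
    return {"type": rtype, "present": bool(found), "addresses": found,
            "reasons": [] if found else explain_missing(plan, rtype)}


if __name__ == "__main__":
    # Usage: python plan_check.py [plan.out.json] [resource_type]
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    rtype = sys.argv[2] if len(sys.argv) > 2 else "aws_iam_policy"
    print(json.dumps(check(plan, rtype), indent=2))
```

Run it against a real `plan.out.json` before writing a feature that targets a resource type: if `check()` reports the type absent, the fix is in the Terraform inputs (here, passing `iam_policy_permission` so the count becomes 1), not in the compliance step. The module-call lookup is one level deep, which matches the layout in this issue; nested module calls would need the same walk applied recursively.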

Hi @ranopriyo-neogy,

Thanks for reporting!

I am having trouble recreating the issue, is it possible to share an anonymized version of the plan?

Kudbettin avatar Jun 08 '21 13:06 Kudbettin

Here is the state file:

{
   "format_version":"0.1",
   "terraform_version":"0.13.6",
   "variables":{
      "account_id":{
         "value":"111111"
      },
      "aws_region":{
         "value":"us-east-1"
      },
      "create_instance_profile":{
         "value":false
      },
      "customer_id":{
         "value":"sys"
      },
      "description_iam_policy":{
         "value":"This is a POLICY description."
      },
      "description_iam_role":{
         "value":"This is a ROLE description."
      },
      "environment":{
         "value":"EXample"
      },
      "iam_policy_description":{
         "value":null
      },
      "iam_policy_permission":{
         "value":null
      },
      "policy_path":{
         "value":"/ec2/"
      },
      "role":{
         "value":null
      },
      "tags":{
         "value":{
            "Environment":"TAG VALUE",
            "Name":"tag_key"
         }
      }
   },
   "planned_values":{
      "outputs":{
         "iam_instance_profile_id":{
            "sensitive":false,
            "value":""
         },
         "iam_role_arn":{
            "sensitive":false
         },
         "iam_role_name":{
            "sensitive":false
         },
         "tags":{
            "sensitive":false,
            "value":[
               {
                  "account_id":"00000",
                  "environment":"exampl"
               }
            ]
         }
      },
      "root_module":{
         "resources":[
            {
               "address":"data.aws_iam_policy_document.clusterautoscaler",
               "mode":"data",
               "type":"aws_iam_policy_document",
               "name":"clusterautoscaler",
               "provider_name":"registry.terraform.io/hashicorp/aws",
               "schema_version":0,
               "values":{
                  "id":"1111111111111",
                  "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"kubernetesClusterautoscaler\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n        \"autoscaling:SetDesiredCapacity\",\n        \"autoscaling:DescribeTags\",\n        \"autoscaling:DescribeLaunchConfigurations\",\n        \"autoscaling:DescribeAutoScalingInstances\",\n        \"autoscaling:DescribeAutoScalingGroups\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}",
                  "override_json":null,
                  "override_policy_documents":null,
                  "policy_id":null,
                  "source_json":null,
                  "source_policy_documents":null,
                  "statement":[
                     {
                        "actions":[
                           "autoscaling:DescribeAutoScalingGroups",
                           "autoscaling:DescribeAutoScalingInstances",
                           "autoscaling:DescribeLaunchConfigurations",
                           "autoscaling:DescribeTags",
                           "autoscaling:SetDesiredCapacity",
                           "autoscaling:TerminateInstanceInAutoScalingGroup"
                        ],
                        "condition":[
                           
                        ],
                        "effect":"Allow",
                        "not_actions":[
                           
                        ],
                        "not_principals":[
                           
                        ],
                        "not_resources":[
                           
                        ],
                        "principals":[
                           
                        ],
                        "resources":[
                           "*"
                        ],
                        "sid":"kubernetesClusterautoscaler"
                     }
                  ],
                  "version":"2012-10-17"
               }
            },
            {
               "address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
               "mode":"data",
               "type":"aws_iam_policy_document",
               "name":"iam_assume_role_policy_doc_ec2",
               "provider_name":"registry.terraform.io/hashicorp/aws",
               "schema_version":0,
               "values":{
                  "id":"0000000000",
                  "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
                  "override_json":null,
                  "override_policy_documents":null,
                  "policy_id":null,
                  "source_json":null,
                  "source_policy_documents":null,
                  "statement":[
                     {
                        "actions":[
                           "sts:AssumeRole"
                        ],
                        "condition":[
                           
                        ],
                        "effect":"Allow",
                        "not_actions":[
                           
                        ],
                        "not_principals":[
                           
                        ],
                        "not_resources":[
                           
                        ],
                        "principals":[
                           {
                              "identifiers":[
                                 "ec2.amazonaws.com"
                              ],
                              "type":"Service"
                           }
                        ],
                        "resources":[
                           
                        ],
                        "sid":"ec2"
                     }
                  ],
                  "version":"2012-10-17"
               }
            }
         ],
         "child_modules":[
            {
               "resources":[
                  {
                     "address":"module.iam_ec2_cwa.aws_iam_role_policy_attachment.this",
                     "mode":"managed",
                     "type":"aws_iam_role_policy_attachment",
                     "name":"this",
                     "provider_name":"registry.terraform.io/hashicorp/aws",
                     "schema_version":0,
                     "values":{
                        "policy_arn":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
                     }
                  }
               ],
               "address":"module.iam_ec2_cwa"
            },
            {
               "resources":[
                  {
                     "address":"module.iam_role.aws_iam_role.this",
                     "mode":"managed",
                     "type":"aws_iam_role",
                     "name":"this",
                     "provider_name":"registry.terraform.io/hashicorp/aws",
                     "schema_version":0,
                     "values":{
                        "assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
                        "description":"This is a ROLE description.",
                        "force_detach_policies":false,
                        "max_session_duration":3600,
                        "name_prefix":"sys-exampl-web-",
                        "path":"/ec2/",
                        "permissions_boundary":null,
                        "tags":{
                           "account_id":"00000",
                           "environment":"exampl"
                        },
                        "tags_all":{
                           "account_id":"00000",
                           "environment":"exampl"
                        }
                     }
                  },
                  {
                     "address":"module.iam_role.aws_iam_role_policy_attachment.this[0]",
                     "mode":"managed",
                     "type":"aws_iam_role_policy_attachment",
                     "name":"this",
                     "index":0,
                     "provider_name":"registry.terraform.io/hashicorp/aws",
                     "schema_version":0,
                     "values":{
                        "policy_arn":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
                     }
                  }
               ],
               "address":"module.iam_role"
            }
         ]
      }
   },
   "resource_changes":[
      {
         "address":"data.aws_iam_policy_document.clusterautoscaler",
         "mode":"data",
         "type":"aws_iam_policy_document",
         "name":"clusterautoscaler",
         "provider_name":"registry.terraform.io/hashicorp/aws",
         "change":{
            "actions":[
               "no-op"
            ],
            "before":{
               "id":"111111111",
               "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"kubernetesClusterautoscaler\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n        \"autoscaling:SetDesiredCapacity\",\n        \"autoscaling:DescribeTags\",\n        \"autoscaling:DescribeLaunchConfigurations\",\n        \"autoscaling:DescribeAutoScalingInstances\",\n        \"autoscaling:DescribeAutoScalingGroups\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}",
               "override_json":null,
               "override_policy_documents":null,
               "policy_id":null,
               "source_json":null,
               "source_policy_documents":null,
               "statement":[
                  {
                     "actions":[
                        "autoscaling:DescribeAutoScalingGroups",
                        "autoscaling:DescribeAutoScalingInstances",
                        "autoscaling:DescribeLaunchConfigurations",
                        "autoscaling:DescribeTags",
                        "autoscaling:SetDesiredCapacity",
                        "autoscaling:TerminateInstanceInAutoScalingGroup"
                     ],
                     "condition":[
                        
                     ],
                     "effect":"Allow",
                     "not_actions":[
                        
                     ],
                     "not_principals":[
                        
                     ],
                     "not_resources":[
                        
                     ],
                     "principals":[
                        
                     ],
                     "resources":[
                        "*"
                     ],
                     "sid":"kubernetesClusterautoscaler"
                  }
               ],
               "version":"2012-10-17"
            },
            "after":{
               "id":"1111111111111",
               "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"kubernetesClusterautoscaler\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n        \"autoscaling:SetDesiredCapacity\",\n        \"autoscaling:DescribeTags\",\n        \"autoscaling:DescribeLaunchConfigurations\",\n        \"autoscaling:DescribeAutoScalingInstances\",\n        \"autoscaling:DescribeAutoScalingGroups\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}",
               "override_json":null,
               "override_policy_documents":null,
               "policy_id":null,
               "source_json":null,
               "source_policy_documents":null,
               "statement":[
                  {
                     "actions":[
                        "autoscaling:DescribeAutoScalingGroups",
                        "autoscaling:DescribeAutoScalingInstances",
                        "autoscaling:DescribeLaunchConfigurations",
                        "autoscaling:DescribeTags",
                        "autoscaling:SetDesiredCapacity",
                        "autoscaling:TerminateInstanceInAutoScalingGroup"
                     ],
                     "condition":[
                        
                     ],
                     "effect":"Allow",
                     "not_actions":[
                        
                     ],
                     "not_principals":[
                        
                     ],
                     "not_resources":[
                        
                     ],
                     "principals":[
                        
                     ],
                     "resources":[
                        "*"
                     ],
                     "sid":"kubernetesClusterautoscaler"
                  }
               ],
               "version":"2012-10-17"
            },
            "after_unknown":{
               
            }
         }
      },
      {
         "address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
         "mode":"data",
         "type":"aws_iam_policy_document",
         "name":"iam_assume_role_policy_doc_ec2",
         "provider_name":"registry.terraform.io/hashicorp/aws",
         "change":{
            "actions":[
               "no-op"
            ],
            "before":{
               "id":"0000000000",
               "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
               "override_json":null,
               "override_policy_documents":null,
               "policy_id":null,
               "source_json":null,
               "source_policy_documents":null,
               "statement":[
                  {
                     "actions":[
                        "sts:AssumeRole"
                     ],
                     "condition":[
                        
                     ],
                     "effect":"Allow",
                     "not_actions":[
                        
                     ],
                     "not_principals":[
                        
                     ],
                     "not_resources":[
                        
                     ],
                     "principals":[
                        {
                           "identifiers":[
                              "ec2.amazonaws.com"
                           ],
                           "type":"Service"
                        }
                     ],
                     "resources":[
                        
                     ],
                     "sid":"ec2"
                  }
               ],
               "version":"2012-10-17"
            },
            "after":{
               "id":"00000000000",
               "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
               "override_json":null,
               "override_policy_documents":null,
               "policy_id":null,
               "source_json":null,
               "source_policy_documents":null,
               "statement":[
                  {
                     "actions":[
                        "sts:AssumeRole"
                     ],
                     "condition":[
                        
                     ],
                     "effect":"Allow",
                     "not_actions":[
                        
                     ],
                     "not_principals":[
                        
                     ],
                     "not_resources":[
                        
                     ],
                     "principals":[
                        {
                           "identifiers":[
                              "ec2.amazonaws.com"
                           ],
                           "type":"Service"
                        }
                     ],
                     "resources":[
                        
                     ],
                     "sid":"ec2"
                  }
               ],
               "version":"2012-10-17"
            },
            "after_unknown":{
               
            }
         }
      },
      {
         "address":"module.iam_ec2_cwa.aws_iam_role_policy_attachment.this",
         "module_address":"module.iam_ec2_cwa",
         "mode":"managed",
         "type":"aws_iam_role_policy_attachment",
         "name":"this",
         "provider_name":"registry.terraform.io/hashicorp/aws",
         "change":{
            "actions":[
               "create"
            ],
            "before":null,
            "after":{
               "policy_arn":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
            },
            "after_unknown":{
               "id":true,
               "role":true
            }
         }
      },
      {
         "address":"module.iam_role.aws_iam_role.this",
         "module_address":"module.iam_role",
         "mode":"managed",
         "type":"aws_iam_role",
         "name":"this",
         "provider_name":"registry.terraform.io/hashicorp/aws",
         "change":{
            "actions":[
               "create"
            ],
            "before":null,
            "after":{
               "assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
               "description":"This is a ROLE description.",
               "force_detach_policies":false,
               "max_session_duration":3600,
               "name_prefix":"sys-exampl-web-",
               "path":"/ec2/",
               "permissions_boundary":null,
               "tags":{
                  "account_id":"00000",
                  "environment":"exampl"
               },
               "tags_all":{
                  "account_id":"00000",
                  "environment":"exampl"
               }
            },
            "after_unknown":{
               "arn":true,
               "create_date":true,
               "id":true,
               "inline_policy":true,
               "managed_policy_arns":true,
               "name":true,
               "tags":{
                  
               },
               "tags_all":{
                  
               },
               "unique_id":true
            }
         }
      },
      {
         "address":"module.iam_role.aws_iam_role_policy_attachment.this[0]",
         "module_address":"module.iam_role",
         "mode":"managed",
         "type":"aws_iam_role_policy_attachment",
         "name":"this",
         "index":0,
         "provider_name":"registry.terraform.io/hashicorp/aws",
         "change":{
            "actions":[
               "create"
            ],
            "before":null,
            "after":{
               "policy_arn":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
            },
            "after_unknown":{
               "id":true,
               "role":true
            }
         }
      }
   ],
   "output_changes":{
      "iam_instance_profile_id":{
         "actions":[
            "create"
         ],
         "before":null,
         "after":"",
         "after_unknown":false
      },
      "iam_role_arn":{
         "actions":[
            "create"
         ],
         "before":null,
         "after_unknown":true
      },
      "iam_role_name":{
         "actions":[
            "create"
         ],
         "before":null,
         "after_unknown":true
      },
      "tags":{
         "actions":[
            "create"
         ],
         "before":null,
         "after":[
            {
               "account_id":"00000",
               "environment":"exampl"
            }
         ],
         "after_unknown":false
      }
   },
   "prior_state":{
      "format_version":"0.1",
      "terraform_version":"0.13.6",
      "values":{
         "root_module":{
            "resources":[
               {
                  "address":"data.aws_iam_policy_document.clusterautoscaler",
                  "mode":"data",
                  "type":"aws_iam_policy_document",
                  "name":"clusterautoscaler",
                  "provider_name":"registry.terraform.io/hashicorp/aws",
                  "schema_version":0,
                  "values":{
                     "id":"1111111111111",
                     "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"kubernetesClusterautoscaler\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n        \"autoscaling:SetDesiredCapacity\",\n        \"autoscaling:DescribeTags\",\n        \"autoscaling:DescribeLaunchConfigurations\",\n        \"autoscaling:DescribeAutoScalingInstances\",\n        \"autoscaling:DescribeAutoScalingGroups\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}",
                     "override_json":null,
                     "override_policy_documents":null,
                     "policy_id":null,
                     "source_json":null,
                     "source_policy_documents":null,
                     "statement":[
                        {
                           "actions":[
                              "autoscaling:DescribeAutoScalingGroups",
                              "autoscaling:DescribeAutoScalingInstances",
                              "autoscaling:DescribeLaunchConfigurations",
                              "autoscaling:DescribeTags",
                              "autoscaling:SetDesiredCapacity",
                              "autoscaling:TerminateInstanceInAutoScalingGroup"
                           ],
                           "condition":[
                              
                           ],
                           "effect":"Allow",
                           "not_actions":[
                              
                           ],
                           "not_principals":[
                              
                           ],
                           "not_resources":[
                              
                           ],
                           "principals":[
                              
                           ],
                           "resources":[
                              "*"
                           ],
                           "sid":"kubernetesClusterautoscaler"
                        }
                     ],
                     "version":"2012-10-17"
                  }
               },
               {
                  "address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
                  "mode":"data",
                  "type":"aws_iam_policy_document",
                  "name":"iam_assume_role_policy_doc_ec2",
                  "provider_name":"registry.terraform.io/hashicorp/aws",
                  "schema_version":0,
                  "values":{
                     "id":"0000000000",
                     "json":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"ec2\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      }\n    }\n  ]\n}",
                     "override_json":null,
                     "override_policy_documents":null,
                     "policy_id":null,
                     "source_json":null,
                     "source_policy_documents":null,
                     "statement":[
                        {
                           "actions":[
                              "sts:AssumeRole"
                           ],
                           "condition":[
                              
                           ],
                           "effect":"Allow",
                           "not_actions":[
                              
                           ],
                           "not_principals":[
                              
                           ],
                           "not_resources":[
                              
                           ],
                           "principals":[
                              {
                                 "identifiers":[
                                    "ec2.amazonaws.com"
                                 ],
                                 "type":"Service"
                              }
                           ],
                           "resources":[
                              
                           ],
                           "sid":"ec2"
                        }
                     ],
                     "version":"2012-10-17"
                  }
               },
               {
                  "address":"data.template_file.idpa",
                  "mode":"data",
                  "type":"template_file",
                  "name":"idpa",
                  "provider_name":"registry.terraform.io/hashicorp/template",
                  "schema_version":0,
                  "values":{
                     "filename":null,
                     "id":"0000000000",
                     "rendered":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Federated\": \"cognito-identity.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"cognito-identity.amazonaws.com:aud\": \"example\"\n        },\n        \"ForAnyValue:StringLike\": {\n          \"cognito-identity.amazonaws.com:amr\": \"authenticated\"\n        }\n      }\n    }\n  ]\n}",
                     "template":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Federated\": \"cognito-identity.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"cognito-identity.amazonaws.com:aud\": \"${idpa}\"\n        },\n        \"ForAnyValue:StringLike\": {\n          \"cognito-identity.amazonaws.com:amr\": \"authenticated\"\n        }\n      }\n    }\n  ]\n}",
                     "vars":{
                        "idpa":"example"
                     }
                  }
               }
            ]
         }
      }
   },
   "configuration":{
      "provider_config":{
         "aws":{
            "name":"aws",
            "expressions":{
               "region":{
                  "references":[
                     "var.aws_region"
                  ]
               }
            }
         }
      },
      "root_module":{
         "outputs":{
            "iam_instance_profile_id":{
               "expression":{
                  "references":[
                     "module.iam_role.iam_instance_profile_id"
                  ]
               }
            },
            "iam_role_arn":{
               "expression":{
                  "references":[
                     "module.iam_role.iam_role_arn"
                  ]
               }
            },
            "iam_role_name":{
               "expression":{
                  "references":[
                     "module.iam_role.iam_role_arn"
                  ]
               }
            },
            "tags":{
               "expression":{
                  "references":[
                     "module.iam_role.tags"
                  ]
               },
               "description":"The tags attached to the role"
            }
         },
         "resources":[
            {
               "address":"data.aws_iam_policy_document.clusterautoscaler",
               "mode":"data",
               "type":"aws_iam_policy_document",
               "name":"clusterautoscaler",
               "provider_config_key":"aws",
               "expressions":{
                  "statement":[
                     {
                        "actions":{
                           "constant_value":[
                              "autoscaling:DescribeAutoScalingGroups",
                              "autoscaling:DescribeAutoScalingInstances",
                              "autoscaling:DescribeLaunchConfigurations",
                              "autoscaling:DescribeTags",
                              "autoscaling:SetDesiredCapacity",
                              "autoscaling:TerminateInstanceInAutoScalingGroup"
                           ]
                        },
                        "effect":{
                           "constant_value":"Allow"
                        },
                        "resources":{
                           "constant_value":[
                              "*"
                           ]
                        },
                        "sid":{
                           "constant_value":"kubernetesClusterautoscaler"
                        }
                     }
                  ]
               },
               "schema_version":0
            },
            {
               "address":"data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2",
               "mode":"data",
               "type":"aws_iam_policy_document",
               "name":"iam_assume_role_policy_doc_ec2",
               "provider_config_key":"aws",
               "expressions":{
                  "statement":[
                     {
                        "actions":{
                           "constant_value":[
                              "sts:AssumeRole"
                           ]
                        },
                        "principals":[
                           {
                              "identifiers":{
                                 "constant_value":[
                                    "ec2.amazonaws.com"
                                 ]
                              },
                              "type":{
                                 "constant_value":"Service"
                              }
                           }
                        ],
                        "sid":{
                           "constant_value":"ec2"
                        }
                     }
                  ]
               },
               "schema_version":0
            },
            {
               "address":"data.template_file.idpa",
               "mode":"data",
               "type":"template_file",
               "name":"idpa",
               "provider_config_key":"template",
               "expressions":{
                  "template":{
                     "references":[
                        "path.module"
                     ]
                  },
                  "vars":{
                     "constant_value":{
                        "idpa":"example"
                     }
                  }
               },
               "schema_version":0
            }
         ],
         "module_calls":{
            "iam_ec2_cwa":{
               "source":"../policy-attachment/",
               "expressions":{
                  "attached_role":{
                     "references":[
                        "module.iam_role.iam_role_name"
                     ]
                  },
                  "policy_arn":{
                     "constant_value":"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
                  }
               },
               "module":{
                  "resources":[
                     {
                        "address":"aws_iam_role_policy_attachment.this",
                        "mode":"managed",
                        "type":"aws_iam_role_policy_attachment",
                        "name":"this",
                        "provider_config_key":"iam_ec2_cwa:aws",
                        "expressions":{
                           "policy_arn":{
                              "references":[
                                 "var.policy_arn"
                              ]
                           },
                           "role":{
                              "references":[
                                 "var.attached_role"
                              ]
                           }
                        },
                        "schema_version":0
                     }
                  ],
                  "variables":{
                     "attached_role":{
                        "description":"Custom variable: specify the role name where this policy will be attached."
                     },
                     "policy_arn":{
                        "default":null,
                        "description":"The ARN of the policy you want to apply."
                     }
                  }
               }
            },
            "iam_role":{
               "source":"../",
               "expressions":{
                  "account_id":{
                     "references":[
                        "local.account_id"
                     ]
                  },
                  "assume_role_policy":{
                     "references":[
                        "data.aws_iam_policy_document.iam_assume_role_policy_doc_ec2"
                     ]
                  },
                  "create_instance_profile":{
                     "references":[
                        "var.create_instance_profile"
                     ]
                  },
                  "customer_id":{
                     "references":[
                        "local.customer_id"
                     ]
                  },
                  "description_iam_policy":{
                     "references":[
                        "var.description_iam_policy"
                     ]
                  },
                  "description_iam_role":{
                     "references":[
                        "var.description_iam_role"
                     ]
                  },
                  "environment":{
                     "references":[
                        "local.environment"
                     ]
                  },
                  "policy_arn":{
                     "constant_value":"arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
                  },
                  "policy_path":{
                     "references":[
                        "var.policy_path"
                     ]
                  },
                  "role":{
                     "constant_value":"web"
                  },
                  "tags":{
                     "references":[
                        "local.common_tags"
                     ]
                  }
               },
               "module":{
                  "outputs":{
                     "iam_instance_profile_id":{
                        "expression":{
                           "references":[
                              "aws_iam_instance_profile.this"
                           ]
                        },
                        "description":"The ID of the IAM instance"
                     },
                     "iam_permission_policy_arn":{
                        "expression":{
                           "references":[
                              "aws_iam_policy.this"
                           ]
                        },
                        "description":"The ARN specifying the policy"
                     },
                     "iam_role_arn":{
                        "expression":{
                           "references":[
                              "aws_iam_role.this"
                           ]
                        },
                        "description":"The ARN specifying the role"
                     },
                     "iam_role_name":{
                        "expression":{
                           "references":[
                              "aws_iam_role.this"
                           ]
                        },
                        "description":"The name of the role"
                     },
                     "tags":{
                        "expression":{
                           "references":[
                              "aws_iam_role.this"
                           ]
                        },
                        "description":"The tags attached to the role"
                     }
                  },
                  "resources":[
                     {
                        "address":"aws_iam_instance_profile.this",
                        "mode":"managed",
                        "type":"aws_iam_instance_profile",
                        "name":"this",
                        "provider_config_key":"iam_role:aws",
                        "expressions":{
                           "name":{
                              "references":[
                                 "var.name",
                                 "var.name"
                              ]
                           },
                           "name_prefix":{
                              "references":[
                                 "var.name",
                                 "var.customer_id",
                                 "var.environment"
                              ]
                           },
                           "role":{
                              "references":[
                                 "aws_iam_role.this"
                              ]
                           }
                        },
                        "schema_version":0,
                        "count_expression":{
                           "references":[
                              "var.create_instance_profile"
                           ]
                        }
                     },
                     {
                        "address":"aws_iam_policy.this",
                        "mode":"managed",
                        "type":"aws_iam_policy",
                        "name":"this",
                        "provider_config_key":"iam_role:aws",
                        "expressions":{
                           "description":{
                              "references":[
                                 "var.description_iam_policy"
                              ]
                           },
                           "name":{
                              "references":[
                                 "var.name",
                                 "var.name"
                              ]
                           },
                           "name_prefix":{
                              "references":[
                                 "var.name",
                                 "var.customer_id",
                                 "var.environment"
                              ]
                           },
                           "path":{
                              "references":[
                                 "var.policy_path"
                              ]
                           },
                           "policy":{
                              "references":[
                                 "var.iam_policy_permission"
                              ]
                           }
                        },
                        "schema_version":0,
                        "count_expression":{
                           "references":[
                              "var.iam_policy_permission"
                           ]
                        }
                     },
                     {
                        "address":"aws_iam_role.this",
                        "mode":"managed",
                        "type":"aws_iam_role",
                        "name":"this",
                        "provider_config_key":"iam_role:aws",
                        "expressions":{
                           "assume_role_policy":{
                              "references":[
                                 "var.assume_role_policy"
                              ]
                           },
                           "description":{
                              "references":[
                                 "var.description_iam_role"
                              ]
                           },
                           "name":{
                              "references":[
                                 "var.name",
                                 "var.name"
                              ]
                           },
                           "name_prefix":{
                              "references":[
                                 "var.name",
                                 "var.customer_id",
                                 "var.environment",
                                 "var.role"
                              ]
                           },
                           "path":{
                              "references":[
                                 "var.policy_path"
                              ]
                           },
                           "tags":{
                              "references":[
                                 "var.tags"
                              ]
                           }
                        },
                        "schema_version":0
                     },
                     {
                        "address":"aws_iam_role_policy_attachment.this",
                        "mode":"managed",
                        "type":"aws_iam_role_policy_attachment",
                        "name":"this",
                        "provider_config_key":"iam_role:aws",
                        "expressions":{
                           "policy_arn":{
                              "references":[
                                 "var.iam_policy_permission",
                                 "aws_iam_policy.this[0]",
                                 "var.policy_arn"
                              ]
                           },
                           "role":{
                              "references":[
                                 "aws_iam_role.this"
                              ]
                           }
                        },
                        "schema_version":0,
                        "count_expression":{
                           "references":[
                              "var.iam_policy_permission",
                              "var.policy_arn"
                           ]
                        }
                     }
                  ],
                  "variables":{
                     "account_id":{
                        "description":"Custom variable: specify a `account_id`, or `111111` (six one) for internal use."
                     },
                     "assume_role_policy":{
                        "description":"The policy that grants an entity permission to assume the role."
                     },
                     "create_instance_profile":{
                        "default":false,
                        "description":"Custom variable: boolean - specify `true` to create and IAM instance profile. Default is `false`."
                     },
                     "customer_id":{
                        "description":"Custom variable: specify the 3-character customer ID."
                     },
                     "description_iam_policy":{
                        "default":null,
                        "description":"The description of the role policy."
                     },
                     "description_iam_role":{
                        "default":null,
                        "description":"The description of the role."
                     },
                     "environment":{
                        "description":"Specify the environment. Can be one of `dev`, `stg`, `uat`, `oat`, `prd`."
                     },
                     "force_detach_policies":{
                        "default":null,
                        "description":"Specifies to force detaching any policies the role has before destroying it. Defaults to false."
                     },
                     "iam_policy_permission":{
                        "default":null,
                        "description":"Custom variable: The permission policy document."
                     },
                     "max_session_duration":{
                        "default":12,
                        "description":"(Optional) The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours."
                     },
                     "name":{
                        "default":null,
                        "description":"The name of the resource. This is an override."
                     },
                     "path":{
                        "default":null,
                        "description":"The path to the role."
                     },
                     "policy_arn":{
                        "default":null,
                        "description":"The ARN of the policy you want to apply."
                     },
                     "policy_path":{
                        "default":null,
                        "description":"The path of the policy in IAM."
                     },
                     "role":{
                        "default":null,
                        "description":"Custom variable: specify a descriptive role / purpose for the resource."
                     },
                     "tags":{
                        "default":{
                           
                        },
                        "description":"Specify a map of tags."
                     }
                  }
               }
            }
         },
         "variables":{
            "account_id":{
               "description":"Specify the 5-digit customer account ID below."
            },
            "aws_region":{
               "description":"Instantiate the `aws_region` variable. This will be passed either from the CLI or Terraform Enterprise Workspace Terraform variables."
            },
            "create_instance_profile":{
               "default":false,
               "description":"Custom variable: boolean - specify `true` to create and IAM instance profile. Default is `false`."
            },
            "customer_id":{
               "description":"Specify a customer name."
            },
            "description_iam_policy":{
               "default":null,
               "description":"The description of the role policy."
            },
            "description_iam_role":{
               "default":null,
               "description":"The description of the role."
            },
            "environment":{
               "description":"Specify the environment. Can be one of `dev`, `stg`, `uat`, `oat`, `prd`."
            },
            "iam_policy_description":{
               "default":null,
               "description":"Description of the IAM policy (forces new resource)."
            },
            "iam_policy_permission":{
               "default":null,
               "description":"Custom variable: IAM permission policy (typically passed in from infrastructure module)."
            },
            "policy_path":{
               "default":null,
               "description":"Path in which to create the policy."
            },
            "role":{
               "default":null,
               "description":"Custom variable: specify a descriptive role / purpose for the resource."
            },
            "tags":{
               "default":{
                  
               },
               "description":"Specify a map of tags."
            }
         }
      }
   }
}

ranopriyo-neogy avatar Jun 08 '21 13:06 ranopriyo-neogy

Hello, I went through the state file thoroughly and couldn't find any aws_iam_policy resource created. Yes, there is a reference within a module which is referencing module.iam_role.iam_permission_policy_arn, but there is no resource record related to the aws_iam_policy resource here. Either I am seeing something wrong, or it's referenced but not created.

Can you please confirm if you see the module.iam_role.aws_iam_policy.this resource created/modified/deleted within your plan?

eerkunt avatar Jun 09 '21 20:06 eerkunt

Hello, I went through the state file thoroughly and couldn't find any aws_iam_policy resource created. Yes, there is a reference within a module which is referencing module.iam_role.iam_permission_policy_arn, but there is no resource record related to the aws_iam_policy resource here. Either I am seeing something wrong, or it's referenced but not created.

Can you please confirm if you see the module.iam_role.aws_iam_policy.this resource created/modified/deleted within your plan?

I don't see that in the plan either. Is there a way I can refer to the aws_iam_policy below:

{
  "address":"aws_iam_policy.this",
  "mode":"managed",
  "type":"aws_iam_policy",
  "name":"this",
  "provider_config_key":"iam_role:aws",
  "expressions":{
    "description":{
      "references":[
        "var.description_iam_policy"
      ]
    },
    "name":{
      "references":[
        "var.name",
        "var.name"
      ]
    },
    "name_prefix":{
      "references":[
        "var.name",
        "var.customer_id",
        "var.environment"
      ]
    },
    "path":{
      "references":[
        "var.policy_path"
      ]
    },
    "policy":{
      "references":[
        "var.iam_policy_permission"
      ]
    }
  },
  "schema_version":0,
  "count_expression":{
    "references":[
      "var.iam_policy_permission"
    ]
  }
},

ranopriyo-neogy avatar Jun 09 '21 21:06 ranopriyo-neogy

I see something similar to this with an assume_role_policy setting when it points to another resource. It then ends up in expressions in the configuration section of the JSON plan file and not in the main values of the role resource.

So it skips the check.

Attached is the zipped-up JSON plan.

And here is the actual Terraform and the output from terraform-compliance showing the assume_role_policy getting completely missed.

Terraform:

resource "aws_iam_openid_connect_provider" "dummy" {
  url = "https://dummy"

  client_id_list = []

  thumbprint_list = []
}

resource "aws_iam_role" "dummy" {
  name               = "dummy"
  assume_role_policy = data.aws_iam_policy_document.dummy_assume_role_policy.json
}

data "aws_iam_policy_document" "dummy_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = [aws_iam_openid_connect_provider.dummy.arn]
      type        = "Federated"
    }
  }
}

Terraform compliance output:

This feature checks stuff about the role

Scenario: Reject if something about the role
    Given I have aws_iam_role defined
    💡 SKIPPING: Can not find any assume_role_policy property for aws_iam_role resource in terraform plan.
    💡 SKIPPING: Skipping the step since resource type does not have assume_role_policy property.
    When it has assume_role_policy

Feature:

    Scenario: Reject if something about the role
        Given I have aws_iam_role defined
        When it has assume_role_policy
        Then it must contain assume_role_policy

So I believe it is because the link to the assume_role_policy document is not in the main resources section but in the configuration section which has this:

              {
                "address": "aws_iam_role.dummy",
                "mode": "managed",
                "type": "aws_iam_role",
                "name": "dummy",
                "provider_config_key": "secondary:aws",
                "expressions": {
                  "assume_role_policy": {
                    "references": [
                      "data.aws_iam_policy_document.dummy_assume_role_policy.json",
                      "data.aws_iam_policy_document.dummy_assume_role_policy"
                    ]
                  },
                  "name": { "constant_value": "dummy" }
                },
                "schema_version": 0
              },

mungojam avatar Feb 13 '22 16:02 mungojam
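Both reports above come down to the same two plan-JSON facts: a value that is only known after apply (a reference to another resource or data source) is omitted from `planned_values` and survives only as a `references` entry in the `configuration` section, and a resource whose `count` evaluates to zero (the `aws_iam_policy.this` with `count = var.iam_policy_permission == null ? 0 : 1`) has no planned instance at all. The script below is an added example, not code from terraform-compliance or from either reporter; it walks a plan JSON and, for every managed resource in the configuration, reports whether any instance is planned and which attributes exist only as expressions, so you can tell a genuinely missing resource from an attribute that a `When it has <attr>` step cannot see. The embedded plan is a constructed, trimmed sample that mirrors the structures quoted in this thread, not the real plan.out.json, and the function names are mine.

```python
import json
import sys

# Constructed sample plan (not the reporter's plan.out.json). It mirrors the
# thread: aws_iam_role.dummy's assume_role_policy is a reference (unknown until
# apply, so absent from planned_values); module.iam_role.aws_iam_policy.this
# has a count_expression that evaluated to zero, so it is never planned.
SAMPLE_PLAN = json.loads(r"""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "aws_iam_role.dummy", "mode": "managed", "type": "aws_iam_role",
       "name": "dummy", "values": {"name": "dummy", "path": "/"}}
    ],
    "child_modules": [
      {"address": "module.iam_role", "resources": [
        {"address": "module.iam_role.aws_iam_role.this", "mode": "managed",
         "type": "aws_iam_role", "name": "this",
         "values": {"description": "web role", "path": "/"}}
      ]}
    ]
  }},
  "configuration": {"root_module": {
    "resources": [
      {"address": "aws_iam_role.dummy", "mode": "managed", "type": "aws_iam_role",
       "name": "dummy", "expressions": {
         "assume_role_policy": {"references": ["data.aws_iam_policy_document.dummy_assume_role_policy"]},
         "name": {"constant_value": "dummy"}}}
    ],
    "module_calls": {"iam_role": {"source": "../", "module": {"resources": [
      {"address": "aws_iam_policy.this", "mode": "managed", "type": "aws_iam_policy",
       "name": "this",
       "expressions": {"policy": {"references": ["var.iam_policy_permission"]}},
       "count_expression": {"references": ["var.iam_policy_permission"]}},
      {"address": "aws_iam_role.this", "mode": "managed", "type": "aws_iam_role",
       "name": "this", "expressions": {
         "assume_role_policy": {"references": ["var.assume_role_policy"]},
         "description": {"references": ["var.description_iam_role"]}}}
    ]}}}
  }}
}
""")


def planned_resources(plan):
    """Flatten planned_values into {address: values} across all child modules."""
    out = {}

    def walk(module):
        for res in module.get("resources", []):
            out[res["address"]] = res.get("values") or {}
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return out


def configured_resources(plan):
    """Flatten the configuration section, prefixing module_calls so the
    addresses line up with planned_values (module.<name>.<type>.<name>)."""
    out = {}

    def walk(module, prefix):
        for res in module.get("resources", []):
            out[prefix + res["address"]] = res
        for name, call in module.get("module_calls", {}).items():
            walk(call.get("module", {}), f"{prefix}module.{name}.")

    walk(plan.get("configuration", {}).get("root_module", {}), "")
    return out


def explain_skips(plan):
    """Return {address: {"planned": bool, "expression_only": [attr, ...]}}.
    'planned' is False when no instance (plain, [N] or ["key"]) exists in
    planned_values, e.g. count evaluated to 0. 'expression_only' lists
    attributes wired to references in the configuration but missing from every
    planned instance, i.e. unknown until apply and invisible to a value check."""
    planned = planned_resources(plan)
    report = {}
    for address, cfg in configured_resources(plan).items():
        if cfg.get("mode") != "managed":
            continue  # data sources are never the subject of these steps
        instances = [v for a, v in planned.items()
                     if a == address or a.startswith(address + "[")]
        entry = {"planned": bool(instances), "expression_only": []}
        for attr, expr in cfg.get("expressions", {}).items():
            if instances and "references" in expr and all(
                    inst.get(attr) is None for inst in instances):
                entry["expression_only"].append(attr)
        report[address] = entry
    return report


if __name__ == "__main__":
    # Usage: python plan_skips.py [plan.out.json]; defaults to the sample above.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr, info in explain_skips(plan).items():
        state = "planned" if info["planned"] else "NOT planned (count 0 or removed)"
        print(f"{addr}: {state}; expression-only attrs: {info['expression_only']}")
```

Run against the sample, `module.iam_role.aws_iam_policy.this` is reported as not planned (which is what the maintainer's reply points at: the policy is referenced but never created because `iam_policy_permission` is null), while both `aws_iam_role` resources show `assume_role_policy` as expression-only, the case in the second report. For the real file, look up the attribute under `resource_changes[].change.after_unknown` to confirm it is merely unknown rather than absent; a step that needs the rendered policy document has nothing to evaluate until the data source is known, so the practical fix is to assert on the data source's own `statement` values, or run the check against the plan of an apply in which the referenced resource already exists.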