How to Create IAM Role Using Terraform


In this guide, you will learn how to create an IAM role with Terraform, step by step.

To create an IAM role for use with an EC2 instance, you need to do the following.

  1. Create an IAM policy granting the required permissions on AWS resources.
  2. Create an IAM role.
  3. Attach the policy to the role.
  4. Create an instance profile and associate it with the role.

Note: In the console, you attach an IAM role to an instance directly. When you create instances through the CLI or Terraform, you attach an instance profile instead.

Terraform IAM Role Script

Here is the full Terraform script to create an IAM role and instance profile with a policy.

To adapt this configuration to your needs, replace the variable defaults (instance profile, policy and role names) and the policy statements with values that suit your requirements. You can use the AWS Policy Generator to create the required policy document.

provider "aws" {
  region = "us-west-2"
}

variable "instance_profile_name" {
  type    = string
  default = "example-instance-profile"
}

variable "iam_policy_name" {
  type    = string
  default = "example-policy"
}

variable "role_name" {
  type    = string
  default = "example-role"
}

# Create an IAM policy
resource "aws_iam_policy" "jenkins_iam_policy" {
  name = var.iam_policy_name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "secretsmanager:GetSecretValue",
          "ssm:GetParameter",
          "ssm:GetParameters",
          "ssm:GetParametersByPath"
        ]
        # Scope this to the ARNs of the specific secrets/parameters the instance needs
        # instead of "*", so the role cannot read every secret in the account.
        Resource = "*"
      }
    ]
  })
}

# Create an IAM role
resource "aws_iam_role" "jenkins_role" {
  name = var.role_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# Attach the IAM policy to the IAM role.
# aws_iam_role_policy_attachment adds one attachment without touching others;
# aws_iam_policy_attachment is exclusive and detaches the policy from every
# user, group and role it does not manage.
resource "aws_iam_role_policy_attachment" "jenkins_role_policy_attachment" {
  policy_arn = aws_iam_policy.jenkins_iam_policy.arn
  role       = aws_iam_role.jenkins_role.name
}

# Create an IAM instance profile
resource "aws_iam_instance_profile" "jenkins_instance_profile" {
  name = var.instance_profile_name
  role = aws_iam_role.jenkins_role.name
}

Additionally, you may want to consider converting this configuration into a module format for easier reuse and maintainability across your infrastructure.
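Before applying, it is worth reviewing the two policy documents the script generates. The following Python linter is an added example, not part of the original script: it reads constructed copies of the permissions policy and the trust policy above and flags secret-reading actions granted on Resource "*" and any principal other than ec2.amazonaws.com that may assume the role. The scoped variant and its account id and ARNs are placeholders.

```python
import json

# Actions that return secret material; granting them on every resource is the finding.
SENSITIVE_READS = {"secretsmanager:GetSecretValue", "ssm:GetParameter",
                   "ssm:GetParameters", "ssm:GetParametersByPath"}

# Constructed copy of the policy document the Terraform script above produces.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters",
             "ssm:GetParametersByPath"], "Resource": "*"}]}""")

# Constructed scoped variant: same actions limited to one secret and one parameter path (placeholder ids).
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
   "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:jenkins/*"},
  {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
   "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/jenkins/*"}]}""")

# Constructed copy of the trust policy from the aws_iam_role resource above.
PAGE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]


def wildcard_sensitive_grants(policy):
    """Sensitive actions that some Allow statement grants with Resource "*"."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            hits += [a for a in _as_list(stmt.get("Action", []))
                     if a in SENSITIVE_READS or a == "*" or a.endswith(":*")]
    return hits


def unexpected_principals(trust_policy, expected_service):
    """Principals allowed to assume the role other than the one service we expect."""
    bad = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal  # bare "*" means anyone
        for kind, who in principal.items():
            bad += [f"{kind}:{p}" for p in _as_list(who)
                    if not (kind == "Service" and p == expected_service)]
    return bad
```

Run against the page's policy it reports all four read actions on "*"; against the scoped variant it reports nothing, and the trust policy passes with only ec2.amazonaws.com.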

Create IAM Role Using Terraform

To execute the script, first initialize Terraform from the folder that contains the Terraform script.

This will download the necessary provider plugins.

terraform init

Now execute the plan. It will show a summary of the actions Terraform intends to take and any potential issues or conflicts that it detects with your configuration.

terraform plan

If you are ok with the plan summary, you can apply the configuration using the following command.

terraform apply --auto-approve

Attach Instance Profile to ec2 Instance

Here is an example Terraform script that attaches an instance profile to an EC2 instance.

Set iam_instance_profile to the name of the instance profile you created in the Terraform IAM role script.

resource "aws_instance" "example_instance" {
  ami           = "ami-1234567890"
  instance_type = "t2.micro"
  key_name      = "key_pair_name"
  subnet_id     = "subnet-058a7514ba8adbb07"

  # iam_instance_profile is a string argument (the profile name), not a block.
  # Referencing the resource assumes this lives in the same configuration as
  # the IAM role script above; otherwise supply the profile name as a literal.
  iam_instance_profile = aws_iam_instance_profile.jenkins_instance_profile.name

  tags = {
    Name = "example_instance"
  }
}

Conclusion

In this guide, we looked at IAM role provisioning using Terraform.

If you are working on RDS, take a look at Terraform AWS rds provisioning guide.
