タダです.
terraform-aws-provider 5.68.0 で以下の引用文にあるように aws_iam_role
にて inline_policy
を使用するのが非推奨になり aws_iam_role_policy
が代替先になりました.この記事では,そのリソースの改修を行った備忘録を書きます.
resource/aws_iam_role: The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead.
inline_policy
から aws_iam_role_policy
へ書き換え
aws_iam_role
のinline_policy
を使用していた下記の IAM リソースがあったとします.この状況で terraform plan
を試すと Warning: Argument is deprecated
が表示されます.
data "aws_iam_policy_document" "ecs_task_assume" { statement { effect = "Allow" actions = [ "sts:AssumeRole", ] principals { type = "Service" identifiers = [ "ecs-tasks.amazonaws.com", ] } } } resource "aws_iam_role" "blog_role" { name = "blog-role" assume_role_policy = data.aws_iam_policy_document.ecs_task_assume.json inline_policy { name = "blog-role-inline-policy" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "s3:*", ] Effect = "Allow" Resource = [ "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*", ] }, ] }) } }
terraform plan 実行結果
Warning: Argument is deprecated with aws_iam_role.blog_role, on blog_role.tf line 15, in resource "aws_iam_role" "blog_role": 15: resource "aws_iam_role" "blog_role" { Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.
この状態で inline_policy
から aws_iam_role_polcy
へ書き換えしてみます.
resource "aws_iam_role" "blog_role" { name = "blog-role" assume_role_policy = data.aws_iam_policy_document.ecs_task_assume.json } resource "aws_iam_role_policy" "blog_role_inline_policy" { name = "blog-role-inline-policy" role = aws_iam_role.blog_role.id policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "s3:*", ] Effect = "Allow" Resource = [ "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*", ] }, ] }) }
この状態で terraform plan
を実行してみるとインラインポリシーが削除されず新規リソースが追加される結果になりました.
# aws_iam_role_policy.blog_role_inline_policy will be created + resource "aws_iam_role_policy" "blog_role_inline_policy" { + id = (known after apply) + name = "blog-role-inline-policy" + name_prefix = (known after apply) + policy = jsonencode( { + Statement = [ + { + Action = [ + "s3:*", ] + Effect = "Allow" + Resource = [ + "arn:aws:s3:::somebucket", + "arn:aws:s3:::somebucket/*", ] }, ] + Version = "2012-10-17" } ) + role = "blog-role" } Plan: 1 to add, 0 to change, 0 to destroy.
この状態だと既存リソースとコンフリクトしてしまうため,import ブロックを追加します.これで既存のリソースに影響が出ない形で Deperecated なコードの対応ができました.
import { to = aws_iam_role_policy.blog_role_inline_policy id = "blog-role:blog-role-inline-policy" }
まとめ
aws_iam_role
の inline_policy
を使用するのが非推奨になったため aws_iam_role_policy
に書き換えを行ったときの対応を備忘録にしました.