Terraform-provider-aws: Add support for service-linked roles
AWS recently introduced "service-linked roles" - a more secure way of delegating permissions to other AWS services. Trust policy of such roles cannot be modified and only the linked service can assume such role.
Use Case
These roles are especially useful in AWS accounts where "powerful" services like CloudFormation, Elastic Beanstalk, etc. are used, but IAM admin wants to reduce chances of users/instances assuming traditional service roles.
Implementation
I'm not sure whether this an enhancement to existing aws_iam_role resource or best be treated as a new resource. While output of the API is the same Role object, API input parameters are different. It might be more straightforward for end users to create/import and configure this as a separate resource, especially since it cannot be attached to instance profile or assumed by principals other than AWS service.
References
sshvetsov
All 9 comments
Hi,
Any update on this?
tv-17
on 11 Aug 2017
Given the very different interface for CreateServiceLinkedRole compared to the general CreateRole, I think a new resource makes sense here. Ideally it'd export the attributes of the resulting role object using the same attribute names and types as aws_role uses for input, so that interpolations for attributes of both will be as similar as possible.
resource "aws_iam_service_linked_role" "example" {
aws_service_name = "elasticbeanstalk.amazonaws.com"
}
resource "aws_iam_role_policy" "example" {
name = "example"
role = "${aws_iam_service_linked_role.example.name}"
policy = ...
}
output "role_arn" {
value = "${aws_iam_service_linked_role.example.arn}"
}
The Terraform team at HashiCorp is not currently working on this particular issue. It's likely that we'll get to it at some point since it's a good general UX improvement for using a lot of AWS services -- how to write working assume role policies is a very common question! However, if someone else has the time and motivation to work on this sooner we'd be happy to review a PR for it.
apparentlymart
on 11 Aug 2017
It should be noted that service-linked roles are automatically created. Also, in at least some cases (certainly, for aws_appautoscaling_target), AWS also insists on overriding your choice of role and using the service-linked role instead. This has meant that newly created aws_appautoscaling_target resources are appearing as tainted every time.
jammycakes
on 9 Jan 2018
Cloudwatch events are affected as well:
does not create AWSServiceRoleForCloudWatchEvents.
terraform 0.11.2
bashoKa
on 7 Feb 2018
I just ran into this issue trying to setup a new ecs service. I cannot assign a regular role to a new ecs service anymore, it requires a service linked role.
toddbluhm
on 3 Mar 2018
+1 to this, would be something really useful.
ungureanuvladvictor
on 27 Mar 2018
The initial aws_iam_service_linked_role resource has been merged into master and will release with v1.15.0 of the AWS provider, likely in a week. 🎉
bflad
on 12 Apr 2018
This has been released in version 1.15.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
bflad
on 18 Apr 2018
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 6 Apr 2020
Related issues
andywirv
·
3Comments
reedloden
·
3Comments
hashibot
·
3Comments
hashibot
·
3Comments
carmas
·
3Comments
Most helpful comment
The initial
aws_iam_service_linked_roleresource has been merged into master and will release with v1.15.0 of the AWS provider, likely in a week. 🎉