Nested Modules can’t pass down IAM policy from the top layer

I'm working with nested modules and having trouble passing down an IAM policy from the top level to the last layer. The goal is not to have this policy located in modules where it's being used by other things in the environment.

TF Version: 11.x

Currently my top layer is located here with the policy that I need to pass down and the module. Example initial location: env/prod/sns.tf

    data "aws_iam_policy_document" "kms_iam" {
      statement {
        sid    = "1"
        effect = "Allow"

        actions = [
          "kms:*",
        ]

        principals {
          type = "AWS"

          identifiers = [
            "*",
          ]
        }

        resources = [
          "*",
        ]
      }
    }

    module "requests_topic" {
      source     = "./all/generic/sns-topic"
      topic_name = "sns-topic"
      kms_json   = "${data.aws_iam_policy_document.kms_iam.json}"
    }

The second layer module (create_key) is located at ./all/generic/sns-topic which is called from the first module requests_topic.

    locals {
      topic_name = "${var.topic_name}"
    }

    resource "aws_sns_topic" "main" {
      ... # bunch of logic to create topics
    }

    module "create_key" {
      source      = "../../kms/key"
      description = "${local.topic_name} KMS"
    }

The last layer module, located in ../../kms/key, is where I need the aws_iam_policy_document to be passed to. The ultimate goal is that, if I'm able to pass the policy to this layer, the policy will only be appended if kms_json exists in the top layer, using override_json.

    resource "aws_kms_key" "main" {
      policy = "${data.aws_iam_policy_document.key_policy.json}"
    }

    data "aws_iam_policy_document" "key_policy" {
      source_json   = "${var.enable_sns ? data.aws_iam_policy_document.allow_sns.json : "{}"}"
      override_json = "${var.kms_iam_arn == "" ? "{}" : data.aws_iam_policy_document.allow_iam.json}"

      statement {
        effect = "Allow"

        actions = [
          "kms:*",
        ]

        principals {
          type = "AWS"

          identifiers = [
            "*",
          ]
        }

        resources = [
          "*",
        ]
      }
    }

Hope that makes sense :/

submitted by /u/shibax2
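Added example (not from the post above): the mechanism the post is reaching for is a plain pass-through, where each intermediate module declares the variable and forwards it, and the leaf module feeds it to override_json only when non-empty. Terraform 0.11 syntax; the account id, file layout and the enable_sns/allow_sns pieces are assumptions, not the poster's code.

```hcl
# env/prod/sns.tf (top layer): the policy document lives only here.
data "aws_iam_policy_document" "kms_iam" {
  statement {
    sid       = "KeyAdmins"  # non-blank sid: it REPLACES a same-sid statement in source_json
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]  # assumed account; "*" would open the key to any principal
    }
  }
}

module "requests_topic" {
  source     = "./all/generic/sns-topic"
  topic_name = "sns-topic"
  kms_json   = "${data.aws_iam_policy_document.kms_iam.json}"
}

# all/generic/sns-topic/main.tf (middle layer): declare the input and forward it unchanged.
variable "topic_name" {}

variable "kms_json" {
  description = "Optional IAM policy JSON appended to the KMS key policy"
  default     = ""
}

module "create_key" {
  source      = "../../kms/key"
  description = "${var.topic_name} KMS"
  kms_json    = "${var.kms_json}"
}

# kms/key/main.tf (last layer): merge only when a document was supplied.
variable "description" {}

variable "kms_json" {
  default = ""
}

data "aws_iam_policy_document" "key_policy" {
  # "{}" parses as an empty document, so an unset input adds nothing.
  override_json = "${var.kms_json == "" ? "{}" : var.kms_json}"

  statement {
    sid       = "RootAccount"  # distinct sid, so the override is appended rather than replacing it
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]  # assumed account
    }
  }
}

resource "aws_kms_key" "main" {
  description = "${var.description}"
  policy      = "${data.aws_iam_policy_document.key_policy.json}"
}
```

Every layer between the caller and the key module must declare and forward `kms_json`; Terraform does not let a nested module read a variable from a grandparent. Check the merged result with `terraform plan` and confirm the key policy still contains a statement that lets the account root manage the key, otherwise an overly narrow override can lock you out of the key.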

Read more here: https://www.reddit.com/r/Terraform/comments/nxa8w2/nested_modules_cant_pass_down_iam_policy_from_the/

Content Attribution

This content was originally published by /u/shibax2 at Terraform, and is syndicated here via their RSS feed. You can read the original post over there.
