
terraform note

Last updated at Posted at 2015-12-02

Attaching an AWS managed IAM policy to an EC2 instance role

iam.tf
# Instance profile that hands the role below to EC2. An instance launched with
# this profile obtains temporary credentials for that role, so the role's
# permissions are exactly what the instance can do.
resource "aws_iam_instance_profile" "test_profile" {
    roles = ["${aws_iam_role.role.name}"]
    name  = "test_profile"
}

# Role assumed by EC2 instances via the instance profile above.
resource "aws_iam_role" "role" {
    name = "test_role"
    path = "/"
    # Trust policy: only the EC2 service principal (ec2.amazonaws.com) is
    # allowed to call sts:AssumeRole on this role. It grants no permissions
    # by itself; those come from the managed policy attached separately.
    assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

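# Attach the AWS managed read-only EC2 policy to the role.
#
# aws_iam_role_policy_attachment is used instead of aws_iam_policy_attachment:
# the latter is exclusive, so applying it detaches the policy from every other
# role, user and group in the account that is not listed in its `roles`
# argument. This resource manages only this single role/policy pair and leaves
# other attachments of AmazonEC2ReadOnlyAccess untouched.
resource "aws_iam_role_policy_attachment" "test-attach" {
    role       = "${aws_iam_role.role.name}"
    policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}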

How to list the ARNs of the AWS managed IAM policies

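# List the ARNs of AWS managed policies only. --scope AWS restricts the output
# to policies owned by AWS; the default scope (All) would also return customer
# managed policies defined in this account.
aws iam list-policies --scope AWS --query "Policies[][Arn]" --output text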

arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess
arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceFullAccess
arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role
arn:aws:iam::aws:policy/service-role/AWSQuickSightListIAM
arn:aws:iam::aws:policy/AmazonRDSFullAccess
arn:aws:iam::aws:policy/AmazonEC2FullAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnlyAccess
arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
arn:aws:iam::aws:policy/AWSCodeCommitPowerUser
arn:aws:iam::aws:policy/AWSCodeCommitFullAccess
arn:aws:iam::aws:policy/AmazonSQSFullAccess
arn:aws:iam::aws:policy/AWSLambdaFullAccess
arn:aws:iam::aws:policy/service-role/AWSIoTLogging
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
arn:aws:iam::aws:policy/service-role/AWSCloudHSMRole
arn:aws:iam::aws:policy/IAMFullAccess
arn:aws:iam::aws:policy/AmazonInspectorFullAccess
arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy
arn:aws:iam::aws:policy/AWSMobileHub_ReadOnly
arn:aws:iam::aws:policy/service-role/CloudWatchEventsBuiltInTargetExecutionAccess
arn:aws:iam::aws:policy/AWSOpsWorksFullAccess
arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess
arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
arn:aws:iam::aws:policy/AmazonRoute53DomainsReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSOpsWorksRole
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
arn:aws:iam::aws:policy/SimpleWorkflowFullAccess
arn:aws:iam::aws:policy/AmazonS3FullAccess
arn:aws:iam::aws:policy/AWSStorageGatewayReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role
arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
arn:aws:iam::aws:policy/AmazonElasticMapReduceReadOnlyAccess
arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess
arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess
arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess
arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
arn:aws:iam::aws:policy/AmazonMobileAnalyticsFullAccess
arn:aws:iam::aws:policy/AWSMobileHub_FullAccess
arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
arn:aws:iam::aws:policy/service-role/AWSDataPipelineRole
arn:aws:iam::aws:policy/CloudWatchFullAccess
arn:aws:iam::aws:policy/ServiceCatalogAdminFullAccess
arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess
arn:aws:iam::aws:policy/AWSCodePipelineReadOnlyAccess
arn:aws:iam::aws:policy/ReadOnlyAccess
arn:aws:iam::aws:policy/AmazonMachineLearningBatchPredictionsAccess
arn:aws:iam::aws:policy/AWSCodeDeployReadOnlyAccess
arn:aws:iam::aws:policy/CloudSearchFullAccess
arn:aws:iam::aws:policy/AWSCloudHSMFullAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetRole
arn:aws:iam::aws:policy/AmazonElasticTranscoderJobsSubmitter
arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess
arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess
arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole
arn:aws:iam::aws:policy/AmazonMechanicalTurkReadOnly
arn:aws:iam::aws:policy/AmazonKinesisReadOnlyAccess
arn:aws:iam::aws:policy/AWSCodeDeployFullAccess
arn:aws:iam::aws:policy/CloudWatchActionsEC2Access
arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole
arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess
arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess
arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess
arn:aws:iam::aws:policy/CloudFrontFullAccess
arn:aws:iam::aws:policy/service-role/AmazonMachineLearningRoleforRedshiftDataSource
arn:aws:iam::aws:policy/AmazonMobileAnalyticsNon-financialReportAccess
arn:aws:iam::aws:policy/AWSCloudTrailFullAccess
arn:aws:iam::aws:policy/AmazonCognitoDeveloperAuthenticatedIdentities
arn:aws:iam::aws:policy/service-role/AWSConfigRole
arn:aws:iam::aws:policy/AmazonRedshiftFullAccess
arn:aws:iam::aws:policy/AmazonZocaloReadOnlyAccess
arn:aws:iam::aws:policy/AWSCloudHSMReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess
arn:aws:iam::aws:policy/AmazonEC2ReportsAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole
arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
arn:aws:iam::aws:policy/AmazonSQSReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSMobileHub_ServiceUseOnly
arn:aws:iam::aws:policy/AmazonKinesisFullAccess
arn:aws:iam::aws:policy/AmazonMachineLearningReadOnlyAccess
arn:aws:iam::aws:policy/service-role/RDSCloudHsmAuthorizationRole
arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess
arn:aws:iam::aws:policy/AdministratorAccess
arn:aws:iam::aws:policy/AmazonMachineLearningRealTimePredictionOnlyAccess
arn:aws:iam::aws:policy/AWSConfigUserAccess
arn:aws:iam::aws:policy/AWSIoTConfigAccess
arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess
arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess
arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess
arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin
arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
arn:aws:iam::aws:policy/AmazonSESFullAccess
arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess
arn:aws:iam::aws:policy/AmazonKinesisFirehoseReadOnlyAccess
arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI
arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline
arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole
arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator
arn:aws:iam::aws:policy/ServiceCatalogEndUserAccess
arn:aws:iam::aws:policy/AmazonMobileAnalyticsWriteOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess
arn:aws:iam::aws:policy/AWSConnector
arn:aws:iam::aws:policy/ServiceCatalogAdminReadOnlyAccess
arn:aws:iam::aws:policy/AmazonSSMFullAccess
arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
arn:aws:iam::aws:policy/AmazonCognitoReadOnly
arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole
arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess
arn:aws:iam::aws:policy/AmazonVPCFullAccess
arn:aws:iam::aws:policy/AWSImportExportFullAccess
arn:aws:iam::aws:policy/AmazonMechanicalTurkFullAccess
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
arn:aws:iam::aws:policy/AmazonMachineLearningCreateOnlyAccess
arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
arn:aws:iam::aws:policy/AWSLambdaExecute
arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions
arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRedshift
arn:aws:iam::aws:policy/service-role/VMImportExportRoleForAWSConnector
arn:aws:iam::aws:policy/AWSCodePipelineCustomActionAccess
arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration
arn:aws:iam::aws:policy/AWSStorageGatewayFullAccess
arn:aws:iam::aws:policy/AmazonElasticTranscoderReadOnlyAccess
arn:aws:iam::aws:policy/AWSIoTConfigReadOnlyAccess
arn:aws:iam::aws:policy/AmazonWorkMailReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole
arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess
arn:aws:iam::aws:policy/ServiceCatalogEndUserFullAccess
arn:aws:iam::aws:policy/AmazonMachineLearningManageRealTimeEndpointOnlyAccess
arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess
arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonSNSRole
arn:aws:iam::aws:policy/AmazonMobileAnalyticsFinancialReportAccess
arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService
arn:aws:iam::aws:policy/IAMReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess
arn:aws:iam::aws:policy/AmazonCognitoPowerUser
arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess
arn:aws:iam::aws:policy/AmazonZocaloFullAccess
arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess
arn:aws:iam::aws:policy/AWSAccountUsageReportAccess
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
arn:aws:iam::aws:policy/AmazonAppStreamFullAccess
arn:aws:iam::aws:policy/AWSIoTDataAccess
arn:aws:iam::aws:policy/AmazonESFullAccess
arn:aws:iam::aws:policy/AWSWAFFullAccess
arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess
arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess
arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
arn:aws:iam::aws:policy/AWSImportExportReadOnlyAccess
arn:aws:iam::aws:policy/service-role/AmazonElasticTranscoderRole
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
arn:aws:iam::aws:policy/AWSDeviceFarmFullAccess
arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess
arn:aws:iam::aws:policy/AWSMarketplaceRead-only
arn:aws:iam::aws:policy/AWSCodePipelineFullAccess
arn:aws:iam::aws:policy/AmazonWorkSpacesApplicationManagerAdminAccess
arn:aws:iam::aws:policy/AmazonDRSVPCManagement
arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
arn:aws:iam::aws:policy/AWSDirectConnectFullAccess
arn:aws:iam::aws:policy/AWSAccountActivityAccess
arn:aws:iam::aws:policy/AmazonGlacierFullAccess
arn:aws:iam::aws:policy/AmazonWorkMailFullAccess
arn:aws:iam::aws:policy/AWSMarketplaceManageSubscriptions
arn:aws:iam::aws:policy/AWSSupportAccess
arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB
arn:aws:iam::aws:policy/IAMUserSSHKeys
arn:aws:iam::aws:policy/AWSIoTFullAccess
arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRDS
arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole
arn:aws:iam::aws:policy/AmazonESReadOnlyAccess
arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess
arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
arn:aws:iam::aws:policy/AWSDataPipelinePowerUser
arn:aws:iam::aws:policy/AmazonSNSFullAccess
arn:aws:iam::aws:policy/CloudSearchReadOnlyAccess
arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
arn:aws:iam::aws:policy/AmazonRoute53FullAccess
arn:aws:iam::aws:policy/service-role/AWSLambdaRole
arn:aws:iam::aws:policy/AmazonAppStreamReadOnlyAccess
arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess
arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
arn:aws:iam::aws:policy/PowerUserAccess
arn:aws:iam::aws:policy/CloudWatchEventsFullAccess
arn:aws:iam::aws:policy/AWSDataPipelineFullAccess
