From 40590a3a13f5c3d94348aa3f001c2cb16c5e380a Mon Sep 17 00:00:00 2001 From: Viacheslav Artamonov Date: Mon, 29 May 2023 14:11:48 +0300 Subject: [PATCH 1/6] Add direct policy attachment to IAM user --- modules/iam-user/README.md | 2 ++ modules/iam-user/main.tf | 7 +++++++ modules/iam-user/outputs.tf | 5 +++++ modules/iam-user/variables.tf | 6 ++++++ 4 files changed, 20 insertions(+) diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md index bbb492bf..3e8fc2e1 100644 --- a/modules/iam-user/README.md +++ b/modules/iam-user/README.md @@ -67,6 +67,7 @@ No modules. | [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | | [upload\_iam\_user\_ssh\_key](#input\_upload\_iam\_user\_ssh\_key) | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no | +| [custom_iam_policy_arns](#input\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | ## Outputs @@ -94,4 +95,5 @@ No modules. | [keybase\_ses\_smtp\_password\_v4\_decrypt\_command](#output\_keybase\_ses\_smtp\_password\_v4\_decrypt\_command) | Decrypt SES SMTP password command | | [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | +| [custom_iam_policy_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf index 8768da99..12ba6d3f 100644 --- a/modules/iam-user/main.tf +++ b/modules/iam-user/main.tf 
@@ -45,3 +45,10 @@ resource "aws_iam_user_ssh_key" "this" {
 encoding = var.ssh_key_encoding
 public_key = var.ssh_public_key
 }
+
+resource "aws_iam_user_policy_attachment" "this" {
+ for_each = toset(var.custom_iam_policy_arns)
+
+ user = aws_iam_user.this[0].name
+ policy_arn = each.value
+}
diff --git a/modules/iam-user/outputs.tf b/modules/iam-user/outputs.tf
index 98dadef0..dd3fb940 100644
--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
@@ -149,3 +149,8 @@ output "iam_user_ssh_key_fingerprint" {
 description = "The MD5 message digest of the SSH public key"
 value = try(aws_iam_user_ssh_key.this[0].fingerprint, "")
 }
+
+output "custom_iam_policy_arns" {
+ description = "The list of ARNs of policies directly assigned to the IAM user"
+ value = var.custom_iam_policy_arns
+}
diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf
index 58d58448..ad80058a 100644
--- a/modules/iam-user/variables.tf
+++ b/modules/iam-user/variables.tf
@@ -81,6 +81,12 @@ variable "permissions_boundary" {
 default = ""
 }
 
+variable "custom_iam_policy_arns" {
+ description = "The list of ARNs of policies directly assigned to the IAM user"
+ type = list(string)
+ default = []
+}
+
 variable "tags" {
 description = "A map of tags to add to all resources."
 type = map(string)
From e3fa755b0121e1ff6094292b16d5b4f3040e5d64 Mon Sep 17 00:00:00 2001
From: Viacheslav Artamonov
Date: Mon, 29 May 2023 16:43:21 +0300
Subject: [PATCH 2/6] changes after linting
---
 examples/iam-user/README.md | 1 +
 examples/iam-user/main.tf | 18 ++++++++++++++++++
 examples/iam-user/outputs.tf | 5 +++++
 modules/iam-user/README.md | 5 +++--
 4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
index c56406b4..0298b686 100644
--- a/examples/iam-user/README.md
+++ b/examples/iam-user/README.md
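Review bot: `for_each = toset(var.custom_iam_policy_arns)` uses the ARN strings themselves as instance keys, so a caller that passes the ARN of a policy created in the same configuration hits Terraform's plan-time error about for_each values that cannot be determined until apply; the example added in PATCH 2 only avoids this because it reads the ARN from a data source. Keying by position instead, `for_each = { for k, v in var.custom_iam_policy_arns : k => v if var.create_user }`, keeps the keys known at plan time and, through the `if var.create_user` filter, also covers the `create_user = false` case that PATCH 4 and PATCH 5 later handle with a conditional on this same line. The cost is that reordering the list detaches and re-attaches the affected policies on the next apply, which is worth a one-line comment above the resource.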
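Review bot: The description `The list of ARNs of policies directly assigned to the IAM user` does not say what kind of policy is accepted or how the input interacts with the user's other settings; since the attachment is an `aws_iam_user_policy_attachment`, these must be managed-policy ARNs (inline policies are not covered), and a `permissions_boundary` set on the same user still caps what they grant. I would expand it to `Managed policy ARNs to attach directly to the user. A permissions_boundary, if set, still limits the effective permissions; AWS recommends attaching policies to groups or roles rather than individual users where possible.` The same wording carries over to the renamed `policy_arns` variable in PATCH 5.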
@@ -34,6 +34,7 @@ No providers. | [iam\_user](#module\_iam\_user) | ../../modules/iam-user | n/a | | [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a | | [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a | +| [iam\_user3](#module\_iam\_user4) | ../../modules/iam-user | n/a | ## Resources diff --git a/examples/iam-user/main.tf b/examples/iam-user/main.tf index 78ec44c7..855ccc63 100644 --- a/examples/iam-user/main.tf +++ b/examples/iam-user/main.tf @@ -46,3 +46,21 @@ module "iam_user3" { create_iam_access_key = true iam_access_key_status = "Inactive" } + +################################################################### +# IAM user with AmazonSNSReadOnlyAccess policy assigned +################################################################### + +data "aws_iam_policy" "example" { + name = "AmazonS3ReadOnlyAccess" +} + +module "iam_user4" { + source = "../../modules/iam-user" + + name = "vasya.pupkin6" + + create_iam_user_login_profile = false + create_iam_access_key = true + custom_iam_policy_arns = [data.aws_iam_policy.example.arn] +} diff --git a/examples/iam-user/outputs.tf b/examples/iam-user/outputs.tf index 72975c1d..6e5a6103 100644 --- a/examples/iam-user/outputs.tf +++ b/examples/iam-user/outputs.tf @@ -85,3 +85,8 @@ output "keybase_secret_key_pgp_message" { description = "Encrypted access secret key" value = module.iam_user.keybase_secret_key_pgp_message } + +output "custom_iam_policy_arns" { + description = "The list of ARNs of policies directly assigned to the IAM user" + value = module.iam_user.custom_iam_policy_arns +} diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md index 3e8fc2e1..398e561b 100644 --- a/modules/iam-user/README.md +++ b/modules/iam-user/README.md 
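Review bot: `data "aws_iam_policy" "example"` looks the policy up by `name` only, which searches customer-managed policies as well as the AWS-managed set, so the example depends on no policy in the account sharing that name and fails with an ambiguity error if one does. Looking it up by `arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"` pins the AWS-managed policy unambiguously and documents which policy the example grants.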
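Review bot: `value = module.iam_user.custom_iam_policy_arns` reads the output from `module.iam_user`, but as far as the hunks show only `module.iam_user4` is given `custom_iam_policy_arns`, so this example output will always be an empty list. The same module reference survives the two later edits to this output in PATCH 4 and PATCH 5, so the final state still needs `value = module.iam_user4.policy_arns`. If the intent really is to show the default for `iam_user`, the description should say so, otherwise readers will take the empty list for a bug.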
@@ -46,6 +46,7 @@ No modules. | [aws_iam_access_key.this_no_pgp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | | [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | | [aws_iam_user_login_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource | +| [aws_iam_user_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource | | [aws_iam_user_ssh_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key) | resource | ## Inputs @@ -55,6 +56,7 @@ No modules. | [create\_iam\_access\_key](#input\_create\_iam\_access\_key) | Whether to create IAM access key | `bool` | `true` | no | | [create\_iam\_user\_login\_profile](#input\_create\_iam\_user\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no | | [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no | +| [custom\_iam\_policy\_arns](#input\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | | [force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no | | [iam\_access\_key\_status](#input\_iam\_access\_key\_status) | Access key status to apply. | `string` | `null` | no | | [name](#input\_name) | Desired name for the IAM user | `string` | n/a | yes | 
@@ -67,12 +69,12 @@ No modules. | [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | | [upload\_iam\_user\_ssh\_key](#input\_upload\_iam\_user\_ssh\_key) | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no | -| [custom_iam_policy_arns](#input\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | ## Outputs | Name | Description | |------|-------------| +| [custom\_iam\_policy\_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | | [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded | | [iam\_access\_key\_encrypted\_ses\_smtp\_password\_v4](#output\_iam\_access\_key\_encrypted\_ses\_smtp\_password\_v4) | The encrypted secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm | | [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID | @@ -95,5 +97,4 @@ No modules. | [keybase\_ses\_smtp\_password\_v4\_decrypt\_command](#output\_keybase\_ses\_smtp\_password\_v4\_decrypt\_command) | Decrypt SES SMTP password command | | [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | -| [custom_iam_policy_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | From 2bd01938384a3366c13bba322225af29dcf7880a Mon Sep 17 00:00:00 2001 
From: Viacheslav Artamonov Date: Fri, 14 Jul 2023 18:27:01 +0300 Subject: [PATCH 3/6] Commit difference --- examples/iam-user/README.md | 11 ++++++++--- wrappers/iam-user/main.tf | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md index 0298b686..23118bc6 100644 --- a/examples/iam-user/README.md +++ b/examples/iam-user/README.md @@ -25,7 +25,9 @@ Run `terraform destroy` when you don't need these resources. ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | ## Modules @@ -34,11 +36,13 @@ No providers. | [iam\_user](#module\_iam\_user) | ../../modules/iam-user | n/a | | [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a | | [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a | -| [iam\_user3](#module\_iam\_user4) | ../../modules/iam-user | n/a | +| [iam\_user4](#module\_iam\_user4) | ../../modules/iam-user | n/a | ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_iam_policy.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | ## Inputs @@ -48,6 +52,7 @@ No inputs. | Name | Description | |------|-------------| +| [custom\_iam\_policy\_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | | [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded | | [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID | | [iam\_access\_key\_key\_fingerprint](#output\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret | diff --git a/wrappers/iam-user/main.tf b/wrappers/iam-user/main.tf index 533ea375..97b42b96 100644 --- a/wrappers/iam-user/main.tf +++ b/wrappers/iam-user/main.tf 
@@ -17,5 +17,6 @@ module "wrapper" { ssh_key_encoding = try(each.value.ssh_key_encoding, var.defaults.ssh_key_encoding, "SSH") ssh_public_key = try(each.value.ssh_public_key, var.defaults.ssh_public_key, "") permissions_boundary = try(each.value.permissions_boundary, var.defaults.permissions_boundary, "") + custom_iam_policy_arns = try(each.value.custom_iam_policy_arns, var.defaults.custom_iam_policy_arns, []) tags = try(each.value.tags, var.defaults.tags, {}) } From 78a224a5a385102f56e960ca745e35cc94d7b283 Mon Sep 17 00:00:00 2001 From: Viacheslav Artamonov Date: Wed, 19 Jul 2023 10:58:18 +0300 Subject: [PATCH 4/6] fix outputs and conditions --- examples/iam-user/outputs.tf | 2 +- modules/iam-user/README.md | 2 +- modules/iam-user/main.tf | 2 +- modules/iam-user/outputs.tf | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/iam-user/outputs.tf b/examples/iam-user/outputs.tf index 6e5a6103..035d8629 100644 --- a/examples/iam-user/outputs.tf +++ b/examples/iam-user/outputs.tf @@ -88,5 +88,5 @@ output "keybase_secret_key_pgp_message" { output "custom_iam_policy_arns" { description = "The list of ARNs of policies directly assigned to the IAM user" - value = module.iam_user.custom_iam_policy_arns + value = module.iam_user.policy_arns } diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md index 398e561b..489a6697 100644 --- a/modules/iam-user/README.md +++ b/modules/iam-user/README.md 
@@ -74,7 +74,6 @@ No modules. | Name | Description | |------|-------------| -| [custom\_iam\_policy\_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | | [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded | | [iam\_access\_key\_encrypted\_ses\_smtp\_password\_v4](#output\_iam\_access\_key\_encrypted\_ses\_smtp\_password\_v4) | The encrypted secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm | | [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID | @@ -97,4 +96,5 @@ No modules. | [keybase\_ses\_smtp\_password\_v4\_decrypt\_command](#output\_keybase\_ses\_smtp\_password\_v4\_decrypt\_command) | Decrypt SES SMTP password command | | [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | +| [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf index 12ba6d3f..3feb3d02 100644 --- a/modules/iam-user/main.tf +++ b/modules/iam-user/main.tf @@ -47,7 +47,7 @@ resource "aws_iam_user_ssh_key" "this" { } resource "aws_iam_user_policy_attachment" "this" { - for_each = toset(var.custom_iam_policy_arns) + for_each = var.create_user ? toset(var.custom_iam_policy_arns) : [] user = aws_iam_user.this[0].name policy_arn = each.value diff --git a/modules/iam-user/outputs.tf b/modules/iam-user/outputs.tf index dd3fb940..021443b6 100644 --- a/modules/iam-user/outputs.tf +++ b/modules/iam-user/outputs.tf 
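Review bot: The new `for_each = var.create_user ? toset(var.custom_iam_policy_arns) : []` puts a `set(string)` and an empty tuple in the two branches; I believe current Terraform unifies them, but `toset([])` makes the false branch's type explicit and avoids relying on conditional type unification, which has varied across Terraform versions. The instances are still keyed by ARN, so the plan-time-unknown ARN limitation raised on the PATCH 1 hunk still applies here and to the renamed line in PATCH 5.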
@@ -150,7 +150,7 @@ output "iam_user_ssh_key_fingerprint" { value = try(aws_iam_user_ssh_key.this[0].fingerprint, "") } -output "custom_iam_policy_arns" { +output "policy_arns" { description = "The list of ARNs of policies directly assigned to the IAM user" - value = var.custom_iam_policy_arns + value = [for policy_attachment in aws_iam_user_policy_attachment.this : policy_attachment.policy_arn] } From fef2359c8ebdc4c1edff03473e3600ed99d3e5e7 Mon Sep 17 00:00:00 2001 From: Viacheslav Artamonov Date: Wed, 19 Jul 2023 12:51:24 +0300 Subject: [PATCH 5/6] Change custom to policy_arn everywhere --- examples/iam-user/README.md | 2 +- examples/iam-user/main.tf | 2 +- examples/iam-user/outputs.tf | 2 +- modules/iam-user/README.md | 2 +- modules/iam-user/main.tf | 2 +- modules/iam-user/variables.tf | 2 +- wrappers/iam-user/main.tf | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md index 23118bc6..6ee8b258 100644 --- a/examples/iam-user/README.md +++ b/examples/iam-user/README.md @@ -52,7 +52,6 @@ No inputs. | Name | Description | |------|-------------| -| [custom\_iam\_policy\_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | | [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded | | [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID | | [iam\_access\_key\_key\_fingerprint](#output\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret | 
@@ -70,4 +69,5 @@ No inputs. | [keybase\_secret\_key\_decrypt\_command](#output\_keybase\_secret\_key\_decrypt\_command) | Decrypt access secret key command | | [keybase\_secret\_key\_pgp\_message](#output\_keybase\_secret\_key\_pgp\_message) | Encrypted access secret key | | [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) | +| [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | diff --git a/examples/iam-user/main.tf b/examples/iam-user/main.tf index 855ccc63..7cabb52c 100644 --- a/examples/iam-user/main.tf +++ b/examples/iam-user/main.tf @@ -62,5 +62,5 @@ module "iam_user4" { create_iam_user_login_profile = false create_iam_access_key = true - custom_iam_policy_arns = [data.aws_iam_policy.example.arn] + policy_arns = [data.aws_iam_policy.example.arn] } diff --git a/examples/iam-user/outputs.tf b/examples/iam-user/outputs.tf index 035d8629..0adaf17a 100644 --- a/examples/iam-user/outputs.tf +++ b/examples/iam-user/outputs.tf @@ -86,7 +86,7 @@ output "keybase_secret_key_pgp_message" { value = module.iam_user.keybase_secret_key_pgp_message } -output "custom_iam_policy_arns" { +output "policy_arns" { description = "The list of ARNs of policies directly assigned to the IAM user" value = module.iam_user.policy_arns } diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md index 489a6697..f3631573 100644 --- a/modules/iam-user/README.md +++ b/modules/iam-user/README.md 
@@ -56,7 +56,6 @@ No modules. | [create\_iam\_access\_key](#input\_create\_iam\_access\_key) | Whether to create IAM access key | `bool` | `true` | no | | [create\_iam\_user\_login\_profile](#input\_create\_iam\_user\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no | | [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no | -| [custom\_iam\_policy\_arns](#input\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | | [force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no | | [iam\_access\_key\_status](#input\_iam\_access\_key\_status) | Access key status to apply. | `string` | `null` | no | | [name](#input\_name) | Desired name for the IAM user | `string` | n/a | yes | 
@@ -65,6 +64,7 @@ No modules. | [path](#input\_path) | Desired path for the IAM user | `string` | `"/"` | no | | [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the user. | `string` | `""` | no | | [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. | `string` | `""` | no | +| [policy\_arns](#input\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no | | [ssh\_key\_encoding](#input\_ssh\_key\_encoding) | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no | | [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf index 3feb3d02..c8e77d47 100644 --- a/modules/iam-user/main.tf +++ b/modules/iam-user/main.tf @@ -47,7 +47,7 @@ resource "aws_iam_user_ssh_key" "this" { } resource "aws_iam_user_policy_attachment" "this" { - for_each = var.create_user ? toset(var.custom_iam_policy_arns) : [] + for_each = var.create_user ? toset(var.policy_arns) : [] user = aws_iam_user.this[0].name policy_arn = each.value diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf index ad80058a..9b08836d 100644 --- a/modules/iam-user/variables.tf +++ b/modules/iam-user/variables.tf @@ -81,7 +81,7 @@ variable "permissions_boundary" { default = "" } -variable "custom_iam_policy_arns" { +variable "policy_arns" { description = "The list of ARNs of policies directly assigned to the IAM user" type = list(string) default = [] 
diff --git a/wrappers/iam-user/main.tf b/wrappers/iam-user/main.tf
index 97b42b96..dc7e7669 100644
--- a/wrappers/iam-user/main.tf
+++ b/wrappers/iam-user/main.tf
@@ -17,6 +17,6 @@ module "wrapper" {
 ssh_key_encoding = try(each.value.ssh_key_encoding, var.defaults.ssh_key_encoding, "SSH")
 ssh_public_key = try(each.value.ssh_public_key, var.defaults.ssh_public_key, "")
 permissions_boundary = try(each.value.permissions_boundary, var.defaults.permissions_boundary, "")
- custom_iam_policy_arns = try(each.value.custom_iam_policy_arns, var.defaults.custom_iam_policy_arns, [])
+ policy_arns = try(each.value.policy_arns, var.defaults.policy_arns, [])
 tags = try(each.value.tags, var.defaults.tags, {})
 }
From b284ec6f13e8d4da1ab6d8241c06d3bd0bbf9d73 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Wed, 19 Jul 2023 12:12:33 +0200
Subject: [PATCH 6/6] Update examples/iam-user/main.tf
---
 examples/iam-user/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/iam-user/main.tf b/examples/iam-user/main.tf
index 7cabb52c..53094831 100644
--- a/examples/iam-user/main.tf
+++ b/examples/iam-user/main.tf
@@ -48,7 +48,7 @@ module "iam_user3" {
 }
 
 ###################################################################
-# IAM user with AmazonSNSReadOnlyAccess policy assigned
+# IAM user with IAM policy attached
 ###################################################################
 
 data "aws_iam_policy" "example" {