IAM Role

The following argument is required:

• assume_role_policy - (Required) Policy that grants an entity permission to assume the role.

NOTE:

The assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws_iam_policy resource. However, it can use an aws_iam_policy_document data source. See the example above of how this works.

The following arguments are optional:

• description - (Optional) Description of the role.
• force_detach_policies - (Optional) Whether to force detaching any policies the role has before destroying it. Defaults to false.
• inline_policy - (Optional) Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Terraform will not manage any inline policies in this resource. Configuring one empty block (i.e., inline_policy {}) will cause Terraform to remove all inline policies added out of band on apply.
• managed_policy_arns - (Optional) Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. Configuring an empty set (i.e., managed_policy_arns = []) will cause Terraform to remove all managed policy attachments.
• max_session_duration - (Optional) Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
• name - (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
• name_prefix - (Optional, Forces new resource) Creates a unique friendly name beginning with the specified prefix. Conflicts with name.
• path - (Optional) Path to the role. See IAM Identifiers for more information.
• permissions_boundary - (Optional) ARN of the policy that is used to set the permissions boundary for the role.
• tags - Key-value mapping of tags for the IAM role. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

inline_policy

This configuration block supports the following:

NOTE:

Since one empty block (i.e., inline_policy {}) is valid syntactically to remove out of band policies on apply, name and policy are technically optional. However, they are both required in order to manage actual inline policies. Not including one or the other may not result in Terraform errors but will result in unpredictable and incorrect behavior.

• name - (Required) Name of the role policy.
• policy - (Required) Policy document as a JSON formatted string. For more information about building IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.

‍