I'm working on importing kms into terraform, I have imported these resources, but when i try to run a terraform plan its rearranging the arn's and hence the last arn has a comma. Thus my terraform apply is failing.
Is there anyway I can avoid this rearranging? I think in this case i should be using a data block instead of adding the policy directly. But i'm not sure how to pass the data block ..
Looks like i can't use a data block, Is there any way i can to avoid the rearranging on arn in Principal block?
I'm using terraform 0.12.20
policy.json.tpl
{
"Version": "2012-10-17",
"Id": "key-policy-1",
"Statement": [{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": ${allowed_resources}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": ${allowed_resources}
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
main.tf
resource "aws_kms_key" "key" {
description = ""
tags = local.common_tags
policy = templatefile("${path.module}/policy.json.tpl", {
allowed_resources = var.allowed_resources
})
}
variables.tf
variable "allowed_resources" {
description = "list of all principal resources"
type = list(string)
default = [
"arn:aws:iam::xxxxxxxxxxxx:user/a",
"arn:aws:iam::xxxxxxxxxxxxx:user/b",
"arn:aws:iam::xxxxxxxxxx:user/c",
"arn:aws:iam::xxxxxxxxxx:role/abc
]
}
Error
10:53:19 Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
10:53:19
10:53:19 on main.tf line 8, in resource "kms_key" "key":
10:53:19 8: resource "aws_kms_key" "key" {
Terraform plan:
Terraform will perform the following actions:
# aws_kms_key.amp_key will be updated in-place
~ resource "aws_kms_key" "amp_key" {
arn = "arn:aws:kms:us-east-1:xxxx:key/xxx-xxx-xxx-xx-xxxxxxxx"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = false
id = "xxx-xxx-xxx-xx-xxxxxxxx"
is_enabled = true
key_id = "xxx-xxx-xxx-xx-xxxxxxxx"
key_usage = "ENCRYPT_DECRYPT"
~ policy = jsonencode(
~ {
Id = "key-policy-1"
~ Statement = [
{
Action = "kms:*"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::xxxxxxxx:root"
}
Resource = "*"
Sid = "Enable IAM User Permissions"
},
~ {
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
]
Effect = "Allow"
~ Principal = {
~ AWS = [
+ "arn:aws:iam::xxxxxx:user/c",
+ "arn:aws:iam::xxxxxx:user/a",
- "arn:aws:iam::xxxxxx:role/abc",
- "arn:aws:iam::xxxxxx:user/a",
- "arn:aws:iam::xxxxxx:user/c",
"arn:aws:iam::xxxxxx:user/b",
+ "arn:aws:iam::xxxxxx:role/abc",
]
}
]
Version = "2012-10-17"
}
)
When i tried to use data block
data "template_file" "temp_file" {
template = "${file("${path.module}/amp_key_policy.json.tpl")}"
vars = {
allowed_resources = "${var.allowed_resources}" //tried without quotes
}
}
resource "aws_kms_key" "amp_key" {
description = ""
tags = local.common_tags
policy = data.template_file.temp_file.rendered
}
Error: Incorrect attribute value type
on main.tf line 10, in data "template_file" "temp_file":
10: vars = {
11: allowed_resources = "${var.allowed_resources}"
12: }
Inappropriate value for attribute "vars": element "allowed_resources": string
required.
Updated:
i tried using aws_iam_policy_document.
data "aws_iam_policy_document" "amp_key_doc" {
for_each = toset(var.allowed_resources)
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::xxxxx:root"]
type = "AWS"
}
actions = ["kms:*"]
resources = ["*"]
}
statement {
sid = "Allow access for Key Administrators"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::xxxx:user/a"]
type = "AWS"
}
actions = [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"]
resources = ["*"]
}
statement {
sid = "Allow use of the key"
effect = "Allow"
principals {
identifiers = [var.allowed_resources]
type = "AWS"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = ["*"]
}
statement {
sid = "Allow attachment of persistent resources"
effect = "Allow"
principals {
identifiers = [var.allowed_resources]
type = "AWS"
}
actions = [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
]
resources = ["*"]
condition {
test = "Bool"
values = ["true"]
variable = "kms:GrantIsForAWSResource"
}
}
}
resource "aws_kms_key" "key" {
description = ""
tags = local.common_tags
policy = data.aws_iam_policy_document.key_doc.json
Got an error , How do we pass the entire chunk of allowed_resources?
Error: Incorrect attribute value type
on data.tf line 43, in data "aws_iam_policy_document" "key_doc":
43: identifiers = [var.allowed_resources]
Inappropriate value for attribute "identifiers": element 0: string required.
Error: Incorrect attribute value type
on data.tf line 60, in data "aws_iam_policy_document" "key_doc":
60: identifiers = [var.allowed_resources]
Inappropriate value for attribute "identifiers": element 0: string required.
The error comes down to values of vars only supporting primitive types as stated in the documentation
Variables for interpolation within the template. Note that variables must all be primitives. Direct references to lists or maps will cause a validation error.
If you create your policy as a iam_policy_document you can use the json attribute of the resource to pass into your aws_kms_key resource.
Related
I want to create a resource policy for a Secrets Manager secret.
I am following the official example on the docs
resource "aws_secretsmanager_secret_policy" "this" {
count = var.create_resource_policy ? 1 : 0
secret_arn = aws_secretsmanager_secret.mysecret.arn
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAnotherAWSAccountToReadTheSecret",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
POLICY
}
Is there a way to pass the following as variables in the policy document things as the principal(s), the action the resources etc?
I want to be able to pass those things as terraform variables.
Yes, you can use the built-in functions in terraform for that with interpolation syntax. For example, if you had a data source to get the account ID, you could do the following:
data "aws_caller_identity" "current" {}
resource "aws_secretsmanager_secret_policy" "this" {
count = var.create_resource_policy ? 1 : 0
secret_arn = aws_secretsmanager_secret.mysecret.arn
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAnotherAWSAccountToReadTheSecret",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.id}:root"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
POLICY
}
You could then do the same for any other property you want/need. However, I find it easier to use the built-in data source [1] for creating policies. So for example, the policy you have could be written in the following way:
data "aws_iam_policy_document" "secrets_manager_policy" {
statement {
sid = "EnableAnotherAWSAccountToReadTheSecret"
effect = "Allow"
principals {
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.id}:root"]
type = "AWS"
}
actions = [
"secretsmanager:GetSecretValue"
]
resources = ["*"]
}
}
You could then tell actions argument to use a variable which would most preferably be a list(string) which would list all the actions necessary:
data "aws_iam_policy_document" "secrets_manager_policy" {
statement {
sid = "EnableAnotherAWSAccountToReadTheSecret"
effect = "Allow"
principals {
identifiers = "arn:aws:iam::${data.aws_caller_identity.current.id}:root"
type = "AWS"
}
actions = var.secrets_actions
resources = [ "*" ]
}
}
Then, you would only have to reference the output of the data source in the original resource:
resource "aws_secretsmanager_secret_policy" "this" {
count = var.create_resource_policy ? 1 : 0
secret_arn = aws_secretsmanager_secret.mysecret.arn
policy = data.aws_iam_policy_document.secrets_manager_policy.json
}
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
I do have the default policy for the SQS like below. Referred the documentation - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy
And if there is sns-subscription required, I would like to append the policy on top of the default policy.
Default policy is like below
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage*"
],
"Resource": [
"${aws_sqs_queue.queue.arn}"
]
}
]
}
Additional policy like below
{
"Sid": "topic-subscription-arn-test",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:SendMessage",
"Resource": ["${aws_sqs_queue.queue.arn}"],
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn-test"
}
}
}
I just tried, but the policy getting override. Any thoughts how policy can be appended using Terraform? Thanks in advance.
Looking for somekind of thought for this approach? It may be more than 2 policies, so I am trying to append these policies.
I would strongly suggest using the aws_iam_policy_document data source [1] for building policies in Terraform instead of JSON. Since the SQS queue has an argument policy [2], the resource aws_sqs_queue_policy does not have to be used, but it can also be combined with the data source mentioned above. So there are two options:
Create a policy using data source and attach it by using the policy argument
Create a policy using data source and attach it to the aws_sqs_queue_policy
If you decide for the first option, here is how the code should look like:
data "aws_iam_policy_document" "sqs_policy" {
statement {
sid = "FirstSQSPolicy"
effect = "Allow"
actions = [
"sqs:SendMessage*"
]
resources = [
aws_sqs_queue.queue.arn
]
}
statement {
sid = "topic-subscription-arn-test"
effect = "Allow"
actions = [
"sqs:SendMessage"
]
resources = [
aws_sqs_queue.queue.arn
]
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = [
"arn-test"
]
}
}
}
resource "aws_sqs_queue" "terraform_queue" {
...
policy = data.aws_iam_policy_document.sqs_policy.json
}
For the second option, you can use the same data source and attach the JSON to the aws_sqs_queue_policy resource:
data "aws_iam_policy_document" "sqs_policy" {
statement {
sid = "FirstSQSPolicy"
effect = "Allow"
actions = [
"sqs:SendMessage*"
]
resources = [
aws_sqs_queue.queue.arn
]
}
statement {
sid = "topic-subscription-arn-test"
effect = "Allow"
actions = [
"sqs:SendMessage"
]
resources = [
aws_sqs_queue.queue.arn
]
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = [
"arn-test"
]
}
}
}
resource "aws_sqs_queue_policy" "sqs_queue_policy" {
queue_url = aws_sqs_queue.queue.id
policy = data.aws_iam_policy_document.sqs_policy.json
}
Using the data source for IAM policies you can add statements as you need them.
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
[2] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy
I am creating policy based on tags. The environment value differs for each resource, so I have to add them as multiple values. Unable to pass as list. Tried join,split and for loop. None of them works. Pls help. Below code just add the value as "beta,test" which will not work as expected
main.tf
locals{
workspaceValues = terraform.workspace == "dev" ? ["alpha", "dev"] : terraform.workspace == "test" ? ["beta", "test"] : ["prod", "staging"]
}
resource "aws_iam_group_policy" "inline_policy" {
name = "${terraform.workspace}_policy"
group = aws_iam_group.backend_admin.name
policy = templatefile("policy.tpl", { env = join(",", local.workspaceValues), region = "${data.aws_region.current.name}", account_id = "${data.aws_caller_identity.current.account_id}" })
}
policy.tpl:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"ForAllValues:StringLikeIfExists": {
"aws:ResourceTag/Environment": "${env}"
}
}
}
]
}
You can use jsonencode to properly format TF list as a list in json in your template:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"ForAllValues:StringLikeIfExists": {
"aws:ResourceTag/Environment": ${jsonencode(env)}
}
}
}
]
}
For that you would call the template as follows:
resource "aws_iam_group_policy" "inline_policy" {
name = "${terraform.workspace}_policy"
group = aws_iam_group.backend_admin.name
policy = templatefile("policy.tpl", {
env = local.workspaceValues
})
}
You are not using region nor account_id in your template, so there is no reason to pass them in.
An alternative solution to avoid this all together is to recreate the policy using the data component "aws_iam_policy_document" and then pass it to the aws_iam_policy resource like the following,
data "aws_iam_policy_document" "example" {
statement {
effect = "Allow"
actions = [
"ec2:*"
]
resources = [
"*"
]
condition {
test = "ForAllValues:StringLikeIfExists"
variable = "aws:ResourceTag/Environment"
values = local.workspaceValues
}
}
}
resource "aws_iam_policy" "example" {
name = "example_policy"
path = "/"
policy = data.aws_iam_policy_document.example.json
}
I want to create IAM Role and Policies automatically and attach policies to the role respectively:
variables.tf
variable "roles" {
type = map(object({
role_name = string
role_description = string
policies = map(object({ policy_name = string, policy_description = string }))
})
)}
terraform.tfvars
roles = {
"aws-config-role-1" = {
role_name = "aws-config-s3"
role_description = "Custom AWSConfig Service Role for the Recorder to record s3 only"
policies = {
"s3" = {
policy_name = "s3",
policy_description = "Custom policy for AWSConfigRecorder Service Role to allow record only S3 resources"
},
"policy" = {
policy_name = "policy",
policy_description = "Custom policy for AWSConfigRecorder Service Role"
}
}
policy_description = "S3 Policy to get list of all s3 buckets in the account"
}
"aws-config-role-2" = {
role_name = "aws-config-ebs"
role_description = "Custom AWSConfig Service Role for the Recorder to allow record only ec2 ebs resources"
policies = {
"ebs" = {
policy_name = "ebs",
policy_description = "Custom policy for AWSConfigRecorder Service Role to record ebs volumes"
}
}
policy_description = "EBS Policy to get list of all ec2 ebs volumes in the account"
}
}
Each role can have different amount of policies, in my example aws-config-role-1 has 2 policies(s3 and policy) and aws-config-role-2 has only 1 policy(ebs)
Now I need to use locals and flatten function so each role has a list of policies respectively
locals.tf
locals {
policies = flatten([
for role_key, role in var.roles : [
for policy_key, policy in role.policies : {
role_key = role_key
role_name = role.role_name
role_description = role.role_description
policy_key = policy_key
policy_name = policy.policy_name
policy_description = policy.policy_description
}
]
])
}
in terraform console:
> local.policies
[
{
"policy_description" = "Custom policy for AWSConfigRecorder Service Role"
"policy_key" = "policy"
"policy_name" = "policy"
"role_description" = "Custom AWSConfig Service Role for the Recorder to record s3 only"
"role_key" = "aws-config-role-1"
"role_name" = "aws-config-s3"
},
{
"policy_description" = "Custom policy for AWSConfigRecorder"
"policy_key" = "s3"
"policy_name" = "s3"
"role_description" = "Custom AWSConfig Role for s3"
"role_key" = "aws-config-role-1"
"role_name" = "aws-config-s3"
},
{
"policy_description" = "Custom policy for AWSConfigRecorder"
"policy_key" = "ebs"
"policy_name" = "ebs"
"role_description" = "Custom AWSConfig Role for ebs"
"role_key" = "aws-config-role-2"
"role_name" = "aws-config-ebs"
},
]
Creating roles and policies
roles.tf
resource "aws_iam_role" "this" {
for_each = var.roles
name = "${var.project}-${var.env}-${each.value["role_name"]}-role"
path = "/${var.project}/${var.module_name}/"
description = each.value["role_description"]
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "config.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
then I create policies
resource "aws_iam_policy" "this" {
for_each = {
for policy in local.policies : "${policy.role_key}.${policy.policy_name}" => policy
}
name = "${var.project}-${var.env}-${each.value.policy_name}-Policy"
policy = "data.aws_iam_policy_document.${each.value.policy_name}.json"
path = "/${var.project}/${var.module_name}/"
description = each.value.policy_description
}
and data.tf where all policies defined
data "aws_iam_policy_document" "s3" {
statement {
sid = "GetListS3"
effect = "Allow"
actions = [
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"s3:ListBucket"
]
resources = [
"arn:aws:s3:::*"
]
}
}
data "aws_iam_policy_document" "ebs" {
statement {
sid = "ListEBSVolumes"
effect = "Allow"
actions = [
"ec2:Describe*",
"ec2:GetEbsEncryptionByDefault"
]
resources = ["*"]
}
}
data "aws_iam_policy_document" "policy" {
statement {
sid = "Pol"
effect = "Allow"
actions = ["ec2:Describe*"]
resources = ["*"]
}
}
but when I run terraform plan
in aws_iam_policy.this policy field transformed into string instead of data value and I get an error
│ Error: "policy" contains an invalid JSON policy
│
│ with aws_iam_policy.this["aws-config-role-1.policy"],
│ on roles.tf line 31, in resource "aws_iam_policy" "this":
│ 31: policy = "data.aws_iam_policy_document.${each.value.policy_name}.json"
Basically if I look inside policy it contains string
policy =data.aws_iam_policy_document.s3.json insted of actual data
Is there a way around this? Please advice.
You can't dynamically create references to data sources in the following way:
policy = "data.aws_iam_policy_document.${each.value.policy_name}.json"
This will result in your policy being literal string, e.g. "data.aws_iam_policy_document.s3.json", not its outcome the way you may think it should work.
You have to fully refactor your design, probably using for_each with your aws_iam_policy_document and dynamic blocks.
I am trying to attach a list of policy ARN that I've been created as a map list. Please see below:
variables.tf:
variable "arns_map" { type = "map"
default = {
default = [
"default"
]
bakery = [
"arn:aws:iam::aws:policy/AmazonECS_FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonSNSFullAccess"
]
lambda = [
"arn:aws:iam::aws:policy/AWSLambdaFullAccess"
]
media-server = [
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess",
"arn:aws:iam::aws:policy/AmazonECS_FullAccess",
"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
]
recognition = [
"arn:aws:iam::aws:policy/AmazonESFullAccess",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonECS_FullAccess"
]
frontends = [
"arn:aws:iam::aws:policy/CloudFrontFullAccess"
]
elasticbeanstalk = [
"arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
]
docker = [
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
]
media = [
"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
] } }
My resources are these ones:
main.tf
resource "aws_iam_role" "tenant_roles" {
count = length(var.role_names)
name = element(var.role_names, count.index)
description = "Dedicated role for tenants"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "${var.kops_nodes_role_arn}"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
tags = {
Managedby = "terraform"
}
}
resource "aws_iam_role_policy_attachment" "tenant_policies" {
count = length(values(var.arns_map))
role = join(",", keys(var.arns_map))
# policy_arn = element(var.role_names, count.index)
policy_arn = join(",", values(var.arns_map))
depends_on = [
aws_iam_role.tenant_roles,
]
}
I am getting the following error:
Error: Invalid function argument
on ../../_platform_modules/roles/main.tf line 38, in resource "aws_iam_role_policy_attachment" "tenant_policies":
38: policy_arn = join(",", values(var.arns_map))
|----------------
| var.arns_map is map of list of string with 9 elements
Invalid value for "lists" parameter: incorrect list element type: string
required.
Error: Invalid function argument
on ../../_platform_modules/roles/main.tf line 38, in resource "aws_iam_role_policy_attachment" "tenant_policies":
38: policy_arn = join(",", values(var.arns_map))
|----------------
| var.arns_map is map of list of string with 9 elements
Invalid value for "lists" parameter: incorrect list element type: string
required.
I am using terraform 0.12.6 to manage AWS resources.
Any idea on how to do that?
Thanks in advance
That's because aws_iam_role_policy_attachment requires stringified arn's from aws_iam_policy resource as described in the example and you are trying to provide a list(string).
I have limited experience with AWS IAM and I'm not sure about role parameter, but looks like you want to iterate over map. Like this:
resource "aws_iam_role_policy_attachment" "tenant_policies" {
count = length(keys(var.arns_map))
role = element(keys(var.arns_map), count.index)
policy_arn = join(",", var.arns_map[element(keys(var.arns_maps), count.index))]
}
Also you can use local variables with it:
locals {
arns_keys = keys(var.arns_map)
arns_values = [for k in keys(var.arns_map) : join(",", var.arns_map[k])]
}
resource "aws_iam_role_policy_attachment" "tenant_policies" {
count = length(local.arns_keys)
role = join(",", local.arns_keys)
policy_arn = element(local.arns_values, count.index)
}