なんで悩んでいたのかわからない.
ロールにアタッチするポリシーのうち,
AWS管理ポリシーをアタッチする場合は data.aws_iam_policy
で対象のarnを指定する,
カスタム管理ポリシーをアタッチする場合は resource.aws_iam_policy
でポリシーを作成してarnを指定する.
アタッチはどちらも resource.aws_iam_policy_attachment
を利用すればよい.
dataとresourceをきちんと理解していなかった.反省.
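# IAM role that the EC2 service principal may assume
# (trust policy grants sts:AssumeRole to ec2.amazonaws.com).
resource "aws_iam_role" "terraform_sts_role" {
  name = "terraform-sts-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Customer-managed policy: bucket listing only, no object access.
# NOTE(review): "Resource": "*" is required by s3:ListAllMyBuckets, but
# s3:ListBucket could be narrowed to specific bucket ARNs in a separate
# statement if that is sufficient for the caller.
# NOTE(review): the HeadBucket API is authorized by s3:ListBucket; confirm
# that s3:HeadBucket is actually needed here.
resource "aws_iam_policy" "custom_s3_list_bucket" {
  name = "CustomS3ListBucket"
  path = "/"

  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:HeadBucket"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "VisualEditor0"
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}

# Attach the customer-managed policy to the role.
# aws_iam_role_policy_attachment manages exactly one role<->policy pair.
# The previous aws_iam_policy_attachment is exclusive: it claims every
# attachment of the policy and detaches it from any role/user/group not
# listed in this resource, so it can silently strip permissions managed
# elsewhere. For that reason the per-role resource is used instead.
resource "aws_iam_role_policy_attachment" "attach_custom_policy_to_sts_role" {
  role       = aws_iam_role.terraform_sts_role.name
  policy_arn = aws_iam_policy.custom_s3_list_bucket.arn
}

# AWS-managed policy: looked up with a data source (never created by us)
# and referenced by its ARN.
data "aws_iam_policy" "ec2_read_only_access" {
  arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}

# Attach the AWS-managed policy to the role. Using the per-role resource
# matters most for shared AWS-managed policies: an exclusive attachment
# would detach AmazonEC2ReadOnlyAccess from every other principal in the
# account that is not listed here.
resource "aws_iam_role_policy_attachment" "attach_ec2_read_only_access_to_sts_role" {
  role       = aws_iam_role.terraform_sts_role.name
  policy_arn = data.aws_iam_policy.ec2_read_only_access.arn
}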