So I have an IAM policy where I am hard-coding the name of the IAM group. Instead, I want to be able to reference the ARN of a specific group. I have the following configuration set up:
variables.tf
variable "iam_user_groups" {
  type        = map(list(string))
  description = "The iam user groups variables"
}
IAM Groups Resource
resource "aws_iam_group" "data_engineers_team" {
  for_each = var.iam_user_groups
  name     = "${local.csi}-${each.key}"
  path     = "/"
}
groups.tfvars
iam_user_groups = {
  all-users        = ["[email protected]"],
  admin-team       = ["[email protected]"],
  operational-team = [],
}
outputs.tf
output "map_group_arn" {
  # aws_iam_group exports the ARN as "arn" (there is no "group_arn" attribute)
  value = { for k, v in aws_iam_group.data_engineers_team : k => v.arn }
}
This is my IAM policy:
condition {
  test     = "StringNotEquals"
  variable = "aws:PrincipalArn"
  values   = ["arn:aws:iam::${var.aws_account_id}:group/admin-team"]
}
I only want the ARN of admin-team. At the moment I have this hard-coded, which is not best practice.
I have tried to obtain just the admin-team ARN, but the solution I currently have loops through all IAM user groups.
Based on the data in the question, the group ARN should be easy to fetch from the attributes exported by the IAM group resource:
condition {
  test     = "StringNotEquals"
  variable = "aws:PrincipalArn"
  values   = [aws_iam_group.data_engineers_team["admin-team"].arn]
}
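A complete configuration around that expression, added here as an example and not part of the question or the answer. It keeps the answer's `aws_iam_group.data_engineers_team["admin-team"].arn` lookup, adds a variable validation so a missing or empty `admin-team` entry fails at plan time with a readable message instead of an index error (an empty `values` list would otherwise produce an invalid policy), and applies one caveat a reviewer would raise: `aws:PrincipalArn` carries the ARN of the calling IAM user or role, never a group ARN, because IAM groups are not principals, so the condition in the question would deny every caller. The group ARN is therefore used where it belongs, as the protected resource, and the principal allow-list is built from the group's members. Assumptions, all labelled in the code: the list entries in `iam_user_groups` are IAM user names, `local.csi` is set to a placeholder since the question does not show it, and the denied actions, policy names and the `aws_caller_identity`/`aws_partition` data sources are choices for the example.

```hcl
variable "iam_user_groups" {
  type        = map(list(string))
  description = "IAM group key => IAM user names to place in it (assumed meaning of the list)"

  # Plan-time guard: the policy below indexes the map with "admin-team" and
  # needs at least one member, so fail early with a clear message. try() keeps
  # the check from erroring when the key is absent.
  validation {
    condition     = length(try(var.iam_user_groups["admin-team"], [])) > 0
    error_message = "iam_user_groups must contain a non-empty \"admin-team\" entry; the guard policy references it."
  }
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  csi = "example" # assumed prefix; the question's local.csi is not shown

  # aws:PrincipalArn is the calling user's or role's ARN, never a group ARN,
  # so the allow-list is derived from the group's members (assumed user names).
  admin_user_arns = [
    for u in var.iam_user_groups["admin-team"] :
    "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${u}"
  ]
}

resource "aws_iam_group" "data_engineers_team" {
  for_each = var.iam_user_groups
  name     = "${local.csi}-${each.key}"
  path     = "/"
}

data "aws_iam_policy_document" "protect_admin_group" {
  statement {
    sid    = "DenyAdminGroupChangesByNonAdmins"
    effect = "Deny"
    actions = [ # example actions: changes to the admin group's membership and policies
      "iam:AddUserToGroup",
      "iam:RemoveUserFromGroup",
      "iam:AttachGroupPolicy",
      "iam:PutGroupPolicy",
    ]
    # The group ARN is the protected resource, taken from the for_each
    # instance: no account ID or group name string anywhere in the config.
    resources = [aws_iam_group.data_engineers_team["admin-team"].arn]

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalArn"
      values   = local.admin_user_arns
    }
  }
}

resource "aws_iam_policy" "protect_admin_group" {
  name   = "${local.csi}-protect-admin-group"
  policy = data.aws_iam_policy_document.protect_admin_group.json
}

output "admin_team_group_arn" {
  value = aws_iam_group.data_engineers_team["admin-team"].arn
}
```

Run `terraform validate` and `terraform plan -var-file=groups.tfvars`; removing `admin-team` from the tfvars or emptying its list now fails in the variable validation rather than deep inside the policy document. If the members are roles rather than users, change the `user/` segment of `admin_user_arns` accordingly, and consider `ArnNotLike` when wildcarded session ARNs need to match.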