I'm creating a role for the Grafana EC2 instance to allow it to read metrics from CloudWatch. I've faced this issue: https://github.com/grafana/grafana/issues/19173, and it seems like I need to add these lines to the Trust relationship to fix it.
    {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::[id-removed]:role/grafana",
                "arn:aws:sts::[id-removed]:assumed-role/grafana/GrafanaSession"
            ]
        },
        "Action": "sts:AssumeRole"
    }
So I'm wondering how to do it with Terraform. At the moment I'm playing with this version of the Terraform script:
    provider "aws" {
      region  = "eu-west-1"
      version = "~> 2.0"
    }

    variable "aws_account_id" {
      type    = string
      default = "account_id"
    }

    # Trust policy for the role: EC2 (instance profile) plus the role itself.
    data "aws_iam_policy_document" "assume_role_policy" {
      statement {
        actions = ["sts:AssumeRole"]
        principals {
          type        = "Service"
          identifiers = ["ec2.amazonaws.com"]
        }
      }

      # Self-trust: these ARNs only exist once the role below has been created.
      statement {
        actions = ["sts:AssumeRole"]
        principals {
          type = "AWS"
          identifiers = [
            "arn:aws:iam::${var.aws_account_id}:role/grafana",
            "arn:aws:sts::${var.aws_account_id}:assumed-role/grafana/GrafanaSession"
          ]
        }
      }
    }

    resource "aws_iam_role" "grafana" {
      name               = "grafana"
      assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
    }
It fails with:

    MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::[id-removed]:role/grafana"

To make it work I have to comment out the second statement block of aws_iam_policy_document, run terraform apply, then uncomment it and run terraform apply again. This is not a very convenient way to work, as we run our Terraform scripts from GitLab, so it means we have to commit without the assumed-role principals, tag, deploy, commit with them, tag and deploy again :explode
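The error comes from IAM validating the trust policy at role creation time: a principal ARN that names a role which does not exist yet is rejected, and the role cannot exist before its own trust policy does. One way to break that cycle in a single apply, written here as an added example (not code from the original post or from the Grafana project), is to trust the account root principal, which always exists, and narrow it with an aws:PrincipalArn condition to the grafana role. Because a root principal does not grant anything by itself, the role also needs sts:AssumeRole on itself in an identity policy; that can reference aws_iam_role.grafana.arn without a cycle because aws_iam_role_policy is a separate resource created after the role. The region, account-ID variable and role name are taken from the post; the CloudWatch read-only action list and the resource names are assumptions, not a documented Grafana policy:

```hcl
provider "aws" {
  region = "eu-west-1"
}

variable "aws_account_id" {
  type = string
}

# Trust policy: the EC2 service for the instance profile, plus the account
# root narrowed to the grafana role itself. IAM accepts the root principal
# even though the role does not exist yet, so this works in one apply.
data "aws_iam_policy_document" "grafana_trust" {
  statement {
    sid     = "EC2InstanceProfile"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }

  statement {
    sid     = "SelfAssume"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
    }
    # For a role session, aws:PrincipalArn is the role ARN, not the
    # sts assumed-role ARN, so no session-name entry is needed.
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${var.aws_account_id}:role/grafana"]
    }
  }
}

resource "aws_iam_role" "grafana" {
  name               = "grafana"
  assume_role_policy = data.aws_iam_policy_document.grafana_trust.json
}

# With a root principal the caller must also be allowed sts:AssumeRole in its
# own identity policy. Referencing the role ARN here is not a cycle.
data "aws_iam_policy_document" "grafana_self_assume" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.grafana.arn]
  }
}

resource "aws_iam_role_policy" "grafana_self_assume" {
  name   = "grafana-self-assume" # assumed name
  role   = aws_iam_role.grafana.id
  policy = data.aws_iam_policy_document.grafana_self_assume.json
}

# Assumed minimal read-only set for browsing CloudWatch metrics; adjust to
# what the datasource actually needs in your account.
data "aws_iam_policy_document" "grafana_cloudwatch_read" {
  statement {
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricData",
      "cloudwatch:GetMetricStatistics",
      "ec2:DescribeRegions",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "grafana_cloudwatch_read" {
  name   = "grafana-cloudwatch-read" # assumed name
  role   = aws_iam_role.grafana.id
  policy = data.aws_iam_policy_document.grafana_cloudwatch_read.json
}

resource "aws_iam_instance_profile" "grafana" {
  name = "grafana"
  role = aws_iam_role.grafana.name
}
```

Apply with `terraform apply -var aws_account_id=123456789012` (your own account ID). The trust policy no longer names the role ARN as a principal, so the first apply succeeds; the condition still restricts the self-assume path to the grafana role alone, and a different principal in the same account that somehow obtained sts:AssumeRole on this role would still be denied by the condition.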