Replace managed_policy_arns with aws_iam_role_policy_attachment (#…

…862) ## Context #785 This PR fixes deprecation warning linked in the above ticket ## Testing / Validation see: navapbc/platform-test#162
navapbc · Feb 13, 2025 · 50da2c8 · 50da2c8
1 parent 18437db
commit 50da2c8
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 18 deletions.
diff --git a/infra/modules/database/resources/role_manager.tf b/infra/modules/database/resources/role_manager.tf
@@ -74,18 +74,28 @@ data "aws_secretsmanager_secret" "db_password" {
 resource "aws_iam_role" "role_manager" {
   name               = "${var.name}-manager"
   assume_role_policy = data.aws_iam_policy_document.role_manager_assume_role.json
-  managed_policy_arns = [
-    data.aws_iam_policy.lambda_vpc_access.arn,
-
-    # Grant the role manager access to the DB as app and migrator users
-    # so that it can performance database checks. This is needed by
-    # the infra database tests
-    aws_iam_policy.app_db_access.arn,
-    aws_iam_policy.migrator_db_access.arn
-  ]
 }
 
+resource "aws_iam_role_policy_attachment" "role_manager_vpc_access" {
+  role       = aws_iam_role.role_manager.name
+  policy_arn = data.aws_iam_policy.lambda_vpc_access.arn
+}
+
+resource "aws_iam_role_policy_attachment" "role_manager_app_db_access" {
+  # Grants the role manager access to the DB as app and migrator users
+  # so that it can performance database checks. This is needed by
+  # the infra database tests
+  role       = aws_iam_role.role_manager.name
+  policy_arn = aws_iam_policy.app_db_access.arn
+}
 
+resource "aws_iam_role_policy_attachment" "role_manager_migrator_db_access" {
+  # Grants the role manager access to the DB as app and migrator users
+  # so that it can performance database checks. This is needed by
+  # the infra database tests
+  role       = aws_iam_role.role_manager.name
+  policy_arn = aws_iam_policy.migrator_db_access.arn
+}
 
 resource "aws_iam_role_policy" "role_manager_access_to_db_password" {
   name = "${var.name}-role-manager-ssm-access"

diff --git a/infra/modules/service/events_role.tf b/infra/modules/service/events_role.tf
@@ -6,9 +6,13 @@
 # Role that EventBridge will assume
 # The role allows EventBridge to run tasks on the ECS cluster
 resource "aws_iam_role" "events" {
-  name                = "${local.cluster_name}-events"
-  managed_policy_arns = [aws_iam_policy.run_task.arn]
-  assume_role_policy  = data.aws_iam_policy_document.events_assume_role.json
+  name               = "${local.cluster_name}-events"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "events" {
+  role       = aws_iam_role.events.name
+  policy_arn = aws_iam_policy.run_task.arn
 }
 
 data "aws_iam_policy_document" "events_assume_role" {

diff --git a/infra/modules/service/scheduler_role.tf b/infra/modules/service/scheduler_role.tf
@@ -4,9 +4,13 @@
 # This role and policy are used by EventBridge to manage the scheduled jobs.
 
 resource "aws_iam_role" "scheduler" {
-  name                = "${var.service_name}-scheduler"
-  managed_policy_arns = [aws_iam_policy.scheduler.arn]
-  assume_role_policy  = data.aws_iam_policy_document.scheduler_assume_role.json
+  name               = "${var.service_name}-scheduler"
+  assume_role_policy = data.aws_iam_policy_document.scheduler_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "scheduler" {
+  role       = aws_iam_role.scheduler.name
+  policy_arn = aws_iam_policy.scheduler.arn
 }
 
 data "aws_iam_policy_document" "scheduler_assume_role" {

diff --git a/infra/modules/service/workflow_orchestrator_role.tf b/infra/modules/service/workflow_orchestrator_role.tf
@@ -4,9 +4,13 @@
 # This role and policy are used by the Step Functions state machine that manages the scheduled jobs workflow.
 
 resource "aws_iam_role" "workflow_orchestrator" {
-  name                = "${var.service_name}-workflow-orchestrator"
-  managed_policy_arns = [aws_iam_policy.workflow_orchestrator.arn]
-  assume_role_policy  = data.aws_iam_policy_document.workflow_orchestrator_assume_role.json
+  name               = "${var.service_name}-workflow-orchestrator"
+  assume_role_policy = data.aws_iam_policy_document.workflow_orchestrator_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "workflow_orchestrator" {
+  role       = aws_iam_role.workflow_orchestrator.name
+  policy_arn = aws_iam_policy.workflow_orchestrator.arn
 }
 
 data "aws_iam_policy_document" "workflow_orchestrator_assume_role" {