aws_iam_policy_documentを使っていると、terraform planを実行したときに差分が大きくて変更がわかりにくくなることがあったので検証してみた。
具体的には以下のようなパターンで差分が大きくなった。
まず以下のようなtfがあったとして
resource "aws_cloudwatch_log_group" "my-group" {
name = "my-group"
}
resource "aws_iam_role" "log-writer" {
name = "log-writer"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
},
]
})
}
data "aws_iam_policy_document" "put-log" {
statement {
actions = [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
]
resources = [
# 普通、aws_cloudwatch_log_group.my-group.arn を使うが、説明のために便宜上
"arn:aws:logs:ap-northeast-1:XXX:log-group:${aws_cloudwatch_log_group.my-group.name}:*",
]
}
}
resource "aws_iam_role_policy" "put-log" {
role = aws_iam_role.log-writer.name
name = "put-log"
policy = data.aws_iam_policy_document.put-log.json
}
aws_cloudwatch_log_group.my-groupのname属性を変更する。
diff --git a/terraform.tf b/terraform.tf
index cea67e4..d806f57 100644
--- a/terraform.tf
+++ b/terraform.tf
@@ -14,7 +14,7 @@ provider "aws" {
}
resource "aws_cloudwatch_log_group" "my-group" {
- name = "my-group"
+ name = "my-group2"
}
resource "aws_iam_role" "log-writer" {
terraform planの差分は以下のようになる。
![](https://cdn-ak.f.st-hatena.com/images/fotolife/w/winebarrel/20240615/20240615103600.png)
# aws_iam_role_policy.put-log will be updated in-place
~ resource "aws_iam_role_policy" "put-log" {
id = "log-writer:put-log"
name = "put-log"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = [
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:PutLogEvents",
- "logs:GetLogEvents",
]
- Effect = "Allow"
- Resource = "arn:aws:logs:ap-northeast-1:XXX:log-group:my-group:*"
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
# (2 unchanged attributes hidden)
}
これをjsonencodeで直接ポリシーを指定するとポリシーの差分だけ表示される。
resource "aws_iam_role_policy" "put-log" {
role = aws_iam_role.log-writer.name
name = "put-log"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
]
Effect = "Allow"
Resource = "arn:aws:logs:ap-northeast-1:XXX:log-group:${aws_cloudwatch_log_group.my-group.name}:*"
},
]
})
}
![](https://cdn-ak.f.st-hatena.com/images/fotolife/w/winebarrel/20240615/20240615123421.png)
# aws_iam_role_policy.put-log will be updated in-place
~ resource "aws_iam_role_policy" "put-log" {
id = "log-writer:put-log"
name = "put-log"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = "arn:aws:logs:ap-northeast-1:XXX:log-group:my-group:*" -> "arn:aws:logs:ap-northeast-1:XXX:log-group:my-group2:*"
# (2 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
# (2 unchanged attributes hidden)
}
name属性のようにリソースの変更前に値がわかっているようなものだと、同様の現象が発生しそう。
追記
id:MIZZY さんにコメントをいただいたので、aws_cloudwatch_log_group.my-group.name をlocal変数に格納してみた。
resource "aws_cloudwatch_log_group" "my-group" {
name = "my-group2"
}
locals {
my_group_name = aws_cloudwatch_log_group.my-group.name
}
data "aws_iam_policy_document" "put-log" {
statement {
actions = [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
]
resources = [
"arn:aws:logs:ap-northeast-1:822997939312:log-group:${local.my_group_name}:*",
]
}
}
いったんlocal変数に格納すると、差分が最小限になる。
![](https://cdn-ak.f.st-hatena.com/images/fotolife/w/winebarrel/20240615/20240615201604.png)