grimm26 · February 28, 2020 15:09
diff --git a/terraform_stuff b/terraform_stuff
 09:05:34 ❯ tf apply
 data.aws_iam_policy_document.dms: Refreshing state...

 An execution plan has been generated and is shown below.
 Resource actions are indicated with the following symbols:
  + create

 Terraform will perform the following actions:

  # aws_iam_policy.dms_policy will be created
  + resource "aws_iam_policy" "dms_policy" {
      + arn         = (known after apply)
      + description = "Policy allowing console users to access dms resources created in terraform workspace."
      + id          = (known after apply)
      + name        = "tf-dms-permissions-default"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "dms:TestConnection",
                          + "dms:StartReplicationTaskAssessment",
                          + "dms:StartReplicationTask",
                          + "dms:ModifyReplicationTask",
                          + "dms:ListTagsForResource",
                          + "dms:DescribeSchemas",
                          + "dms:DescribeReplicationInstances",
                          + "dms:DescribeRefreshSchemasStatus",
                          + "dms:DescribeOrderableReplicationInstances",
                          + "dms:DescribeEventSubscriptions",
                          + "dms:DescribeEventCategories",
                          + "dms:DescribeEndpoints",
                          + "dms:DescribeEndpointTypes",
                          + "dms:DescribeConnections",
                          + "dms:DeleteReplicationTask",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
                          + "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
                        ]
                      + Sid      = "DMSAllowedOperations"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }

 Plan: 1 to add, 0 to change, 0 to destroy.

 Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

 aws_iam_policy.dms_policy: Creating...
 aws_iam_policy.dms_policy: Creation complete after 1s [id=arn:aws:iam::643927032162:policy/tf-dms-permissions-default]

 Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

 09:05:47 ❯

 09:07:45 ❯ cat main.tf
 provider "aws" {
  region = "us-east-1"
 }

 data "aws_iam_policy_document" "dms" {
  statement {
    sid = "DMSAllowedOperations"
    actions = [
      "dms:DescribeSchemas",
      "dms:DescribeRefreshSchemasStatus",
      "dms:ModifyReplicationTask",
      "dms:StartReplicationTask",
      "dms:DescribeEventSubscriptions",
      "dms:DescribeEndpointTypes",
      "dms:DescribeEventCategories",
      "dms:StartReplicationTaskAssessment",
      "dms:DescribeOrderableReplicationInstances",
      "dms:ListTagsForResource",
      "dms:DescribeConnections",
      "dms:DescribeReplicationInstances",
      "dms:DeleteReplicationTask",
      "dms:TestConnection",
      "dms:DescribeEndpoints",
    ]
    effect = "Allow"
    resources = [
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
      "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
    ]
  }
 }

 resource "aws_iam_policy" "dms_policy" {
  name        = "tf-dms-permissions-${terraform.workspace}"
  description = "Policy allowing console users to access dms resources created in terraform workspace."
  path        = "/"
  policy      = data.aws_iam_policy_document.dms.json
 }
	09:05:34 ❯ tf apply
	data.aws_iam_policy_document.dms: Refreshing state...

	An execution plan has been generated and is shown below.
	Resource actions are indicated with the following symbols:
	+ create

	Terraform will perform the following actions:

	# aws_iam_policy.dms_policy will be created
	+ resource "aws_iam_policy" "dms_policy" {
	+ arn = (known after apply)
	+ description = "Policy allowing console users to access dms resources created in terraform workspace."
	+ id = (known after apply)
	+ name = "tf-dms-permissions-default"
	+ path = "/"
	+ policy = jsonencode(
	{
	+ Statement = [
	+ {
	+ Action = [
	+ "dms:TestConnection",
	+ "dms:StartReplicationTaskAssessment",
	+ "dms:StartReplicationTask",
	+ "dms:ModifyReplicationTask",
	+ "dms:ListTagsForResource",
	+ "dms:DescribeSchemas",
	+ "dms:DescribeReplicationInstances",
	+ "dms:DescribeRefreshSchemasStatus",
	+ "dms:DescribeOrderableReplicationInstances",
	+ "dms:DescribeEventSubscriptions",
	+ "dms:DescribeEventCategories",
	+ "dms:DescribeEndpoints",
	+ "dms:DescribeEndpointTypes",
	+ "dms:DescribeConnections",
	+ "dms:DeleteReplicationTask",
	]
	+ Effect = "Allow"
	+ Resource = [
	+ "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
	+ "arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	]
	+ Sid = "DMSAllowedOperations"
	},
	]
	+ Version = "2012-10-17"
	}
	)
	}

	Plan: 1 to add, 0 to change, 0 to destroy.

	Do you want to perform these actions?
	Terraform will perform the actions described above.
	Only 'yes' will be accepted to approve.

	Enter a value: yes

	aws_iam_policy.dms_policy: Creating...
	aws_iam_policy.dms_policy: Creation complete after 1s [id=arn:aws:iam::643927032162:policy/tf-dms-permissions-default]

	Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

	09:05:47 ❯

	09:07:45 ❯ cat main.tf
	provider "aws" {
	region = "us-east-1"
	}

	data "aws_iam_policy_document" "dms" {
	statement {
	sid = "DMSAllowedOperations"
	actions = [
	"dms:DescribeSchemas",
	"dms:DescribeRefreshSchemasStatus",
	"dms:ModifyReplicationTask",
	"dms:StartReplicationTask",
	"dms:DescribeEventSubscriptions",
	"dms:DescribeEndpointTypes",
	"dms:DescribeEventCategories",
	"dms:StartReplicationTaskAssessment",
	"dms:DescribeOrderableReplicationInstances",
	"dms:ListTagsForResource",
	"dms:DescribeConnections",
	"dms:DescribeReplicationInstances",
	"dms:DeleteReplicationTask",
	"dms:TestConnection",
	"dms:DescribeEndpoints",
	]
	effect = "Allow"
	resources = [
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:endpoint:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
	"arn:aws:dms:eu-west-1:xxxxxxxxxxxx:rep:somevalue",
	]
	}
	}

	resource "aws_iam_policy" "dms_policy" {
	name = "tf-dms-permissions-${terraform.workspace}"
	description = "Policy allowing console users to access dms resources created in terraform workspace."
	path = "/"
	policy = data.aws_iam_policy_document.dms.json
	}