iamポリシーのjsonをHCLで書き直すパズル集 #AWS - Qiita
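# Caller identity: supplies the account ID used to build account-scoped ARNs.
data "aws_caller_identity" "current" {}

locals {
  # Region is fixed here. The network-interface ARN below is built from it,
  # so it must match the region the provider actually deploys into.
  region     = "ap-northeast-1"
  account_id = data.aws_caller_identity.current.account_id
}

# Private subnets the CodeBuild project is allowed to attach ENIs to.
resource "aws_subnet" "private_1a" {
  # ... subnet definition omitted in the original article ...
}

resource "aws_subnet" "private_1c" {
  # ... subnet definition omitted in the original article ...
}

# IAM policy document for a CodeBuild project that runs inside a VPC:
# it must create, inspect and delete its own network interfaces, and then
# hand CodeBuild permission to use them.
data "aws_iam_policy_document" "codebuild_vpc" {
  # ENI lifecycle plus read-only discovery.
  # The Describe* calls do not support resource-level ARNs, so "*" is needed
  # for them. (An explicit `sid = ""` was dropped: an empty Sid adds nothing.)
  # NOTE(review): CreateNetworkInterface / DeleteNetworkInterface can be scoped
  # to resource ARNs in IAM; if a tighter policy is required, move them into a
  # statement limited to this account's network-interface ARNs and confirm the
  # supported resource types against the current EC2 IAM actions reference.
  statement {
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
    ]
    resources = ["*"]
  }

  # Granting another principal permission on an ENI is the sensitive step, so
  # it is fenced three ways: ENIs in this account and region only, only in the
  # two private subnets, and only when the requesting service is CodeBuild.
  statement {
    effect  = "Allow"
    actions = ["ec2:CreateNetworkInterfacePermission"]
    resources = [
      "arn:aws:ec2:${local.region}:${local.account_id}:network-interface/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"
      # Plain references; the interpolation-only "${...}" wrapping is
      # deprecated in Terraform 0.12+ and only produces warnings.
      values = [
        aws_subnet.private_1a.arn,
        aws_subnet.private_1c.arn,
      ]
    }

    condition {
      test     = "StringEquals"
      variable = "ec2:AuthorizedService"
      values   = ["codebuild.amazonaws.com"]
    }
  }
}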
参考
CodeBuildでCloudformationを使ってIAMロールを作成する #CloudFormation - Qiita 2020