Terraform Level 2 Send Notifications from IAM Events to SNS Using Terraform

Task 16: To enable secure inter-service communication, the DevOps team needs to configure access to an SNS topic using IAM roles and policies. The objective is to allow EC2 instances to publish messages to the topic using proper permissions and role assumptions. Please complete the following tasks:

1. Create an SNS topic named nautilus-sns-topic.
2. Create an IAM role named nautilus-sns-role with EC2 as the trusted entity.
3. Attach an inline IAM policy named nautilus-sns-policy that grants permission to publish messages to the SNS topic.
4. Use the main.tf file (do not create a separate .tf file) to provision the SNS topic, role and policy.
5. Create locals.tf with the following names:
   * KKE_SNS_TOPIC_NAME: name of the SNS topic created.
   * KKE_ROLE_NAME: name of the role created.
   * KKE_POLICY_NAME: name of the policy created.
6. Create the outputs.tf file to output the following:
   * The name of the SNS topic using the output variable kke_sns_topic_name.
   * The name of the role using the output variable kke_role_name.
   * The name of the policy using the output variable kke_policy_name.

My solution: main.tf
resource "aws_sns_topic" "nautilus-sns-topic" {
  name = local.KKE_SNS_TOPIC_NAME
}

# Role assumed by EC2 instances; the trust policy admits only the EC2 service principal.
resource "aws_iam_role" "nautilus-sns-role" {
  name = local.KKE_ROLE_NAME

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# Inline policy (aws_iam_role_policy): sns:Publish on this topic's ARN only.
resource "aws_iam_role_policy" "nautilus-sns-policy" {
  name = local.KKE_POLICY_NAME
  role = aws_iam_role.nautilus-sns-role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "sns:Publish",
        ]
        Effect   = "Allow"
        Resource = aws_sns_topic.nautilus-sns-topic.arn
      },
    ]
  })
}

# Instance profile so the role can be attached to EC2 instances.
resource "aws_iam_instance_profile" "nautilus_instance_profile" {
  name = "${local.KKE_ROLE_NAME}-instance-profile"
  role = aws_iam_role.nautilus-sns-role.name
}

Task 16 verification failed with the message below:

 **Managed IAM Policy 'nautilus-sns-policy' is not attached to role.**

But the Task 16 question clearly asked us to create an inline IAM policy for the SNS publish permission.
Please check and clarify whether the verification expects an **aws_iam_role_policy_attachment** or **aws_iam_policy_attachment** resource as well, or something else.

The solution below for this task was verified successfully:

resource "aws_sns_topic" "datacenter_sns_topic" {
  name = local.KKE_SNS_TOPIC_NAME

  tags = {
    Name = local.KKE_SNS_TOPIC_NAME
  }
}

# Role assumed by EC2 instances; trust policy limited to the EC2 service principal.
resource "aws_iam_role" "datacenter_sns_role" {
  name = local.KKE_ROLE_NAME

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })

  tags = {
    Name = local.KKE_ROLE_NAME
  }
}

# Inline policy on the role (what the task text asks for).
resource "aws_iam_role_policy" "datacenter_sns_policy" {
  name = local.KKE_POLICY_NAME
  role = aws_iam_role.datacenter_sns_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "sns:Publish"
        ]
        Resource = aws_sns_topic.datacenter_sns_topic.arn
      }
    ]
  })
}

# Customer-managed policy with the same name and the same statement (what the grader checks for).
resource "aws_iam_policy" "datacenter_sns_policy" {
  name        = local.KKE_POLICY_NAME
  description = "Policy to allow publishing messages to SNS topic"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "sns:Publish"
        ]
        Resource = aws_sns_topic.datacenter_sns_topic.arn
      }
    ]
  })

  tags = {
    Name = local.KKE_POLICY_NAME
  }
}

# Attaches the managed policy to this one role without affecting other attachments.
resource "aws_iam_role_policy_attachment" "datacenter_sns_policy_attachment" {
  role       = aws_iam_role.datacenter_sns_role.name
  policy_arn = aws_iam_policy.datacenter_sns_policy.arn
}

# Exclusive attachment: Terraform treats the listed roles as the only entities
# this policy may be attached to.
resource "aws_iam_policy_attachment" "datacenter_sns_policy_attachment" {
  name       = "datacenter-sns-policy-attachment"
  roles      = [aws_iam_role.datacenter_sns_role.name]
  policy_arn = aws_iam_policy.datacenter_sns_policy.arn
}

resource "aws_iam_instance_profile" "datacenter_instance_profile" {
  name = "${local.KKE_ROLE_NAME}-instance-profile"
  role = aws_iam_role.datacenter_sns_role.name
}

Please update the question description or the verification step for this task, as the two do NOT match as of 12th July 2025…

Hi V.Sivakumar.Mca,

I had similar thoughts when using this to create a policy resource block. Here’s my two cents on it.

I think the main difference between the two resources is their scope and intended use:

aws_iam_policy_attachment
  Scope: manages policy attachments across multiple entity types (users, groups, AND roles).

aws_iam_role_policy_attachment
  Scope: manages policy attachments only for IAM roles.
  Use case: when you want to attach a policy to a specific role without interfering with other policy attachments.

That being said, either will work, but I think for this task the aws_iam_role_policy_attachment would make more sense as there is only one role involved.
