terra-test/000000000000/iam/roles/main.tf

terraform {
  backend "s3" {
    profile = "terra"
    bucket  = "mytesting-tf-states"
    key     = "000000000000/iam/roles/terraform.tfstate"
    region  = "eu-west-1"
  }
}

##########################
###"A" policy and role 
##########################

resource "aws_iam_policy" "role_a_policy" {
  name        = "role_a_policy"
  path        = "/service-role/"
  description = "role_a_policy"

  policy = data.template_file.policy_a.rendered
}

resource "aws_iam_role" "role_a" {
  name = "role_a"

  assume_role_policy  = data.template_file.asume_role.rendered
  managed_policy_arns = [aws_iam_policy.role_a_policy.arn]
}

##########################
###"B" policy and role 
##########################

resource "aws_iam_policy" "role_b_policy" {
  name        = "role_b_policy"
  path        = "/service-role/"
  description = ""
  policy      = data.template_file.asume_role_policy.rendered
}


resource "aws_iam_role" "role_b" {
  name = "role_b"

  assume_role_policy  = data.template_file.asume_role.rendered
  managed_policy_arns = [aws_iam_policy.role_b_policy.arn]
}

#######################################
### Creating Ec2 instance role for "B" 
#######################################

resource "aws_iam_instance_profile" "test_profile" {
  name = "s3_profile"
  role = aws_iam_role.role_b.name
}

####################################################
### Attach "A" role policy to group 1 just for test
####################################################

resource "aws_iam_group_policy_attachment" "group_1" {
  group      = data.terraform_remote_state.group_1.outputs.user_group_1_name
  policy_arn = aws_iam_policy.role_a_policy.arn
  depends_on = [aws_iam_policy.role_a_policy]
}

resource "aws_iam_group_policy_attachment" "group_2_role" {
  group      = data.terraform_remote_state.group_2.outputs.user_group_2_name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  depends_on = [aws_iam_policy.role_a_policy]
}

format("%-%", var.prod_account_id[terraform.workspace])