Amazon Web Services (AWS) - Create an IAM Role using Terraform

by Jeremy Canfield | Updated: August 31 2023
Let's say you have the following files on your Terraform server.
├── required_providers.tf
├── iam_roles (directory)
│   ├── policy.tf
│   ├── provider.tf
│   ├── role.tf
required_providers.tf will almost always have this.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used. This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.
provider "aws" {
  # With alias set, this is not the default configuration: resources must select it
  # with provider = aws.default, or the alias line must be removed.
  alias   = "default"
  profile = "default"
  # region must be a real region name (for example us-east-1); "default" is not a valid region.
  region  = "us-east-1"
}
And policy.tf could have something like this.
data "aws_caller_identity" "my-caller-identity" {}

data "aws_iam_policy" "ec2" {
  name = "AmazonEC2FullAccess"
}

# Trust policy. Trusting the account ":root" ARN means any principal in this account
# that has been granted sts:AssumeRole on the role can assume it.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
      "sts:TagSession",
      "sts:SetSourceIdentity"
    ]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.my-caller-identity.account_id}:root"
      ]
    }
  }
}
And role.tf could have something like this to create a role named my_role.
resource "aws_iam_role" "my_role" {
  name                = "my_role"
  assume_role_policy  = data.aws_iam_policy_document.assume_role.json
  managed_policy_arns = [data.aws_iam_policy.ec2.arn]
  tags                = {}
}
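As an added example (not part of the original article), the same role written with a narrower trust policy and a least-privilege permissions policy instead of AmazonEC2FullAccess. The trusted role name deploy-role, the policy and role names, and the EC2 action list are assumptions chosen for illustration.

```hcl
data "aws_caller_identity" "current" {}

# Trust policy: only the named role (assumed name "deploy-role") may assume this
# role, rather than every principal in the account that the ":root" form allows.
data "aws_iam_policy_document" "assume_role_restricted" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole", "sts:TagSession"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/deploy-role"]
    }
  }
}

# Permissions policy: the subset of EC2 actions actually needed (assumed here to be
# read-only describe calls) instead of the AmazonEC2FullAccess managed policy.
data "aws_iam_policy_document" "ec2_describe" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"]
    resources = ["*"] # EC2 Describe* actions do not support resource-level restriction
  }
}

resource "aws_iam_policy" "ec2_describe" {
  name   = "my_role_ec2_describe"
  policy = data.aws_iam_policy_document.ec2_describe.json
}

resource "aws_iam_role" "my_role_restricted" {
  name                 = "my_role_restricted"
  assume_role_policy   = data.aws_iam_policy_document.assume_role_restricted.json
  max_session_duration = 3600 # one hour, the minimum IAM allows
  tags = {
    ManagedBy = "terraform"
  }
}

# Attach with a separate resource so the role's policy set is explicit in state
# and the role block does not need the managed_policy_arns argument.
resource "aws_iam_role_policy_attachment" "ec2_describe" {
  role       = aws_iam_role.my_role_restricted.name
  policy_arn = aws_iam_policy.ec2_describe.arn
}
```

Running terraform plan against this shows the trust policy's Principal as the single role ARN rather than the account root, which is the quickest check that the restriction took effect.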
The terraform plan command can be used to see what Terraform should do (create the role).
$ terraform plan
data.aws_caller_identity.my-caller-identity: Reading...
data.aws_iam_policy.ec2: Reading...
data.aws_caller_identity.my-caller-identity: Read complete after 0s [id=123456789012]
data.aws_iam_policy_document.assume_role: Reading...
data.aws_iam_policy_document.assume_role: Read complete after 0s [id=555684554]
data.aws_iam_policy.ec2: Read complete after 1s [id=arn:aws:iam::aws:policy/AmazonEC2FullAccess]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.iam.aws_iam_role.assume_role will be created
  + resource "aws_iam_role" "my_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:SetSourceIdentity",
                          + "sts:AssumeRole",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::123456789012:root"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = [
          + "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
        ]
      + max_session_duration  = 3600
      + name                  = "my_role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
The terraform apply command can be used to create the IAM role.
$ terraform apply
aws_iam_role.assume_role: Creating...
aws_iam_role.assume_role: Creation complete after 1s [id=my_role]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.