
Module: iam-policy

This terraform-aws-iam-policy module is a wrapper around the Terraform aws_iam_policy_document data source, enhancing it to provide multiple ways to create an AWS IAM Policy document (as a JSON string). It is primarily intended to simplify creating a policy in Terraform from external inputs. In particular, if you want to specify a policy in a tfvars file as a Terraform object, or in YAML as part of an Atmos stack (which is then turned into a Terraform object input), this module provides an object type declaration to use for the input and then makes the translation to JSON for you. If you can supply the policy as JSON to begin with, or can conveniently use the aws_iam_policy_document Terraform data source directly, this module is not needed in your case.

note

AWS's IAM policy document syntax allows for replacement of policy variables within a statement using ${...}-style notation, which conflicts with Terraform's interpolation syntax. In order to use AWS policy variables with this module, use &{...} notation for interpolations that should be processed by AWS rather than by Terraform. Any ${...}-style notation that does reach this module inside a string (having somehow escaped Terraform interpolation earlier) is passed through to the policy document unchanged.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test.

module "iam_policy" {
  source = "cloudposse/iam-policy/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  # The input is a list of policy objects; each is rendered to a JSON document.
  iam_policy = [{
    version   = "2012-10-17"
    policy_id = "example"
    statements = [
      {
        sid       = "ListMyBucket"
        effect    = "Allow"
        actions   = ["s3:ListBucket"]
        resources = ["arn:aws:s3:::test"]
        conditions = [
          {
            test     = "StringLike"
            variable = "cloudwatch:namespace"
            values   = ["x-*"]
          },
        ]
      },
      {
        sid       = "WriteMyBucket"
        effect    = "Allow"
        actions   = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
        resources = ["arn:aws:s3:::test/*"]
        conditions = [
          {
            test     = "StringLike"
            variable = "cloudwatch:namespace"
            values   = ["x-*"]
          },
        ]
      }
    ]
  }]
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example" {
  name               = "hello_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name = "test_policy"

    # The module's json output is the rendered IAM policy document.
    policy = module.iam_policy.json
  }
}
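As an added example (not from the module's README or the examples directory), the same input shape is used below with an AWS policy variable written in &{...} form, so the rendered JSON carries ${aws:username} for AWS to evaluate instead of being treated as a Terraform interpolation. The bucket name "example-home", the module and policy names, and the version pin are assumptions, not values from this page.

```hcl
# Added example: least-privilege access to a per-user prefix in a shared bucket.
# "example-home" and the names below are placeholders (assumed, not from the page).
module "user_home_policy" {
  source = "cloudposse/iam-policy/aws"
  # version = "x.x.x"   # pin to a released version in real use

  iam_policy = [{
    version   = "2012-10-17"
    policy_id = "user-home-prefix"
    statements = [
      {
        sid       = "ListOwnPrefixOnly"
        effect    = "Allow"
        actions   = ["s3:ListBucket"]
        resources = ["arn:aws:s3:::example-home"]
        conditions = [
          {
            # &{...} is passed through to AWS as ${aws:username};
            # writing ${...} here would be parsed as Terraform interpolation.
            test     = "StringLike"
            variable = "s3:prefix"
            values   = ["home/&{aws:username}/*"]
          },
        ]
      },
      {
        sid        = "ReadWriteOwnPrefix"
        effect     = "Allow"
        actions    = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        resources  = ["arn:aws:s3:::example-home/home/&{aws:username}/*"]
        conditions = []
      },
    ]
  }]
}

# Attach the rendered document as a standalone managed policy.
resource "aws_iam_policy" "user_home" {
  name   = "user-home-prefix"
  policy = module.user_home_policy.json
}
```

After `terraform plan`, inspect the rendered `policy` value to confirm it contains `${aws:username}` and no literal `&{` remains.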

Examples

Here is an example of using this module: