aws_iam_policy_document

Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with resources which expect policy documents, such as the aws_iam_policy resource.

data "aws_iam_policy_document" "example" {
    statement {
        sid = "1"
        actions = [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ]
        resources = [
            "arn:aws:s3:::*",
        ]
    }

    statement {
        actions = [
            "s3:ListBucket",
        ]
        resources = [
            "arn:aws:s3:::${var.s3_bucket_name}",
        ]
        condition {
            test = "StringLike"
            variable = "s3:prefix"
            values = [
                "",
                "home/",
                "home/&{aws:username}/",
            ]
        }
    }

    statement {
        actions = [
            "s3:*",
        ]
        resources = [
            "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
            "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
        ]
    }

}

resource "aws_iam_policy" "example" {
    name = "example_policy"
    path = "/"
    policy = "${data.aws_iam_policy_document.example.json}"
}

Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings within your configuration, or to use the file interpolation function to read a raw JSON policy document from a file.

Argument Reference

The following arguments are supported:

Each document configuration must have one or more statement blocks, which each accept the following arguments:

Each policy may have either zero or more principals blocks or zero or more not_principals blocks, both of which each accept the following arguments:

Each policy statement may have zero or more condition blocks, which each accept the following arguments:

When multiple condition blocks are provided, they must all evaluate to true for the policy statement to apply. (In other words, the conditions are combined with the “AND” boolean operation.)

Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated into various strings within a statement. The native IAM policy document format uses ${...}-style syntax that is in conflict with Terraform’s interpolation syntax, so this data source instead uses &{...} syntax for interpolations that should be processed by AWS rather than by Terraform.
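To make the two rules above concrete (condition blocks combine with AND, and &{...} is the form AWS evaluates rather than Terraform), here is a small added Python illustration of how statements like the ones in the example above end up in JSON. It is not the provider's own code; the input structure and the sample bucket name "my-bucket" (standing in for var.s3_bucket_name) are constructed for the example, and single-element lists are kept as lists rather than collapsed to strings.

```python
import json

# Constructed mirror of how statement blocks render into an IAM policy document.
# This is an added illustration, not the Terraform provider's implementation.

# Statements from the example above, with var.s3_bucket_name replaced by the
# constructed value "my-bucket". A fourth statement with two condition blocks
# is added to show how several conditions land in one Condition object.
EXAMPLE_STATEMENTS = [
    {"sid": "1",
     "actions": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "resources": ["arn:aws:s3:::*"]},
    {"actions": ["s3:ListBucket"],
     "resources": ["arn:aws:s3:::my-bucket"],
     "condition": [{"test": "StringLike", "variable": "s3:prefix",
                    "values": ["", "home/", "home/&{aws:username}/"]}]},
    {"actions": ["s3:*"],
     "resources": ["arn:aws:s3:::my-bucket/home/&{aws:username}",
                   "arn:aws:s3:::my-bucket/home/&{aws:username}/*"]},
    {"actions": ["s3:GetObject"],
     "resources": ["arn:aws:s3:::my-bucket/*"],
     "condition": [{"test": "Bool", "variable": "aws:SecureTransport",
                    "values": ["true"]},
                   {"test": "IpAddress", "variable": "aws:SourceIp",
                    "values": ["203.0.113.0/24"]}]},  # constructed sample range
]


def aws_interpolation(s):
    """Turn the &{...} form, which Terraform leaves alone, into the ${...}
    form that IAM substitutes at request time (e.g. ${aws:username})."""
    return s.replace("&{", "${")


def render_statement(stmt):
    """Render one statement block into its IAM JSON object."""
    out = {}
    if "sid" in stmt:
        out["Sid"] = stmt["sid"]
    out["Effect"] = stmt.get("effect", "Allow")   # Allow unless stated otherwise
    out["Action"] = list(stmt["actions"])
    out["Resource"] = [aws_interpolation(r) for r in stmt["resources"]]
    condition_blocks = stmt.get("condition", [])
    if condition_blocks:
        # Every condition block is merged into a single Condition object keyed
        # by operator and then by context key. IAM requires each entry in that
        # object to hold, which is exactly the AND semantics described above.
        cond = {}
        for c in condition_blocks:
            cond.setdefault(c["test"], {})[c["variable"]] = [
                aws_interpolation(v) for v in c["values"]
            ]
        out["Condition"] = cond
    return out


def render_document(statements, version="2012-10-17"):
    """Assemble the full policy document; 2012-10-17 is the current IAM version."""
    return {"Version": version,
            "Statement": [render_statement(s) for s in statements]}


def required_condition_count(rendered_statement):
    """Number of operator/key pairs that must all be true for the statement
    to apply (0 when the statement carries no Condition)."""
    cond = rendered_statement.get("Condition", {})
    return sum(len(keys) for keys in cond.values())


if __name__ == "__main__":
    print(json.dumps(render_document(EXAMPLE_STATEMENTS), indent=2))
```

Running the block prints the rendered document; note that the &{aws:username} placeholders arrive in the JSON as ${aws:username}, and the fourth statement's two condition blocks appear as two entries of one Condition object, which is why both must hold before that statement grants anything.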

Attributes Reference

The following attribute is exported:


See the source of this document at Terraform.io