github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/website/source/docs/providers/aws/d/iam_policy_document.html.markdown

---
layout: "aws"
page_title: "AWS: aws_iam_policy_document"
sidebar_current: "docs-aws-datasource-iam-policy-document"
description: |-
  Generates an IAM policy document in JSON format
---

# aws\_iam\_policy\_document

Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of
an IAM policy document, for use with resources which expect policy documents,
such as the `aws_iam_policy` resource.

```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"

    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]
  }

  statement {
    actions = [
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}",
    ]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"

      values = [
        "",
        "home/",
        "home/&{aws:username}/",
      ]
    }
  }

  statement {
    actions = [
      "s3:*",
    ]

    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
    ]
  }
}

resource "aws_iam_policy" "example" {
  name   = "example_policy"
  path   = "/"
  policy = "${data.aws_iam_policy_document.example.json}"
}
```

Using this data source to generate policy documents is *optional*. It is also
valid to use literal JSON strings within your configuration, or to use the
`file` interpolation function to read a raw JSON policy document from a file.

## Argument Reference

The following arguments are supported:

* `policy_id` (Optional) - An ID for the policy document.
* `statement` (Required) - A nested configuration block (described below)
  configuring one *statement* to be included in the policy document.

Each document configuration must have one or more `statement` blocks, which
each accept the following arguments:

* `sid` (Optional) - An ID for the policy statement.
* `effect` (Optional) - Either "Allow" or "Deny", to specify whether this
  statement allows or denies the given actions. The default is "Allow".
* `actions` (Optional) - A list of actions that this statement either allows
  or denies. For example, `["ec2:RunInstances", "s3:*"]`.
* `not_actions` (Optional) - A list of actions that this statement does *not*
  apply to. Used to apply a policy statement to all actions *except* those
  listed.
* `resources` (Optional) - A list of resource ARNs that this statement applies
  to. This is required by AWS if used for an IAM policy.
* `not_resources` (Optional) - A list of resource ARNs that this statement
  does *not* apply to. Used to apply a policy statement to all resources
  *except* those listed.
* `principals` (Optional) - A nested configuration block (described below)
  specifying a resource (or resource pattern) to which this statement applies.
* `not_principals` (Optional) - Like `principals` except gives resources that
  the statement does *not* apply to.
* `condition` (Optional) - A nested configuration block (described below)
  that defines a further, possibly service-specific condition that constrains
  whether this statement applies.

Each policy statement may have zero or more `principals` blocks or zero or more
`not_principals` blocks; both accept the following arguments:

* `type` (Required) The type of principal. For AWS accounts this is "AWS".
* `identifiers` (Required) List of identifiers for principals. When `type`
  is "AWS", these are IAM user or role ARNs.

Each policy statement may have zero or more `condition` blocks, which each
accept the following arguments:

* `test` (Required) The name of the
  [IAM condition type](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType)
  to evaluate.
* `variable` (Required) The name of a
  [Context Variable](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys)
  to apply the condition to. Context variables may either be standard AWS
  variables starting with `aws:`, or service-specific variables prefixed with
  the service name.
* `values` (Required) The values to evaluate the condition against. If multiple
  values are provided, the condition matches if at least one of them applies.
  (That is, the tests are combined with the "OR" boolean operation.)

When multiple `condition` blocks are provided, they must *all* evaluate to true
for the policy statement to apply. (In other words, the conditions are combined
with the "AND" boolean operation.)

## Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated
into various strings within a statement. The native IAM policy document format
uses `${...}`-style syntax, which conflicts with Terraform's interpolation
syntax, so this data source instead uses `&{...}` syntax for interpolations that
should be processed by AWS rather than by Terraform.
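As an added illustration (not the provider's own code) of how the `condition` semantics and the `&{...}` markers described above end up in IAM JSON, the following Go program renders a statement's `Condition` element: each block becomes its own test/variable key (AND), each block's values become an array (OR), and `&{...}` is rewritten to `${...}`. It goes slightly beyond the page's example by adding a constructed second block on `aws:SecureTransport`; the type and function names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ConditionBlock mirrors one `condition` block (a type constructed here, not the provider's).
type ConditionBlock struct {
	Test     string
	Variable string
	Values   []string
}

// awsInterpolation rewrites `&{...}` markers into the `${...}` form IAM expands at request time.
func awsInterpolation(s string) string {
	return strings.ReplaceAll(s, "&{", "${")
}

// renderCondition builds the JSON "Condition" element: each block gets its own
// test -> variable key (blocks are ANDed); one block's values form an array (ORed).
func renderCondition(blocks []ConditionBlock) (map[string]map[string][]string, error) {
	cond := map[string]map[string][]string{}
	for _, b := range blocks {
		if b.Test == "" || b.Variable == "" || len(b.Values) == 0 {
			return nil, fmt.Errorf("condition block needs test, variable and values")
		}
		if cond[b.Test] == nil {
			cond[b.Test] = map[string][]string{}
		}
		for _, v := range b.Values {
			cond[b.Test][b.Variable] = append(cond[b.Test][b.Variable], awsInterpolation(v))
		}
	}
	return cond, nil
}

func main() {
	// Constructed input: the page's s3:prefix block plus a TLS-only block, to show two blocks ANDing.
	cond, err := renderCondition([]ConditionBlock{
		{Test: "StringLike", Variable: "s3:prefix", Values: []string{"", "home/", "home/&{aws:username}/"}},
		{Test: "Bool", Variable: "aws:SecureTransport", Values: []string{"true"}},
	})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"Condition": cond}, "", "  ")
	fmt.Println(string(out))
}
```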

## Attributes Reference

The following attribute is exported:

* `json` - The above arguments serialized as a standard JSON policy document.

## Example with Multiple Principals

This example shows how the data source can be used to generate an assume role
policy, and how to specify multiple `principals` blocks with different types.

```hcl
data "aws_iam_policy_document" "event_stream_bucket_role_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = ["${var.trusted_role_arn}"]
    }
  }
}
```