github.com/ves/terraform@v0.8.0-beta2/website/source/docs/providers/aws/d/iam_policy_document.html.markdown

---
layout: "aws"
page_title: "AWS: aws_iam_policy_document"
sidebar_current: "docs-aws-datasource-iam-policy-document"
description: |-
  Generates an IAM policy document in JSON format
---

# aws\_iam\_policy\_document

Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of
an IAM policy document, for use with resources which expect policy documents,
such as the `aws_iam_policy` resource.

```
data "aws_iam_policy_document" "example" {
    statement {
        sid = "1"
        actions = [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ]
        resources = [
            "arn:aws:s3:::*",
        ]
    }

    statement {
        actions = [
            "s3:ListBucket",
        ]
        resources = [
            "arn:aws:s3:::${var.s3_bucket_name}",
        ]
        condition {
            test = "StringLike"
            variable = "s3:prefix"
            values = [
                "",
                "home/",
                "home/&{aws:username}/",
            ]
        }
    }

    statement {
        actions = [
            "s3:*",
        ]
        resources = [
            "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
            "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
        ]
    }

}

resource "aws_iam_policy" "example" {
    name = "example_policy"
    path = "/"
    policy = "${data.aws_iam_policy_document.example.json}"
}
```

Using this data source to generate policy documents is *optional*. It is also
valid to use literal JSON strings within your configuration, or to use the
`file` interpolation function to read a raw JSON policy document from a file.

## Argument Reference

The following arguments are supported:

* `policy_id` (Optional) - An ID for the policy document.
* `statement` (Required) - A nested configuration block (described below)
  configuring one *statement* to be included in the policy document.

Each document configuration must have one or more `statement` blocks, each of
which accepts the following arguments:

* `sid` (Optional) - An ID for the policy statement.
* `effect` (Optional) - Either "Allow" or "Deny", to specify whether this
  statement allows or denies the given actions. The default is "Allow".
* `actions` (Optional) - A list of actions that this statement either allows
  or denies. For example, `["ec2:RunInstances", "s3:*"]`.
* `not_actions` (Optional) - A list of actions that this statement does *not*
  apply to. Used to apply a policy statement to all actions *except* those
  listed.
* `resources` (Optional) - A list of resource ARNs that this statement applies
  to. This is required by AWS if used for an IAM policy.
* `not_resources` (Optional) - A list of resource ARNs that this statement
  does *not* apply to. Used to apply a policy statement to all resources
  *except* those listed.
* `principals` (Optional) - A nested configuration block (described below)
  specifying a resource (or resource pattern) to which this statement applies.
* `not_principals` (Optional) - Like `principals` except gives resources that
  the statement does *not* apply to.
* `condition` (Optional) - A nested configuration block (described below)
  that defines a further, possibly service-specific condition that constrains
  whether this statement applies.

Each policy statement may have zero or more `principals` blocks or zero or
more `not_principals` blocks, each of which accepts the following arguments:

* `type` (Required) - The type of principal. For AWS accounts this is "AWS".
* `identifiers` (Required) - List of identifiers for principals. When `type`
  is "AWS", these are IAM user or role ARNs.

Each policy statement may have zero or more `condition` blocks, each of which
accepts the following arguments:

* `test` (Required) - The name of the
  [IAM condition type](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType)
  to evaluate.
* `variable` (Required) - The name of a
  [Context Variable](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys)
  to apply the condition to. Context variables may either be standard AWS
  variables starting with `aws:`, or service-specific variables prefixed with
  the service name.
* `values` (Required) - The values to evaluate the condition against. If
  multiple values are provided, the condition matches if at least one of them
  applies. (That is, the values are combined with the "OR" boolean operation.)

When multiple `condition` blocks are provided, they must *all* evaluate to true
for the policy statement to apply. (In other words, the conditions are combined
with the "AND" boolean operation.)

## Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated
into various strings within a statement. The native IAM policy document format
uses `${...}`-style syntax that is in conflict with Terraform's interpolation
syntax, so this data source instead uses `&{...}` syntax for interpolations that
should be processed by AWS rather than by Terraform.

## Attributes Reference

The following attribute is exported:

* `json` - The above arguments serialized as a standard JSON policy document.
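As an added example (not code from the Terraform provider itself), the following Python models what the `json` attribute produces from the `statement` arguments described above: `effect` defaulting to "Allow", the `not_*` variants, `principals` grouped by `type`, each `condition` block nested under its test and variable (so separate blocks are ANDed and the values in one block are ORed), and `&{...}` rewritten to IAM's native `${...}`. The document layout (`Version` 2012-10-17, `Id`, `Statement` and the IAM key names) follows the standard IAM policy format; keeping single-element lists as JSON arrays and resolving `${var.s3_bucket_name}` to a constructed `example-bucket` are assumptions of this example.

```python
import json
import re

# `&{...}` is the data source's spelling of IAM's `${...}`; AWS, not Terraform, expands it.
AWS_VAR = re.compile(r"&\{([^}]+)\}")

def aws_vars(values):
    """Rewrite every `&{aws:username}` to `${aws:username}`."""
    return [AWS_VAR.sub(r"${\1}", v) for v in values]

def render_statement(stmt):
    """Map one `statement` block (a dict keyed like the HCL arguments) to JSON."""
    out = {"Effect": stmt.get("effect", "Allow")}  # effect defaults to Allow
    if "sid" in stmt:
        out["Sid"] = stmt["sid"]
    for key, name in (("actions", "Action"), ("not_actions", "NotAction"),
                      ("resources", "Resource"), ("not_resources", "NotResource")):
        if stmt.get(key):
            out[name] = aws_vars(stmt[key])
    for key, name in (("principals", "Principal"), ("not_principals", "NotPrincipal")):
        for p in stmt.get(key, []):  # blocks of the same type merge into one list
            out.setdefault(name, {}).setdefault(p["type"], []).extend(p["identifiers"])
    # Each condition block lands under Condition[test][variable]: IAM ANDs the
    # separate blocks and ORs the values listed inside one block.
    for c in stmt.get("condition", []):
        cond = out.setdefault("Condition", {}).setdefault(c["test"], {})
        cond.setdefault(c["variable"], []).extend(aws_vars(c["values"]))
    return out

def build_policy(statements, policy_id=None):
    """Assemble the document that the `json` attribute exports, as a dict."""
    doc = {"Version": "2012-10-17"}
    if policy_id:
        doc["Id"] = policy_id
    doc["Statement"] = [render_statement(s) for s in statements]
    return doc

# Constructed sample: the page's policy with ${var.s3_bucket_name} resolved to "example-bucket".
EXAMPLE = [
    {"sid": "1", "actions": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "resources": ["arn:aws:s3:::*"]},
    {"actions": ["s3:ListBucket"], "resources": ["arn:aws:s3:::example-bucket"],
     "condition": [{"test": "StringLike", "variable": "s3:prefix",
                    "values": ["", "home/", "home/&{aws:username}/"]}]},
    {"actions": ["s3:*"], "resources": ["arn:aws:s3:::example-bucket/home/&{aws:username}",
                                        "arn:aws:s3:::example-bucket/home/&{aws:username}/*"]},
]

if __name__ == "__main__":
    print(json.dumps(build_policy(EXAMPLE, policy_id="example"), indent=2))
```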