Difference between revisions of "Terraform resource: aws iam policy"
Jump to navigation
Jump to search
| (20 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
| + | [[aws_iam_policy]] + [[aws_iam_role]] -> [[aws_iam_role_policy_attachment]] | ||
| + | |||
| + | == Examples == | ||
| + | === Official example === | ||
| + | resource "aws_iam_policy" "policy" { | ||
| + | name = "test_policy" | ||
| + | path = "/" | ||
| + | description = "My test policy" | ||
| + | |||
| + | # Terraform's "jsonencode" function converts a | ||
| + | # Terraform expression result to valid JSON syntax. | ||
| + | policy = [[jsonencode]]({ | ||
| + | Version = "2012-10-17" | ||
| + | Statement = [ | ||
| + | { | ||
| + | Action = [ | ||
| + | "ec2:Describe*", | ||
| + | ] | ||
| + | Effect = "Allow" | ||
| + | Resource = "*" | ||
| + | }, | ||
| + | ] | ||
| + | }) | ||
| + | } | ||
| + | |||
| + | === Basic example === | ||
resource "aws_iam_policy" "your_resource_name" { | resource "aws_iam_policy" "your_resource_name" { | ||
name = "your_policy_name" | name = "your_policy_name" | ||
[[policy]] = "${data.[[aws_iam_policy_document]].your_policy_name[[.json]]}" | [[policy]] = "${data.[[aws_iam_policy_document]].your_policy_name[[.json]]}" | ||
} | } | ||
| + | |||
| + | == DynamoDB example == | ||
| + | resource "aws_iam_policy" "dynamodb_example" { | ||
| + | name = "${var.environment}-dynamodb_example" | ||
| + | policy = jsonencode({ | ||
| + | Version = "2012-10-17" | ||
| + | Statement = [ | ||
| + | { | ||
| + | Action = [ | ||
| + | "[[dynamodb:Scan]]", | ||
| + | "[[dynamodb:GetItem]]", | ||
| + | "[[dynamodb:BatchGetItem]]", | ||
| + | "[[dynamodb:Query]]", | ||
| + | "[[dynamodb:PutItem]]", | ||
| + | "[[dynamodb:UpdateItem]]", | ||
| + | "[[dynamodb:DeleteItem]]", | ||
| + | "[[dynamodb:BatchWriteItem]]" | ||
| + | ] | ||
| + | Effect = "Allow" | ||
| + | Resource = "*" | ||
| + | }, | ||
| + | { | ||
| + | Action = [ | ||
| + | "logs:CreateLogGroup", | ||
| + | "logs:CreateLogStream", | ||
| + | "logs:PutLogEvents" | ||
| + | ] | ||
| + | Effect = "Allow" | ||
| + | Resource = "*" | ||
| + | } | ||
| + | ] | ||
| + | }) | ||
| + | } | ||
| + | |||
| + | == Errors == | ||
| + | *<code>[[Error: Deleting IAM policy]] ../.. is not authorized to perform: [[iam:DeletePolicyVersion]] on resource</code> | ||
| + | |||
| + | == Policies == | ||
| + | * [[AWS: Denies access to AWS based on the requested Region]] | ||
== Related == | == Related == | ||
* [[AWS policy]] | * [[AWS policy]] | ||
| − | + | * <code>[[aws_iam_user]]</code> | |
| + | * [[Terraform data source]]: <code>[[aws_iam_policy_document]]</code> | ||
| + | * [[kms:Decrypt]] | ||
| + | * [[ecr:]] [[ecr:BatchGetImage]] | ||
| + | * [[ECS execution policy]] | ||
| + | * [[AWS managed policy: AmazonECSTaskExecutionRolePolicy]] | ||
| + | * <code>[[s3:]]</code> | ||
== See also == | == See also == | ||
| − | * {{ | + | * {{aws_iam_policy}} |
| + | * {{terraform aws iam resources}} | ||
[[Category:Terraform]] | [[Category:Terraform]] | ||
Latest revision as of 11:23, 14 June 2024
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
aws_iam_policy + aws_iam_role -> aws_iam_role_policy_attachment
Contents
Examples[edit]
Official example[edit]
resource "aws_iam_policy" "policy" {
name = "test_policy"
path = "/"
description = "My test policy"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Basic example[edit]
resource "aws_iam_policy" "your_resource_name" {
name = "your_policy_name"
policy = "${data.aws_iam_policy_document.your_policy_name.json}"
}
DynamoDB example[edit]
resource "aws_iam_policy" "dynamodb_example" {
name = "${var.environment}-dynamodb_example"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
]
Effect = "Allow"
Resource = "*"
},
{
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Effect = "Allow"
Resource = "*"
}
]
})
}
Errors[edit]
Error: Deleting IAM policy ../.. is not authorized to perform: iam:DeletePolicyVersion on resource
Policies[edit]
Related[edit]
- AWS policy
aws_iam_user- Terraform data source:
aws_iam_policy_document - kms:Decrypt
- ecr: ecr:BatchGetImage
- ECS execution policy
- AWS managed policy: AmazonECSTaskExecutionRolePolicy
s3:
See also[edit]
- Terraform resource:
aws_iam_policy,AmazonECSTaskExecutionRolePolicy - Terraform IAM resources:
aws_iam_user, aws_iam_group, aws_iam_role, aws_iam_role_policy_attachment,aws_iam_policy,aws_iam_role_policy, aws_iam_user_policy, aws_iam_user_policy_attachment,aws_iam_access_key, aws_iam_group_policy, aws_iam_group_policy_attachment, aws_iam_openid_connect_provider
Advertising:
