Compose aws_iam_policy_document with individual statements from other aws_iam_policy_documents #11308
Closed
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Due to the limitation of attaching 10 policies to an iam_role, we often have to construct large aws_iam_policy_documents with multiple statement blocks. The issue with this is that if we have a statement block that we'd like to use for multiple roles, we'd like to follow DRY principles and define it once and compose it into both aws_iam_policy_documents.
New or Affected Resource(s)
- aws_iam_policy_document
Potential Terraform Configuration
data "aws_iam_policy_document" "re_usable_statement_1" {
  statement {
    actions   = [...]
    resources = [...]
  }
}

data "aws_iam_policy_document" "re_usable_statement_2" {
  statement {
    actions   = [...]
    resources = [...]
  }
}

# Proposed syntax: pull statement blocks in by reference from other documents
data "aws_iam_policy_document" "foo_policies" {
  statement = data.aws_iam_policy_document.re_usable_statement_1.statement
  statement = data.aws_iam_policy_document.re_usable_statement_2.statement
  # Alternatively statements = [ data.aws_iam_policy_document.re_usable_statement_1.statement, ... ]
}

data "aws_iam_policy_document" "bar_policies" {
  statement = data.aws_iam_policy_document.re_usable_statement_1.statement
}

resource "aws_iam_policy" "foo_policy" {
  policy = data.aws_iam_policy_document.foo_policies.json
  name   = "FooPolicy"
}

resource "aws_iam_policy" "bar_policy" {
  policy = data.aws_iam_policy_document.bar_policies.json
  name   = "BarPolicy"
}
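As an added example (editor's code, not part of the issue or the provider's documentation): the composition the issue asks for can be expressed today with the data source's `source_policy_documents` argument, which takes the rendered JSON of other `aws_iam_policy_document` data sources and merges their statements into the exported document. Each shared statement is given a unique, non-blank `sid` so the merged policy is readable and reviewable, and each statement is scoped to specific resources rather than `"*"`. Resource names, ARNs, account ID, region and actions are assumed placeholders.

```hcl
# Added example: composing one policy document from reusable statement
# documents with source_policy_documents. All ARNs, names and the account
# ID are placeholders, not values from the issue.

data "aws_iam_policy_document" "read_config_bucket" {
  statement {
    sid     = "ReadConfigBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-config-bucket",
      "arn:aws:s3:::example-config-bucket/*",
    ]
  }
}

data "aws_iam_policy_document" "write_app_logs" {
  statement {
    sid       = "WriteAppLogs"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:us-east-1:111122223333:log-group:/app/example:*"]
  }
}

# foo gets both shared statements plus one statement of its own.
data "aws_iam_policy_document" "foo_policies" {
  source_policy_documents = [
    data.aws_iam_policy_document.read_config_bucket.json,
    data.aws_iam_policy_document.write_app_logs.json,
  ]

  statement {
    sid       = "ReadFooSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:us-east-1:111122223333:secret:foo/*"]
  }
}

# bar only needs the bucket read; the shared statement is defined once above.
data "aws_iam_policy_document" "bar_policies" {
  source_policy_documents = [data.aws_iam_policy_document.read_config_bucket.json]
}

resource "aws_iam_policy" "foo_policy" {
  name   = "FooPolicy"
  policy = data.aws_iam_policy_document.foo_policies.json
}

resource "aws_iam_policy" "bar_policy" {
  name   = "BarPolicy"
  policy = data.aws_iam_policy_document.bar_policies.json
}
```

Two practical checks when merging documents this way: keep `sid` values unique across everything fed into one document, because the data source treats a statement with a non-blank `sid` as overriding an earlier statement with the same `sid` (the `override_policy_documents` argument exists for cases where that override is wanted), and watch the managed-policy size limit, since folding many statements into one policy to stay under the per-role attachment quota can instead run into the 6,144-character limit on a single managed policy document. Running `terraform plan` and inspecting the rendered `json` output before applying is the cheapest way to confirm the merged policy grants only what each role needs.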