53 | > Watch demo of using Atmos with Terraform
54 | > 
55 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
56 | >
57 |
58 |
59 |
60 |
61 |
62 | ## Usage
63 |
64 | For a complete example, see [examples/complete](examples/complete).
65 |
66 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
67 | (which tests and deploys the example on AWS), see [test](test).
68 |
69 | ```hcl
70 | module "iam_policy" {
71 | source = "cloudposse/iam-policy/aws"
72 | # Cloud Posse recommends pinning every module to a specific version
73 | # version = "x.x.x"
74 |
75 | iam_policy = [{
76 | version = "2012-10-17"
77 | policy_id = "example"
78 | statements = [
79 | {
80 | sid = "ListMyBucket"
81 | effect = "Allow"
82 | actions = ["s3:ListBucket"]
83 | resources = ["arn:aws:s3:::test"]
84 | conditions = [
85 | {
86 | test = "StringLike"
87 | variable = "cloudwatch:namespace"
88 | values = ["x-*"]
89 | },
90 | ]
91 | },
92 | {
93 | sid = "WriteMyBucket"
94 | effect = "Allow"
95 | actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
96 | resources = ["arn:aws:s3:::test/*"]
97 | conditions = [
98 | {
99 | test = "StringLike"
100 | variable = "cloudwatch:namespace"
101 | values = ["x-*"]
102 | },
103 | ]
104 | }
105 | ]
106 | }]
107 |
108 | data "aws_iam_policy_document" "assume_role" {
109 | statement {
110 | actions = ["sts:AssumeRole"]
111 |
112 | principals {
113 | type = "Service"
114 | identifiers = ["ec2.amazonaws.com"]
115 | }
116 | }
117 | }
118 |
119 | resource "aws_iam_role" "example" {
120 | name = "hello_role"
121 | assume_role_policy = data.aws_iam_policy_document.assume_role.json
122 |
123 | inline_policy {
124 | name = "test_policy"
125 |
126 | policy = module.iam_policy.json
127 | }
128 | }
129 | ```
130 |
131 | > [!IMPORTANT]
132 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
133 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
134 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
135 | > approach for updating versions to avoid unexpected changes.
136 |
137 |
138 |
139 |
140 |
141 | ## Examples
142 |
143 | Here is an example of using this module:
144 | - [`examples/complete`](https://github.com/cloudposse/terraform-aws-iam-policy/) - overly basic example of using this module
145 | - [terraform-aws-helm-release](https://github.com/cloudposse/terraform-aws-helm-release) - realistic use of this module
146 |
147 |
148 |
149 |
150 |
151 | ## Requirements
152 |
153 | | Name | Version |
154 | |------|---------|
155 | | [terraform](#requirement\_terraform) | >= 1.3.0 |
156 | | [aws](#requirement\_aws) | >= 4.0 |
157 | | [http](#requirement\_http) | >= 3.0 |
158 |
159 | ## Providers
160 |
161 | | Name | Version |
162 | |------|---------|
163 | | [aws](#provider\_aws) | >= 4.0 |
164 | | [http](#provider\_http) | >= 3.0 |
165 |
166 | ## Modules
167 |
168 | | Name | Source | Version |
169 | |------|--------|---------|
170 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
171 |
172 | ## Resources
173 |
174 | | Name | Type |
175 | |------|------|
176 | | [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
177 | | [aws_iam_role_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
178 | | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
179 | | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
180 | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
181 | | [http_http.iam_source_json_url](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
182 |
183 | ## Inputs
184 |
185 | | Name | Description | Type | Default | Required |
186 | |------|-------------|------|---------|:--------:|
187 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
188 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
189 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
190 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
191 | | [description](#input\_description) | Description of created IAM policy | `string` | `null` | no |
192 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
193 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
194 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
195 | | [iam\_override\_policy\_documents](#input\_iam\_override\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document with higher precedence.
In merging, statements with non-blank SIDs will override statements with the same SID
from earlier documents in the list and from other "source" documents. | `list(string)` | `null` | no |
196 | | [iam\_policy](#input\_iam\_policy) | IAM policy as list of Terraform objects, compatible with Terraform `aws_iam_policy_document` data source
except that `source_policy_documents` and `override_policy_documents` are not included.
Use inputs `iam_source_policy_documents` and `iam_override_policy_documents` for that. | list(object({
policy_id = optional(string, null)
version = optional(string, null)
statements = list(object({
sid = optional(string, null)
effect = optional(string, null)
actions = optional(list(string), null)
not_actions = optional(list(string), null)
resources = optional(list(string), null)
not_resources = optional(list(string), null)
conditions = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
not_principals = optional(list(object({
type = string
identifiers = list(string)
})), [])
}))
})) | `[]` | no |
197 | | [iam\_policy\_enabled](#input\_iam\_policy\_enabled) | Whether to create the IAM managed policy in AWS or not.
If false without role\_names, it will output the JSON policy,
with role\_names, it will attach the inline policy. | `bool` | `false` | no |
198 | | [iam\_policy\_id](#input\_iam\_policy\_id) | Deprecated: Use `iam_policy` instead: ID for the policy document when using `iam_policy_statements`. | `string` | `null` | no |
199 | | [iam\_policy\_statements](#input\_iam\_policy\_statements) | Deprecated: Use `iam_policy` instead.
List or Map of IAM policy statements to use in the policy.
This can be used with `iam_source_policy_documents` and `iam_override_policy_documents`
and with or instead of `iam_source_json_url`. | `any` | `[]` | no |
200 | | [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | URL of the IAM policy (in JSON format) to download and use as `source_json` argument.
This is useful when using a 3rd party service that provides their own policy.
Statements in this policy will be overridden by statements with the same SID in `iam_override_policy_documents`. | `string` | `null` | no |
201 | | [iam\_source\_policy\_documents](#input\_iam\_source\_policy\_documents) | List of IAM policy documents (as JSON strings) that are merged together into the exported document.
Statements defined in `iam_source_policy_documents` must have unique SIDs and be distinct from SIDs
in `iam_policy` and deprecated `iam_policy_statements`.
Statements in these documents will be overridden by statements with the same SID in `iam_override_policy_documents`. | `list(string)` | `null` | no |
202 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
203 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
204 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
205 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
206 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
207 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
208 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
209 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
210 | | [role\_names](#input\_role\_names) | IAM role names to attach the policy to. Use iam\_policy\_enabled to toggle between managed or inline. | `list(string)` | `null` | no |
211 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
212 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
213 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
214 |
215 | ## Outputs
216 |
217 | | Name | Description |
218 | |------|-------------|
219 | | [json](#output\_json) | JSON body of the IAM policy document |
220 | | [policy\_arn](#output\_policy\_arn) | ARN of created IAM policy |
221 |
222 |
223 |
224 |
225 |
226 |
227 |
228 |
229 | ## Related Projects
230 |
231 | Check out these related projects.
232 |
233 | - [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention.
234 |
235 |
236 | ## References
237 |
238 | For additional context, refer to some of these links.
239 |
240 | - [Terraform `aws_iam_policy_document` data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) - The Terraform data source that this module wraps.
241 |
242 |
243 |
244 | > [!TIP]
245 | > #### Use Terraform Reference Architectures for AWS
246 | >
247 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
248 | >
249 | > ✅ We build it together with your team.
250 | > ✅ Your team owns everything.
251 | > ✅ 100% Open Source and backed by fanatical support.
252 | >
253 | > 
254 | > 📚 Learn More
255 | >
256 | >
257 | >
258 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-iam-policy&utm_content=commercial_support) for funded startups and enterprises.
259 | >
260 | > *Your team can operate like a pro today.*
261 | >
262 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
263 | > #### Day-0: Your Foundation for Success
264 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
265 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
266 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
267 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
268 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
269 | >
270 | >
271 | >
272 | > #### Day-2: Your Operational Mastery
273 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
274 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
275 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
276 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
277 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
278 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
279 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
280 | >
281 | >
282 | > 
294 |
295 |
296 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-iam-policy/issues).
297 |
298 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
299 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-iam-policy/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
300 | 2. **Fork** the repo on GitHub
301 | 3. **Clone** the project to your own machine
302 | 4. **Commit** changes to your own branch
303 | 5. **Push** your work back up to your fork
304 | 6. Submit a **Pull Request** so that we can review your changes
305 |
306 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
307 |
308 | ### 🌎 Slack Community
309 |
310 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-iam-policy&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
311 |
312 | ### 📰 Newsletter
313 |
314 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-iam-policy&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
315 | Dropped straight into your Inbox every week — and usually a 5-minute read.
316 |
317 | ### 📆 Office Hours 
318 |
319 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-iam-policy&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
320 | It's **FREE** for everyone!
321 | ## License
322 |
323 | 
324 |
325 |
326 | Preamble to the Apache License, Version 2.0
327 |
328 |
329 |
330 | Complete license is available in the [`LICENSE`](LICENSE) file.
331 |
332 | ```text
333 | Licensed to the Apache Software Foundation (ASF) under one
334 | or more contributor license agreements. See the NOTICE file
335 | distributed with this work for additional information
336 | regarding copyright ownership. The ASF licenses this file
337 | to you under the Apache License, Version 2.0 (the
338 | "License"); you may not use this file except in compliance
339 | with the License. You may obtain a copy of the License at
340 |
341 | https://www.apache.org/licenses/LICENSE-2.0
342 |
343 | Unless required by applicable law or agreed to in writing,
344 | software distributed under the License is distributed on an
345 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
346 | KIND, either express or implied. See the License for the
347 | specific language governing permissions and limitations
348 | under the License.
349 | ```
350 |
351 |
352 | ## Trademarks
353 |
354 | All other trademarks referenced herein are the property of their respective owners.
355 |
356 |
357 | ## Copyrights
358 |
359 | Copyright © 2021-2025 [Cloud Posse, LLC](https://cloudposse.com)
360 |
361 |
362 |
363 | 
364 |
365 | 
366 |
--------------------------------------------------------------------------------
