Allow aws_iam_policy_document to merge on a per statement level #11942

Closed
shadycuz opened this issue Feb 6, 2020 · 3 comments
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.
Comments

@shadycuz
Contributor

shadycuz commented Feb 6, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

aws_iam_policy_document allows you to combine policies with the source_json attribute and to replace statements with the override_json attribute. One feature that could really open up the possibilities is the ability to merge together two statements with the same sid. This would allow you to create a "template" aws_iam_policy_document and then re-use that over and over again to create your IAM policies. A simple example is included below.

New or Affected Resource(s)

  • aws_iam_policy_document

Potential Terraform Configuration

data "aws_iam_policy_document" "cloudwatch_logs" {
  statement {
    sid = "CloudWatch"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
  }
}

data "aws_iam_policy_document" "s3_rw" {
  statement {
    sid = "S3"

    actions = [
      "s3:*Object",
      "s3:ListBucket"
    ]
  }
}

data "aws_iam_policy_document" "create_identity" {

  merge_json = [
    data.aws_iam_policy_document.cloudwatch_logs.json,
    data.aws_iam_policy_document.s3_rw.json
  ]

  statement {
    sid = "CloudWatch"

    resources = [aws_cloudwatch_log_group.create_identity.arn]
  }

  statement {
    sid = "S3"

    resources = [aws_s3_bucket.identity_backup.arn]
  }

  statement {
    sid = "Cognito"

    actions = [
      "cognito-idp:SignUp"
    ]

    resources = ["*"]
  }
}

The resulting json would have a CloudWatch statement that was the combination of the CloudWatch statements from aws_iam_policy_document.cloudwatch_logs and aws_iam_policy_document.create_identity. This would allow you to reuse aws_iam_policy_document.cloudwatch_logs for any resource that needed access to create CloudWatch logs.

This is just a simple example, a more complex example would make better use of this new functionality.

References
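To make the proposed semantics concrete, the following Python model of a per-Sid statement merge is an added example; it is not code from this issue or from the Terraform AWS provider, and the ARNs in it are constructed placeholders. It merges the three documents from the proposal above: statements that share a Sid are unioned on their list-valued fields (Action, Resource), while fields that cannot be unioned without changing meaning (Effect, Principal, Condition) must agree, so an Allow template cannot be silently widened by a Deny with the same Sid, and vice versa. It also reports template statements that are still incomplete (an Action with no Resource), which is exactly the state the cloudwatch_logs template is in before it is merged.

```python
"""Added example: per-Sid merge of IAM policy documents (not provider code)."""
import json
from copy import deepcopy

# Fields whose values are sets of strings and can be unioned safely.
LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")
# Fields whose values change a statement's meaning if they differ; they must agree.
SCALAR_FIELDS = ("Effect", "Principal", "NotPrincipal", "Condition")

# Constructed placeholder ARNs standing in for the Terraform references in the issue.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:create-identity:*"
BUCKET_ARN = "arn:aws:s3:::identity-backup-placeholder"

# Constructed equivalents of the three documents in the proposed configuration.
CLOUDWATCH_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudWatch", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]}
S3_RW = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3", "Effect": "Allow", "Action": ["s3:*Object", "s3:ListBucket"]}]}
CREATE_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudWatch", "Effect": "Allow", "Resource": [LOG_GROUP_ARN]},
    {"Sid": "S3", "Effect": "Allow", "Resource": [BUCKET_ARN]},
    {"Sid": "Cognito", "Effect": "Allow", "Action": ["cognito-idp:SignUp"],
     "Resource": ["*"]}]}
# Constructed conflicting document: same Sid as the template, opposite Effect.
DENY_CLOUDWATCH = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudWatch", "Effect": "Deny", "Action": ["logs:PutLogEvents"]}]}


def _as_list(value):
    """IAM accepts a string or a list for these fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _merge_statement(base, extra):
    """Merge two statements with the same Sid; refuse if meaning would change."""
    merged = deepcopy(base)
    for field in SCALAR_FIELDS:
        if field in base and field in extra and base[field] != extra[field]:
            raise ValueError(f"Sid {base.get('Sid')!r}: conflicting {field}")
        if field in extra:
            merged[field] = deepcopy(extra[field])
    for field in LIST_FIELDS:
        if field in base or field in extra:
            union = []  # order-preserving union, no duplicates
            for item in _as_list(base.get(field)) + _as_list(extra.get(field)):
                if item not in union:
                    union.append(item)
            merged[field] = union
    return merged


def merge_policy_documents(*documents):
    """Combine documents; statements sharing a Sid are merged field by field."""
    by_sid = {}
    anonymous = []  # statements without a Sid are never merged, only appended
    for doc in documents:
        for stmt in doc.get("Statement", []):
            sid = stmt.get("Sid")
            if sid is None:
                anonymous.append(deepcopy(stmt))
            elif sid in by_sid:
                by_sid[sid] = _merge_statement(by_sid[sid], stmt)
            else:
                by_sid[sid] = deepcopy(stmt)
    return {"Version": "2012-10-17",
            "Statement": list(by_sid.values()) + anonymous}


def incomplete_sids(doc):
    """Sids of statements that grant actions but name no resources (template only)."""
    return [s.get("Sid") for s in doc.get("Statement", [])
            if ("Action" in s or "NotAction" in s)
            and "Resource" not in s and "NotResource" not in s]


def effects_conflict(*documents):
    """True when the documents cannot be merged because a shared Sid disagrees."""
    try:
        merge_policy_documents(*documents)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = merge_policy_documents(CLOUDWATCH_LOGS, S3_RW, CREATE_IDENTITY)
    print(json.dumps(result, indent=2))
    print("incomplete before merge:", incomplete_sids(CLOUDWATCH_LOGS))
    print("incomplete after merge:", incomplete_sids(result))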

@shadycuz shadycuz added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 6, 2020
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Feb 6, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 6, 2020
@YakDriver YakDriver added this to the v3.28.0 milestone Feb 10, 2021
@YakDriver YakDriver removed the needs-triage Waiting for first response or review from a maintainer. label Feb 10, 2021
@YakDriver YakDriver self-assigned this Feb 10, 2021
@YakDriver
Member

YakDriver commented Feb 10, 2021

We have merged #12055 into the Terraform AWS Provider. With this, aws_iam_policy_document provides the ability to merge multiple source and override policy documents. This is available now on the main branch and when version 3.28.0 is released (likely Feb. 11, 2021). If you have problems with the functionality or need further enhancements, please open a new issue. Thanks for your interest in the AWS Provider! 🎉

@ghost

ghost commented Feb 12, 2021

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 13, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 13, 2021