-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
data-source/aws_iam_policy_document: Add functionality to merge multiple policy documents #12055
Conversation
@aborrello Thanks for implementing these new features. It's going to make the |
Statements without an `sid` cannot be overwritten. | ||
* `override_json_list` (Optional) - A list of IAM policy documents to import and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Open to suggestions around the documentation for this attribute. I found it quite hard to find a simple way to describe the iterative merge based on the ordering of the array...
@@ -30,6 +30,11 @@ func dataSourceAwsIamPolicyDocument() *schema.Resource { | |||
Type: schema.TypeString, | |||
Optional: true, | |||
}, | |||
"override_json_list": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was some discussion around override_json_list
or override_jsons
. I think the _list
is cleaner, but completely open for discussion.
for stmtIndex, stmt := range sourceDoc.Statements { | ||
if stmt.Sid != "" { | ||
if _, sidExists := sidMap[stmt.Sid]; sidExists { | ||
return fmt.Errorf("Found duplicate sid (%s) in source_json_list (item %d; statement %d). Either remove the sid or ensure the sid is unique across all statements.", stmt.Sid, sourceJSONIndex, stmtIndex) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is slightly different to the normal error messages. I wanted to include the json
index and statement
index for developer ease, but am open to discuss different ways to convey this information.
This feature would be really helpful in a lot of scenarios and seem requested by a lot of people. (I'm really desperate for this feature 😅) |
@aborrello Thank you for your work on this PR! I will be working on this before long. In order to expedite the process, I will likely make some changes. Make sure that you have checked the box "Allow edits from maintainers." (Don't worry though, you will receive all credit for your contribution and code!) Also, please coordinate with us before making any commits to this branch. Again, thank you for your help and we look forward to this popular addition to the AWS provider! |
We have merged #12055 in to the Terraform AWS Provider. With this, |
This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
This change causes this to happen:
To drop the |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
TL;DR
This PR introduces the two new attributes
source_json_list
andoverride_json_list
into theaws_iam_policy_document
data source. This enhancement allows for the layering and combining of IAM policy documents which is incredibly useful generating permission boundaries and reducing duplicated statements across Terraform definitions.Design
This PR models the behaviour described by @bflad in this comment on issue #5047.
source_json_list
provides a method to generate a base policy from multiple policy documents. Each non-empty SID across all statements (including statements defined in thesource_json
) must be unique, or a "Found duplicate sid" will be thrown.override_json_list
provides a method iteratively combine policy documents, performing an overwrite / merge on any duplicated SIDs.This behaviour was achieved by utilising the
IAMPolicyDoc.Merge
method. The proposed conceptual flow for generating policy documents is as follows:IAMPolicyDoc
based on the providedsource_json
. If nosource_json
was defined, create a blankIAMPolicyDoc
.source_json_list
attribute was specified, iterate over each policy and merge them. Before each individual policy is merged in, check that none of the non-blank SIDs have already been defined.statement
attributes.override_json_list
attribute was specified, iterate over each policy and merge them.override_json
document if the attribute was specified.Tests
The following tests were added to verify this new functionality:
The outputs from these tests (and all other
TestAccAWSDataSourceIAMPolicyDocument
) can be found in the "Output from acceptance testing" section of this PR.Closes the following issues:
Release note for CHANGELOG:
Output from acceptance testing: