Create a way to modify/merge changes into aws_iam_policy_document #2672
Comments
Hi @devonbleak! I think we could address this by adding a new attribute to Do you think that would address your use-case here? The Terraform team at HashiCorp won't be able to work on this in the near future due to our focus being elsewhere, but we'd be happy to review a pull request if you or someone else has the time and motivation to implement it. Alternatively, if others would also like to see this implemented I'd encourage adding a 👍 upvote reaction to the original issue comment (not to this comment), which we use as one of the inputs to prioritize work for the Terraform team.
That sort of inverts what I was thinking but seems like a reasonable way forward. We'd probably just need to address the case where Understood about the timing.
Support for layering
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
We have merged #12055 into the Terraform AWS Provider. With this,
For resource-based policies, like S3 bucket policies, where you can only attach one policy to the resource, the current aws_iam_policy_document is not adequate.
Say you have a module that creates a bucket policy that does things like enforcing ACLs and server-side encryption. Now you need to add cross-account federation to the policy for one of your buckets. At the moment, your option is basically to create an entirely new policy document that replicates the existing one, with the only difference being one additional statement. For even moderate scale, you're going to end up with an explosion of bucket policies that are all 90%+ duplicate code.
Being able to generate statement fragments for injection into a template, or being able to add/merge statements to an existing policy document, would be greatly beneficial for these resource policy use cases.
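As an added example (written for this page; not code from this issue, the Terraform AWS provider, or #12055), the Python below models the layering the issue asks for: a module's base bucket policy is reused unchanged and a per-bucket fragment is merged in by Sid, so the shared statements are never copied. The merge rule is an assumption made for the example: a later statement with the same non-empty Sid replaces the earlier one in place, and every other statement is appended. The bucket name, account ID and KMS key ARN are placeholders. It also shows the check worth running before attaching the result: naively concatenating the same inputs leaves a duplicate Sid, which IAM requires to be unique within a policy.

```python
import copy
import json

# Constructed sample inputs (placeholders, not taken from the issue).
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Base policy such as a shared module might emit: encryption and TLS enforcement.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# What one bucket additionally needs: a cross-account read grant, plus a
# tightened replacement for an existing Sid (pin uploads to one KMS key).
PER_BUCKET_FRAGMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id":
                 "arn:aws:kms:us-east-1:123456789012:key/example-key-id"}}},
    ],
}


def _statements(doc):
    """Normalise Statement, which IAM allows to be a single object or a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def merge_policy_documents(*docs):
    """Layer documents left to right by Sid (rule assumed for this example).

    A statement whose non-empty Sid matches an earlier one replaces it in
    place; any other statement (new Sid or no Sid) is appended. Inputs are
    deep-copied, never mutated.
    """
    merged, position = [], {}  # position: Sid -> index in merged
    for doc in docs:
        for stmt in _statements(doc):
            stmt = copy.deepcopy(stmt)
            sid = stmt.get("Sid")
            if sid and sid in position:
                merged[position[sid]] = stmt
                continue
            if sid:
                position[sid] = len(merged)
            merged.append(stmt)
    return {"Version": "2012-10-17", "Statement": merged}


def concatenate_policy_documents(*docs):
    """The naive alternative: append every statement. Kept to show its failure mode."""
    stmts = [copy.deepcopy(s) for d in docs for s in _statements(d)]
    return {"Version": "2012-10-17", "Statement": stmts}


def duplicate_sids(doc):
    """Sids occurring more than once; IAM requires Sid to be unique within a policy."""
    seen, dups = set(), []
    for stmt in _statements(doc):
        sid = stmt.get("Sid")
        if sid and sid in seen and sid not in dups:
            dups.append(sid)
        if sid:
            seen.add(sid)
    return dups


if __name__ == "__main__":
    doc = merge_policy_documents(BASE_POLICY, PER_BUCKET_FRAGMENT)
    assert not duplicate_sids(doc), duplicate_sids(doc)
    print(json.dumps(doc, indent=2))
```

Because the replacement keeps the original statement's position, the merged document reads in the same order as the base policy with the per-bucket additions at the end, which keeps plan diffs small when the base module changes.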