
Create a way to modify/merge changes into aws_iam_policy_document #2672

Closed
devonbleak opened this issue Dec 15, 2017 · 5 comments
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.

Comments

@devonbleak
Contributor

For resource-based policies, like S3 bucket policies, where you can only attach one policy to the resource, the current aws_iam_policy_document is not adequate.

Say you have a module that creates a bucket policy that does things like enforcing ACLs and server-side encryption. Now you need to add cross-account federation to the policy for one of your buckets. At the moment your option is basically to create an entirely new policy document that replicates the existing one with the only difference being adding one additional statement. For even moderate scale you're going to end up with an explosion of bucket policies that are all 90%+ duplicate code.

Being able to generate statement fragments for injection into a template or being able to add/merge statements to an existing policy document would be greatly beneficial for these resource policy use cases.

@apparentlymart apparentlymart added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 20, 2017
@apparentlymart
Contributor

Hi @devonbleak!

I think we could address this by adding a new attribute to aws_iam_policy_document called source_json that takes an already-rendered JSON policy document and merges its statements with the ones declared with inline statement blocks.

Do you think that would address your use-case here?

The Terraform team at HashiCorp won't be able to work on this in the near future due to our focus being elsewhere, but we'd be happy to review a pull request if you or someone else has the time and motivation to implement it. Alternatively, if others would also like to see this implemented I'd encourage adding a 👍 upvote reaction to the original issue comment (not to this comment), which we use as one of the inputs to prioritize work for the Terraform team.

@devonbleak
Contributor Author

That sort of inverts what I was thinking but seems like a reasonable way forward. We'd probably just need to address the case where source_json is blank to allow for sane defaults in modules for example.

Understood about the timing.

@bflad bflad added the service/iam Issues and PRs that pertain to the iam service. label Jan 24, 2018
devonbleak added a commit to devonbleak/terraform-provider-aws that referenced this issue Feb 5, 2018
@bflad bflad added this to the v1.9.0 milestone Feb 5, 2018
@bflad
Contributor

bflad commented Feb 5, 2018

Support for layering aws_iam_policy_documents via new override_json and source_json attributes has been merged into master (PR #2890) and will be released in v1.9.0 of the AWS provider, expected end of week. Happy Terraform'ing! 🎉

@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020
@YakDriver
Member

YakDriver commented Feb 10, 2021

We have merged #12055 into the Terraform AWS Provider. With this, aws_iam_policy_document provides the ability to merge multiple source and override policy documents. This is available now on the main branch and when version 3.28.0 is released (likely Feb. 11, 2021). If you have problems with the functionality or need further enhancements, please open a new issue. Thanks for your interest in the AWS Provider! 🎉

@YakDriver YakDriver self-assigned this Feb 10, 2021
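As an added example (not code from the issue, the provider, or its documentation), the following shows how the source_json layering merged in PR #2890 lets a module's baseline bucket policy be reused and extended with one extra statement instead of duplicating the whole document. The bucket name, account ID and data source names are placeholders.

```hcl
# Baseline policy a shared module would produce: refuse uploads that do not
# request server-side encryption. Bucket name is a placeholder.
data "aws_iam_policy_document" "baseline" {
  statement {
    sid     = "DenyUnencryptedObjectUploads"
    effect  = "Deny"
    actions = ["s3:PutObject"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = ["arn:aws:s3:::example-bucket/*"]
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["AES256"]
    }
  }
}

# Per-bucket policy: import the baseline and add a single cross-account
# statement. The account ID is a placeholder.
data "aws_iam_policy_document" "bucket" {
  source_json = data.aws_iam_policy_document.baseline.json

  statement {
    sid     = "AllowCrossAccountRead"
    effect  = "Allow"
    actions = ["s3:GetObject"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]
    }
    resources = ["arn:aws:s3:::example-bucket/*"]
  }
}

# Only one policy can be attached to the bucket, so attach the merged one.
resource "aws_s3_bucket_policy" "bucket" {
  bucket = "example-bucket"
  policy = data.aws_iam_policy_document.bucket.json
}
```

Statements are matched by sid when merging: an inline statement whose sid equals one in source_json replaces the imported statement, so keep the sids of enforcing statements (such as the encryption deny above) distinct from any you add, and review the rendered JSON before applying.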