How can this S3 bucket IAM policy, which has multiple conditions, be rewritten as an aws_iam_policy_document data block, please?
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control",
    "aws:SourceAccount": "xxxxxxxxxxxx"
  },
  "ArnLike": {
    "aws:SourceArn": "arn:aws:s3:::my-tf-test-bucket"
  }
}
With the aws_iam_policy_document condition data block syntax:

condition {
  test     = "StringEquals"
  values   = []
  variable = ""
}
Data Source: aws_iam_policy_document. Generates an IAM policy document in JSON format. This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with resources which expect policy documents, such as the aws_iam_policy resource.
The aws_iam_policy_document supports nested condition directives. The following Terraform configuration should help:
data "aws_iam_policy_document" "iam_policy_document" {
  statement {
    # condition blocks are only valid inside a statement block. The
    # statement's effect, actions, resources and principals are not shown
    # in the question and belong here as well.

    # Several condition blocks in one statement are ANDed, exactly like the
    # operator/key pairs of the JSON "Condition" element; the values of a
    # single block are ORed.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["xxxxxxxxxxxx"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:s3:::my-tf-test-bucket"]
    }
  }
}
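The mapping the answer applies by hand is mechanical: each (operator, context key) pair of the JSON Condition element becomes one condition block with test = operator, variable = key and values = the allowed values, and all blocks in the same statement are ANDed while the values of one block are ORed. The script below is an added example, not code from the question, the answer or the Terraform provider; it converts any Condition element to the condition block syntax, including keys whose value is a list rather than a single string, and flags whether the policy carries an aws:SourceAccount or aws:SourceArn key (the pair that guards a bucket policy against a confused-deputy caller). The embedded JSON is constructed to match the question; the function and variable names are this example's own.

```python
"""Convert the "Condition" element of an IAM policy statement into
aws_iam_policy_document "condition" blocks (added example, not from the
original question or answer)."""
import json
from typing import Dict, List, Union

ConditionValue = Union[str, List[str]]
Condition = Dict[str, Dict[str, ConditionValue]]

# Constructed sample: the Condition element from the question, as JSON text.
SAMPLE_CONDITION_JSON = """
{
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control",
    "aws:SourceAccount": "xxxxxxxxxxxx"
  },
  "ArnLike": {
    "aws:SourceArn": "arn:aws:s3:::my-tf-test-bucket"
  }
}
"""


def load_condition(text: str) -> Condition:
    """Parse the JSON text of a Condition element (key order is preserved)."""
    return json.loads(text)


def condition_blocks(condition: Condition) -> List[Dict[str, object]]:
    """Flatten a Condition element into one (test, variable, values) triple
    per operator/key pair. IAM ANDs operators and keys together and ORs the
    values of a single key, which is the semantics of multiple condition
    blocks inside one aws_iam_policy_document statement."""
    blocks: List[Dict[str, object]] = []
    for operator, keys in condition.items():
        for key, value in keys.items():
            # A key may carry one string or a list of strings in JSON;
            # the HCL "values" attribute is always a list.
            values = [value] if isinstance(value, str) else list(value)
            blocks.append({"test": operator, "variable": key, "values": values})
    return blocks


def hcl_quote(s: str) -> str:
    """Quote a string for an HCL attribute value."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_hcl(condition: Condition, indent: str = "    ") -> str:
    """Render the condition blocks as HCL text ready to paste into a
    statement block of an aws_iam_policy_document data source."""
    lines: List[str] = []
    for block in condition_blocks(condition):
        vals = ", ".join(hcl_quote(v) for v in block["values"])
        lines.append(f"{indent}condition {{")
        lines.append(f"{indent}  test     = {hcl_quote(block['test'])}")
        lines.append(f"{indent}  variable = {hcl_quote(block['variable'])}")
        lines.append(f"{indent}  values   = [{vals}]")
        lines.append(f"{indent}}}")
    return "\n".join(lines)


def has_confused_deputy_guard(condition: Condition) -> bool:
    """True if the policy restricts the calling account or source resource,
    the usual guard against a confused-deputy call through an AWS service."""
    keys = {key for keys in condition.values() for key in keys}
    return "aws:SourceAccount" in keys or "aws:SourceArn" in keys


if __name__ == "__main__":
    sample = load_condition(SAMPLE_CONDITION_JSON)
    print(to_hcl(sample))
    print("confused-deputy guard present:", has_confused_deputy_guard(sample))
```

Run it as-is to print the three condition blocks for the question's policy; feed it any other statement's Condition element to get the matching HCL. It only converts the Condition element, so the statement's effect, actions, resources and principals still have to be written by hand.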