Convert AWS IAM policies from JSON to Terraform HCL format instantly. This tool transforms your policies into aws_iam_policy_document data sources, making your infrastructure as code more maintainable and readable.
This converter transforms AWS IAM policy JSON into Terraform's aws_iam_policy_document data source format. Understanding the AWS IAM policy elements helps you create better Terraform configurations:
Version - Specify the version of the policy language that you want to use. We recommend that you use the latest 2012-10-17 version; policy variables such as ${aws:username} are treated as literal text under the older 2008-10-17 version. For more information, see IAM JSON policy elements: Version
Statement - Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
Sid - Include an optional statement ID to differentiate between your statements.
Effect - Use Allow or Deny to indicate whether the policy allows or denies access. An explicit Deny always overrides any Allow.
Principal - If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role. A Principal of "*" includes anonymous, unauthenticated callers.
Action - Include a list of actions that the policy allows or denies.
Resource - If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, it depends on the resource you're using as to whether this element is required or not.
Condition - Specify the circumstances under which the policy grants permission.
AWS IAM policies support pattern matching through glob-style wildcards in the Action, NotAction, Resource and NotResource elements. Only two wildcards exist; regular expressions and character classes are not supported:
* - Matches any combination of characters (zero or more), including : and /
? - Matches exactly one character
${...} - Policy variable substitution (e.g., ${aws:username}), resolved from the request context when the policy is evaluated. Variables are valid in the Resource element and in string comparisons in Condition, and require Version 2012-10-17. If the variable is absent from the request context, the statement does not match. ${*}, ${?} and ${$} produce the literal characters.
arn:aws:s3:::my-bucket/* matches all objects in the bucket, but not the bucket ARN itself (arn:aws:s3:::my-bucket), which bucket-level actions such as s3:ListBucket require.
Action names are matched case-insensitively, and a wildcard can appear anywhere in the action string:
service:* - All actions in a service (e.g., s3:*)
service:action* - Actions with a prefix (e.g., iam:Get*)
service:*action - Actions with a suffix
iam:*Role* matches CreateRole, DeleteRole, and also PassRole, AttachRolePolicy and ListRoles; a wildcard chosen for a few actions commonly covers far more than intended, so expand it against the service's action list before granting it.
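The matching rules above, as an added example written for this page (not code from the tool or from AWS): a small Python matcher that implements the two IAM wildcards for action names and resource ARNs, resolves ${...} policy variables from a request context, and expands a wildcard against a constructed list of IAM actions to show how broad it really is. The candidate action list and the context values are constructed for illustration; treating substituted variable values as literal text and ARNs as case-sensitive are assumptions of this example.

```python
"""Added example: how IAM wildcards and policy variables match actions and ARNs.
Not code from the page or from AWS; written to show the rules described above."""
import re

_VAR = re.compile(r"\$\{([^}]*)\}")  # ${aws:username}, ${*}, ${?}, ${$}


def _wild(segment):
    """Escape a literal segment, then re-enable the two IAM wildcards."""
    return re.escape(segment).replace(r"\*", ".*").replace(r"\?", ".")


def action_pattern(pattern):
    # Action names are matched case-insensitively; no regex, no character classes.
    return re.compile("^" + _wild(pattern) + "$", re.IGNORECASE)


def action_matches(pattern, action):
    return action_pattern(pattern).fullmatch(action) is not None


def expand(pattern, candidates):
    """Which candidate actions a wildcard actually covers (shows how broad it is)."""
    return [a for a in candidates if action_matches(pattern, a)]


def resource_pattern(pattern, context):
    """Resolve ${...} policy variables from the request context, then build the matcher.
    Returns None when a variable is missing from the context: the statement cannot match."""
    out, pos = [], 0
    for m in _VAR.finditer(pattern):
        out.append(_wild(pattern[pos:m.start()]))
        key = m.group(1)
        if key in ("*", "?", "$"):           # escape forms yield the literal character
            out.append(re.escape(key))
        elif key in context:                 # assumption: substituted values are literal
            out.append(re.escape(context[key]))
        else:
            return None
        pos = m.end()
    out.append(_wild(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")  # assumption: ARNs are case-sensitive


def resource_matches(pattern, arn, context=None):
    regex = resource_pattern(pattern, context or {})
    return regex is not None and regex.fullmatch(arn) is not None


# Constructed sample input: a handful of IAM actions to expand wildcards against.
SAMPLE_IAM_ACTIONS = ["iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy",
                      "iam:PassRole", "iam:GetRole", "iam:ListRoles", "iam:CreateUser"]

if __name__ == "__main__":
    print("iam:*Role* covers:", expand("iam:*Role*", SAMPLE_IAM_ACTIONS))  # 6 of 7 actions
    print("iam:Get* covers:", expand("iam:Get*", SAMPLE_IAM_ACTIONS))      # ['iam:GetRole']
    print(resource_matches("arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"))  # False
    print(resource_matches("arn:aws:s3:::my-bucket/home/${aws:username}/*",
                           "arn:aws:s3:::my-bucket/home/alice/report.csv",
                           {"aws:username": "alice"}))  # True
```

Running expand() against the full action list of a service (the SDK's service model or the IAM console's action table) before committing a wildcard is the practical check: iam:*Role* granting iam:PassRole is a classic privilege-escalation path that the pattern hides.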
When converting to Terraform HCL, your JSON policy becomes a structured aws_iam_policy_document data source with the following top-level fields:
policy_id (Optional) - An ID for the policy document (the JSON Id element)
source_policy_documents (Optional) - List of IAM policy documents whose statements are merged into this one. Non-blank statement IDs must be unique across the merged documents; current AWS provider versions reject duplicates
override_policy_documents (Optional) - List of IAM policy documents whose statements replace, by matching sid, any statement from source_policy_documents or from this document's own statement blocks. Review the rendered json attribute after using this: an override silently drops the statement it replaces
version (Optional) - IAM policy version (2008-10-17 or 2012-10-17; use 2012-10-17)
statement (Optional, repeatable) - One block per policy statement; its arguments are described next
Each statement block accepts the following arguments, all optional:
actions - List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"]
effect - Whether this statement allows or denies the given actions. Valid values are Allow and Deny; defaults to Allow
not_actions - List of actions that this statement does not apply to. A statement uses actions or not_actions, never both. With effect Allow this grants every action except those listed, including actions AWS introduces later, so prefer it with Deny
resources - List of resource ARNs. Required by AWS for identity-based (IAM) policies. Conflicts with not_resources
not_resources - List of resource ARNs that this statement does not apply to. Conflicts with resources, and with Allow carries the same over-grant risk as not_actions
principals - Configuration block for principals. Detailed below. Only valid in resource-based policies
not_principals - Principals that the statement does not apply to. Same block shape as principals
sid - Statement ID to identify the policy statement
condition - Configuration block for a condition. Repeatable; detailed below
Each principals or not_principals block requires:
type (Required) - Type of principal. Valid values are AWS, Service, Federated, CanonicalUser and *
identifiers (Required) - List of principal identifiers: account IDs or ARNs for AWS, service principals such as ec2.amazonaws.com for Service, an identity provider (for example a SAML provider ARN) for Federated, or * for everyone. type = "*" or type = "AWS" with identifiers = ["*"] makes a resource-based policy reachable by anonymous callers; pair it with a restrictive condition block or use effect = "Deny"
Each condition block evaluates one operator against one context key. Multiple condition blocks in a statement use "AND" operation: all must be true. The following arguments are required:
test - Name of the IAM condition operator to evaluate, for example StringEquals, StringLike, ArnLike, Bool or IpAddress. Prefix it with ForAllValues: or ForAnyValue: when the context key is multivalued
variable - Context variable name (aws: prefix for global AWS keys, service-specific prefix such as s3: or ec2: for others)
values - Values to evaluate against, as strings. Multiple values for a single-valued key use "OR" operation: any one match satisfies the block
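The element-to-argument mapping described in the sections above, carried through as an added example written for this page (not the page's own converter): a Python script that walks an IAM policy JSON document and emits the corresponding aws_iam_policy_document data source. It normalizes the string-or-list forms IAM allows, expands the "Principal": "*" shorthand, and turns the nested Condition object into one condition block per operator and key. The bucket policy at the bottom is a constructed sample; the account ID and bucket name in it are placeholders.

```python
"""Added example (not the page's converter): walk an IAM policy JSON document
and emit the matching aws_iam_policy_document data source."""
import json


def _as_list(value):
    """IAM JSON lets most elements be a single string or a list of strings."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _hcl_list(items):
    """Render a list as HCL; bools/numbers (legal in Condition values) become strings."""
    return "[" + ", ".join(json.dumps(i if isinstance(i, str) else json.dumps(i))
                           for i in items) + "]"


# (IAM JSON element, statement argument) pairs for the list-valued elements.
_LIST_ELEMENTS = [("Action", "actions"), ("NotAction", "not_actions"),
                  ("Resource", "resources"), ("NotResource", "not_resources")]
_PRINCIPAL_ELEMENTS = [("Principal", "principals"), ("NotPrincipal", "not_principals")]


def _principal_blocks(label, principal):
    # "Principal": "*" is IAM shorthand for the anonymous principal; the provider
    # writes it as type "*" with identifiers ["*"]. Otherwise the value is a map
    # of principal type (AWS, Service, Federated, CanonicalUser) to id or list.
    if principal == "*":
        principal = {"*": "*"}
    lines = []
    for ptype, ids in principal.items():
        lines += [f"    {label} {{",
                  f"      type        = {json.dumps(ptype)}",
                  f"      identifiers = {_hcl_list(_as_list(ids))}",
                  "    }"]
    return lines


def _condition_blocks(condition):
    # JSON nests operator -> context key -> value(s); HCL wants one
    # condition block per (operator, key) pair.
    lines = []
    for test, keys in condition.items():
        for variable, values in keys.items():
            lines += ["    condition {",
                      f"      test     = {json.dumps(test)}",
                      f"      variable = {json.dumps(variable)}",
                      f"      values   = {_hcl_list(_as_list(values))}",
                      "    }"]
    return lines


def _statement_block(stmt):
    lines = ["  statement {"]
    if "Sid" in stmt:
        lines.append(f'    sid    = {json.dumps(stmt["Sid"])}')
    lines.append(f'    effect = {json.dumps(stmt["Effect"])}')  # Effect is mandatory in IAM
    for element, arg in _LIST_ELEMENTS:
        if element in stmt:
            lines.append(f"    {arg} = {_hcl_list(_as_list(stmt[element]))}")
    for element, label in _PRINCIPAL_ELEMENTS:
        if element in stmt:
            lines += _principal_blocks(label, stmt[element])
    if "Condition" in stmt:
        lines += _condition_blocks(stmt["Condition"])
    lines.append("  }")
    return lines


def policy_to_hcl(policy, name="this"):
    """Render a parsed IAM policy (dict) as an aws_iam_policy_document data source."""
    lines = [f'data "aws_iam_policy_document" "{name}" {{']
    if "Version" in policy:
        lines.append(f'  version   = {json.dumps(policy["Version"])}')
    if "Id" in policy:
        lines.append(f'  policy_id = {json.dumps(policy["Id"])}')
    for stmt in _as_list(policy["Statement"]):  # Statement may be one object or a list
        lines.append("")
        lines += _statement_block(stmt)
    lines.append("}")
    return "\n".join(lines) + "\n"


def convert(policy_json, name="this"):
    """Entry point: IAM policy JSON text in, HCL text out."""
    return policy_to_hcl(json.loads(policy_json), name)


# Constructed sample: a bucket policy with a cross-account read Allow and a
# TLS-enforcing Deny, covering both Principal forms, scalar/list values and Condition.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17", "Id": "ExampleBucketPolicy",
  "Statement": [
    {"Sid": "AllowReadFromAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}"""

if __name__ == "__main__":
    print(convert(SAMPLE_POLICY_JSON, "bucket"))
```

The generated block is consumed through its json attribute, for example policy = data.aws_iam_policy_document.bucket.json on an aws_s3_bucket_policy resource. Run terraform fmt on the output for canonical alignment, and diff the rendered json against the original document with terraform console or a plan: the data source normalizes some forms (single-element lists, principal shorthand), and the review should confirm that the effective permissions, not just the text, are unchanged.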