AWS IAM Policy to Terraform HCL Converter

Convert AWS IAM policies from JSON to Terraform HCL format instantly. This tool transforms your policies into aws_iam_policy_document data sources, making your infrastructure as code more maintainable and readable.

How to Convert AWS IAM Policies to Terraform HCL

This converter transforms AWS IAM policy JSON into Terraform's aws_iam_policy_document data source format. Understanding AWS IAM policy elements helps you create better Terraform configurations:

  • Version

    Specify the version of the policy language that you want to use. We recommend that you use the latest 2012-10-17 version. For more information, see IAM JSON policy elements: Version

  • Statement

    Use this main policy element as a container for the following elements. You can include more than one statement in a policy.

  • Sid (Optional)

    Include an optional statement ID to differentiate between your statements.

  • Effect

    Use Allow or Deny to indicate whether the policy allows or denies access.

  • Principal (Required in some circumstances)

    If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.

  • Action

    Include a list of actions that the policy allows or denies.

  • Resource (Required in some circumstances)

    If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, it depends on the resource you're using as to whether this element is required or not.

  • Condition (Optional)

    Specify the circumstances under which the policy grants permission.

Pattern Matching in AWS Policies

AWS IAM policies support pattern matching through glob-style wildcards (`*` and `?`, not full regular expressions) together with policy-variable substitution:

Resource Patterns:
  • * - Matches any combination of characters
  • ? - Matches exactly one character
  • ${...} - Variable substitution (e.g., ${aws:username})
  • Example: arn:aws:s3:::my-bucket/* matches all objects in the bucket
Action Patterns:
  • service:* - All actions in a service (e.g., s3:*)
  • service:action* - Actions with prefix (e.g., iam:Get*)
  • service:*action - Actions with suffix
  • Example: iam:*Role* matches CreateRole, DeleteRole, etc.

Terraform aws_iam_policy_document Reference

When converting to Terraform HCL, your JSON policy becomes a structured aws_iam_policy_document data source with the following fields:

Top-level Arguments
  • policy_id (Optional) - An ID for the policy document
  • source_policy_documents (Optional) - List of IAM policy documents that are merged together
  • override_policy_documents (Optional) - List of IAM policy documents that override others
  • version (Optional) - IAM policy version (2008-10-17 or 2012-10-17)
Statement Arguments

The following arguments are optional:

  • actions - List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"]
  • effect - Whether this statement allows or denies the given actions. Valid values are Allow and Deny
  • not_actions - List of actions that this statement does not apply to
  • resources - List of resource ARNs. Required for IAM policies. Conflicts with not_resources
  • not_resources - List of resource ARNs that this statement does not apply to. Conflicts with resources
  • principals - Configuration block for principals. Detailed below
  • not_principals - Principals that the statement does not apply to
  • sid - Statement ID to identify the policy statement
Principal Arguments

Required configuration for principal blocks:

  • type (Required) - Type of principal (AWS, Service, Federated, etc.)
  • identifiers (Required) - List of principal identifiers
Condition Block

Multiple condition blocks in one statement are combined with AND: every block must be true for the statement to match. The following arguments are required:

  • test - Name of the IAM condition operator to evaluate (for example StringEquals or Bool)
  • variable - Context variable name (aws: prefix for global AWS variables, a service-specific prefix for others)
  • values - Values to evaluate against. Multiple values within one block are combined with OR