How to Convert AWS IAM Policies to Terraform HCL

This converter transforms AWS IAM policy JSON into Terraform's aws_iam_policy_document data source format. Understanding AWS IAM policy elements helps you create better Terraform configurations:

Version
Specify the version of the policy language that you want to use. We recommend that you use the latest 2012-10-17 version. For more information, see IAM JSON policy elements: Version
Statement
Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
Sid (Optional)
Include an optional statement ID to differentiate between your statements.
Effect
Use Allow or Deny to indicate whether the policy allows or denies access.
Principal (Required in some circumstances)
If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
Action
Include a list of actions that the policy allows or denies.
Resource (Required in some circumstances)
If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, it depends on the resource you're using as to whether this element is required or not.
Condition (Optional)
Specify the circumstances under which the policy grants permission.

Pattern Matching in AWS Policies

AWS IAM policies support pattern matching through glob-style wildcards and regex-like syntax:

Resource Patterns:

* - Matches any combination of characters
? - Matches exactly one character
${...} - Variable substitution (e.g., ${aws:username})
Example: arn:aws:s3:::my-bucket/* matches all objects in the bucket

Action Patterns:

service:* - All actions in a service (e.g., s3:*)
service:action* - Actions with prefix (e.g., iam:Get*)
service:*action - Actions with suffix
Example: iam:*Role* matches CreateRole, DeleteRole, etc.

Terraform aws_iam_policy_document Reference

When converting to Terraform HCL, your JSON policy becomes a structured aws_iam_policy_document data source with the following fields:

Top-level Arguments

policy_id (Optional) - An ID for the policy document
source_policy_documents (Optional) - List of IAM policy documents that are merged together
override_policy_documents (Optional) - List of IAM policy documents that override others
version (Optional) - IAM policy version (2008-10-17 or 2012-10-17)

Statement Arguments

The following arguments are optional:

actions - List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"]
effect - Whether this statement allows or denies the given actions. Valid values are Allow and Deny
not_actions - List of actions that this statement does not apply to
resources - List of resource ARNs. Required for IAM policies. Conflicts with not_resources
not_resources - List of resource ARNs that this statement does not apply to. Conflicts with resources
principals - Configuration block for principals. Detailed below
not_principals - Principals that the statement does not apply to
sid - Statement ID to identify the policy statement

Principal Arguments

Required configuration for principal blocks:

type (Required) - Type of principal (AWS, Service, Federated, etc.)
identifiers (Required) - List of principal identifiers

Condition Block

Multiple conditions use "AND" operation - all must be true. The following arguments are required:

test - Name of the IAM condition operator to evaluate
variable - Context Variable name (aws: prefix for AWS variables, service-specific prefix for others)
values - Values to evaluate against. Multiple values use "OR" operation

AWS IAM Policy to Terraform HCL Converter

Input AWS IAM Policy (JSON)

Policy Document HCL

Resource HCL