AWS IAM Policy to Terraform HCL Converter

Transform your AWS IAM policies into elegant Terraform HCL with precision and ease. Perfect for modern infrastructure as code workflows.

The converter takes an AWS IAM policy (JSON) as input and produces two outputs: Policy Document HCL and Resource HCL.

AWS IAM policies define permissions through the following elements:

  • Version

    Specify the version of the policy language that you want to use. We recommend that you use the latest 2012-10-17 version. Policy variables such as ${aws:username} are only supported with 2012-10-17; under 2008-10-17 they are treated as literal text. For more information, see IAM JSON policy elements: Version

  • Statement

    Use this main policy element as a container for the following elements. You can include more than one statement in a policy.

  • Sid (Optional)

    Include an optional statement ID to differentiate between your statements.

  • Effect

    Use Allow or Deny to indicate whether the policy allows or denies access.

  • Principal (Required in some circumstances)

    If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.

  • Action

    Include a list of actions that the policy allows or denies.

  • Resource (Required in some circumstances)

    If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, it depends on the resource you're using as to whether this element is required or not.

  • Condition (Optional)

    Specify the circumstances under which the statement applies. The condition gates both Allow and Deny statements.

Pattern Matching in AWS Policies

AWS IAM policies support pattern matching through glob-style wildcards only. There is no regular-expression syntax: characters such as ., (, ) and + are literals.

Resource Patterns:
  • * - Matches any run of characters, including none; it is not stopped by the / inside an S3 object key, so one * covers nested prefixes
  • ? - Matches exactly one character
  • ${...} - Policy variable substitution (e.g., ${aws:username}), resolved at evaluation time; requires Version 2012-10-17
  • Example: arn:aws:s3:::my-bucket/* matches every object in the bucket, but not the bucket ARN arn:aws:s3:::my-bucket itself, which is what s3:ListBucket needs. Conversely, arn:aws:s3:::my-bucket* also matches a bucket named my-bucket-backup.
Action Patterns (action names are matched case-insensitively):
  • service:* - All actions in a service (e.g., s3:*)
  • service:action* - Actions with prefix (e.g., iam:Get*)
  • service:*action - Actions with suffix
  • Example: iam:*Role* matches CreateRole, DeleteRole, etc., but also iam:PassRole and iam:UpdateAssumeRolePolicy, so expand a wildcard against the service's full action list before granting it.
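The following is an added example, not code from the converter on this page: a matcher that applies IAM's two wildcards (* and ?) to action names and resource ARNs, and expands an Action list against a (constructed) list of real IAM and S3 action names so the true scope of a wildcard is visible. The case-sensitive treatment of ARNs is an assumption made for safety; action names are compared case-insensitively as IAM does.

```python
"""IAM wildcard matching for Action and Resource strings.

Added example, not code from the converter on this page. KNOWN_ACTIONS and the
ARNs used below are constructed for the demonstration.
"""
import re
from functools import lru_cache


@lru_cache(maxsize=None)
def _compile_iam_pattern(pattern: str) -> re.Pattern:
    # IAM knows exactly two wildcards: '*' (any run of characters, including
    # none; it is not stopped by '/' in an S3 key) and '?' (exactly one
    # character). Every other character is a literal, so regex metacharacters
    # such as '.' or '(' are escaped, never interpreted.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def action_matches(pattern: str, action: str) -> bool:
    """IAM compares action names case-insensitively."""
    return _compile_iam_pattern(pattern.lower()).fullmatch(action.lower()) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    """ARNs are compared case-sensitively here (assumption: the safe reading;
    S3 object keys certainly are case-sensitive)."""
    return _compile_iam_pattern(pattern).fullmatch(arn) is not None


def expand_actions(patterns, known_actions):
    """Return every known action that at least one pattern in an Action list grants.

    This is the check to run before approving a wildcard: the grant is the
    expansion, not the pattern as written.
    """
    return sorted(a for a in known_actions if any(action_matches(p, a) for p in patterns))


# Constructed sample: a small subset of real IAM and S3 action names.
KNOWN_ACTIONS = [
    "iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
    "iam:GetUser", "iam:ListRoles", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
    "s3:GetObject", "s3:ListBucket",
]

if __name__ == "__main__":
    # iam:*Role* reads like "role CRUD" but also grants PassRole and
    # UpdateAssumeRolePolicy, both privilege-escalation primitives.
    print(expand_actions(["iam:*Role*"], KNOWN_ACTIONS))
    print(expand_actions(["iam:Get*"], KNOWN_ACTIONS))
    # The object wildcard does not cover the bucket ARN that s3:ListBucket
    # needs, and a bare trailing '*' also matches sibling buckets.
    print(resource_matches("arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"))
    print(resource_matches("arn:aws:s3:::my-bucket*", "arn:aws:s3:::my-bucket-backup/secret.txt"))
```

expand_actions is the review step: feed it the patterns from a statement's Action list and the service's action list, and read the result rather than the pattern.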

Terraform aws_iam_policy_document Fields

Top-level Arguments
  • policy_id (Optional) - An ID for the policy document (the Id element of the JSON policy)
  • source_policy_documents (Optional) - List of IAM policy documents (JSON) merged into the exported document; statements in these documents must have unique Sids
  • override_policy_documents (Optional) - List of IAM policy documents merged in last; a statement with a non-blank Sid replaces any earlier statement with the same Sid, and statements without a matching Sid are appended
  • version (Optional) - IAM policy version (2008-10-17 or 2012-10-17). Defaults to 2012-10-17
Statement Arguments

The following arguments are optional as far as Terraform is concerned, although AWS rejects an identity-based policy statement that has neither resources nor not_resources:

  • actions - List of actions that this statement allows or denies. For example, ["ec2:RunInstances", "s3:*"]. A statement uses either actions or not_actions, never both
  • condition - Configuration block for a condition that must hold for the statement to apply. Detailed below
  • effect - Whether this statement allows or denies the given actions. Valid values are Allow and Deny; defaults to Allow
  • not_actions - List of actions that this statement does not apply to
  • resources - List of resource ARNs the statement applies to. Required by AWS for an identity-based (IAM) policy. Conflicts with not_resources
  • not_resources - List of resource ARNs that this statement does not apply to. Conflicts with resources
  • principals - Configuration block for principals (resource-based policies only; an identity-based policy cannot carry one). Detailed below
  • not_principals - Configuration block for principals that the statement does not apply to
  • sid - Statement ID to identify the policy statement; must be unique across documents merged via source_policy_documents
Principal Arguments

Required configuration for principal blocks:

  • type (Required) - Type of principal. Valid values are AWS, Service, Federated, CanonicalUser and *
  • identifiers (Required) - List of principal identifiers: IAM ARNs or account IDs for AWS, service principals such as lambda.amazonaws.com for Service, identity-provider names or SAML provider ARNs for Federated
Condition Block

Each condition block pairs one condition operator with one context key. Multiple condition blocks in a statement are combined with "AND" (all must be true). The following arguments are required:

  • test - Name of the IAM condition operator to evaluate (e.g. StringEquals, Bool, ArnLike)
  • variable - Context key to test (aws: prefix for global keys, a service prefix such as s3: for service-specific keys)
  • values - Values to evaluate against. Multiple values within one block are combined with "OR"
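The converter behind this page is not shown. As an added example, not the page's own code, here is a small Python converter that implements the mapping documented above: the IAM JSON elements listed earlier (Version, Id, Sid, Effect, Action/NotAction, Resource/NotResource, Principal/NotPrincipal, Condition) onto the aws_iam_policy_document arguments, principal blocks and condition blocks. It emits only the data-source block (the page's Policy Document HCL), not an aws_iam_policy resource. SAMPLE_POLICY is constructed for the demonstration. The one rule a naive converter misses is that ${...} inside an HCL string is Terraform interpolation, so IAM policy variables such as ${aws:username} must be written as $${aws:username}.

```python
"""Convert an AWS IAM policy (JSON) into an aws_iam_policy_document HCL block.

Added example; not the converter behind this page. SAMPLE_POLICY is constructed.
"""
import json


def _as_list(value):
    """IAM allows a string or a list for most elements; HCL always wants a list."""
    return value if isinstance(value, list) else [value]


def _hcl_str(value: str) -> str:
    # HCL treats ${...} and %{...} inside a string as interpolation, so an IAM
    # policy variable such as ${aws:username} must be escaped as $${aws:username}
    # or Terraform will try (and fail) to evaluate it.
    return json.dumps(value.replace("${", "$${").replace("%{", "%%{"))


def _hcl_list(values) -> str:
    return "[" + ", ".join(_hcl_str(v) for v in _as_list(values)) + "]"


def _principal_blocks(principal, block_name: str):
    # "Principal": "*" maps to type "*"; {"AWS": "*"} maps to type "AWS".
    # Terraform renders these two differently, matching the IAM JSON.
    if principal == "*":
        principal = {"*": "*"}
    lines = []
    for ptype, identifiers in principal.items():
        lines += [
            f"    {block_name} {{",
            f"      type        = {_hcl_str(ptype)}",
            f"      identifiers = {_hcl_list(identifiers)}",
            "    }",
        ]
    return lines


def _condition_blocks(condition):
    # One HCL condition block per (operator, context key) pair. Values inside a
    # block are OR-ed and separate blocks are AND-ed, exactly as in IAM JSON.
    lines = []
    for test, keys in condition.items():
        for variable, values in keys.items():
            lines += [
                "    condition {",
                f"      test     = {_hcl_str(test)}",
                f"      variable = {_hcl_str(variable)}",
                f"      values   = {_hcl_list(values)}",
                "    }",
            ]
    return lines


ELEMENT_TO_ARGUMENT = (
    ("Action", "actions"),
    ("NotAction", "not_actions"),
    ("Resource", "resources"),
    ("NotResource", "not_resources"),
)


def policy_to_hcl(policy_json: str, name: str = "this") -> str:
    """Return a data "aws_iam_policy_document" block for the given policy JSON."""
    policy = json.loads(policy_json)
    out = [f'data "aws_iam_policy_document" "{name}" {{']
    if "Version" in policy:
        out.append(f"  version   = {_hcl_str(policy['Version'])}")
    if "Id" in policy:
        out.append(f"  policy_id = {_hcl_str(policy['Id'])}")
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {stmt.get('Sid', '?')}: Effect must be Allow or Deny")
        out += ["", "  statement {"]
        if "Sid" in stmt:
            out.append(f"    sid    = {_hcl_str(stmt['Sid'])}")
        out.append(f"    effect = {_hcl_str(stmt['Effect'])}")
        for element, argument in ELEMENT_TO_ARGUMENT:
            if element in stmt:
                out.append(f"    {argument} = {_hcl_list(stmt[element])}")
        if "Principal" in stmt:
            out += _principal_blocks(stmt["Principal"], "principals")
        if "NotPrincipal" in stmt:
            out += _principal_blocks(stmt["NotPrincipal"], "not_principals")
        if "Condition" in stmt:
            out += _condition_blocks(stmt["Condition"])
        out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


# Constructed sample policy: per-user S3 home prefixes plus a deny on
# unencrypted transport. Not taken from the page.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Sid": "ReadWriteOwnPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print(policy_to_hcl(SAMPLE_POLICY, "user_home"))
```

Run the file to print the generated block; feed the result to terraform fmt and compare data.aws_iam_policy_document.user_home.json against the original JSON to confirm the round trip before relying on it.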
