AWS IAM Policies with Terraform – Easy Secure Setup

Leave a Comment / Terraform / By

AWS IAM Policies with Terraform is a crucial skill for anyone managing AWS infrastructure using Infrastructure as Code (IaC). With Terraform, you can automate user permission management through policy documents—saving time, reducing errors, and enhancing security.

In this tutorial, you’ll learn how to create IAM policies in AWS using Terraform and how to attach them to IAM users effectively. Whether you’re new to Terraform or an experienced DevOps professional, this guide covers the essentials and best practices.

Why Use AWS IAM Policies with Terraform?

IAM (Identity and Access Management) policies define what actions users can take within your AWS account. Automating this process with Terraform gives you several advantages:

  • Version control: Track every change to policies.
  • Scalability: Apply consistent rules across environments.
  • Security: Reduce human error by eliminating manual IAM updates.

When you create a user in AWS, they start with no permissions. You must assign permissions through IAM policies, which are defined in JSON format.

Creating IAM Policies in Terraform

To define a policy, you’ll use the aws_iam_policy resource type provided by the AWS Terraform provider. At its core, the only required field is the actual policy document in JSON format.

Defining a Policy Inline

One approach is to embed the entire JSON policy directly into your Terraform configuration. This is done using heredoc syntax—a way to input multi-line strings.

Example:

resource "aws_iam_policy" "admin_policy" {
  name   = "AdminAccessPolicy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EOF
}

Using <<EOF ... EOF allows you to easily insert multi-line JSON content into the policy argument without formatting issues.

Attaching Policies to IAM Users

Creating a policy alone doesn’t grant permissions. You must attach the policy to a user, using the aws_iam_user_policy_attachment resource.

Example:

resource "aws_iam_user_policy_attachment" "attach_admin" {
  user       = aws_iam_user.lucy.name
  policy_arn = aws_iam_policy.admin_policy.arn
}

This setup binds the admin_policy to the IAM user named lucy, effectively giving her administrative access.

You may recognize this pattern if you’ve used resource references in Terraform. It ensures Terraform manages dependencies automatically and in the correct order.

Using External JSON Policy Files

Instead of embedding the entire JSON content within your .tf file, a better long-term approach is to use external JSON policy files. This keeps configuration clean and readable.

Steps:

  1. Create a JSON file called admin-policy.json in the same folder as your Terraform configuration.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
  1. Reference it in your Terraform file using the file() function:
resource "aws_iam_policy" "admin_policy" {
  name   = "AdminAccessPolicy"
  policy = file("admin-policy.json")
}

This method is not only cleaner but also separates concerns—policy logic lives in a dedicated file while infrastructure logic remains in the Terraform code.

Running Terraform Commands

Once the configuration is ready:

  • Run terraform init to install the provider plugins.
  • Use terraform plan to preview changes.
  • Execute terraform apply to provision the policy and attach it to the user.

Security Best Practices

While working with AWS IAM Policies with Terraform, always follow these security guidelines:

  • Avoid hardcoding credentials in your Terraform files.
  • Use least privilege: Only assign permissions the user needs.
  • Store sensitive JSON policy files securely.
  • Use variable files and environment variables for credentials.
  • Audit permissions regularly to remove unused access.

Conclusion

Automating AWS IAM Policies with Terraform provides a secure and scalable method for managing access to AWS resources. Whether you define policies inline using heredoc syntax or pull them from external files, Terraform ensures your IAM configurations are consistent, repeatable, and version-controlled.

You’ve now seen how to create an IAM policy, attach it to a user, and apply the best practices to avoid misconfigurations or security risks. Start small, and gradually modularize your IAM architecture for broader adoption.

Frequently Asked Questions (FAQs)

1. What is an IAM policy in AWS?

An IAM policy is a JSON document that defines what actions are allowed or denied for specific AWS resources.

2. Can I define IAM policies in a separate file with Terraform?

Yes. You can use the file() function to load policies from external .json files, improving code clarity.

3. How do I attach multiple policies to a single user?

You can use multiple aws_iam_user_policy_attachment blocks or create an IAM group and attach policies to the group.

4. Is heredoc syntax required to define JSON policies?

Not required, but helpful for embedding multi-line JSON directly in .tf files without escaping quotes.

5. Can IAM roles and groups be managed the same way?

Yes. Terraform supports creating and managing IAM roles, groups, and policy attachments using similar resources.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top