diff --git a/.gitignore b/.gitignore
index 1fef4ab..13deeb9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,11 @@
 # .tfvars files
 *.tfvars
+
+# IDE files
+.idea
+*.iml
+
+# Build harness files
+.build-harness
+build-harness
diff --git a/LICENSE b/LICENSE
index 261eeb9..101fd7c 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
- Copyright [yyyy] [name of copyright owner]
+ Copyright 2019 Cloud Posse, LLC
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..6362526
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+SHELL := /bin/bash
+
+# List of targets the `readme` target should call before generating the readme
+export README_DEPS ?= docs/terraform.md
+
+-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
+
+## Lint terraform code
+lint:
+ $(SELF) terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate
\ No newline at end of file
diff --git a/README.md b/README.md
index fd5eeb8..2093668 100644
--- a/README.md
+++ b/README.md
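Review bot: The `-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)` line in the Makefile hunk downloads an unpinned Makefile through a URL shortener on every make invocation and includes it, so whatever that redirect serves at the time is executed with the developer's or CI job's credentials, with no version pin and no integrity check. Pin the download to a specific build-harness release and verify it against a known checksum before including it, or vendor the harness into the repository. The `lint` target that follows inherits the same trust, since `$(SELF)` and the `terraform/*` targets presumably come from that included file. At minimum, record the assumption above the line, e.g. `# Fetches and includes the Cloud Posse build-harness at make time; pin and verify it before relying on this in CI`.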
@@ -1 +1,303 @@ -# terraform-aws-iam-policy-document-aggregator \ No newline at end of file + +[![README Header][readme_header_img]][readme_header_link] + +[![Cloud Posse][logo]](https://cpco.io/homepage) + +# terraform-aws-iam-policy-document-aggregator + + [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-iam-policy-document-aggregator.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-iam-policy-document-aggregator) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-iam-policy-document-aggregator.svg)](https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) + + +Terraform module to aggregate multiple IAM policy documents into single policy document. + + +--- + +This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. +[][share_email] +[][share_googleplus] +[][share_facebook] +[][share_reddit] +[][share_linkedin] +[][share_twitter] + + +[![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] + + + +It's 100% Open Source and licensed under the [APACHE2](LICENSE). + + + + + + + +We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! + + + + + + + +## Usage + +This example creates a single IAM policy document from multiple IAM policy documents. 
+ +```hcl + data "aws_iam_policy_document" "resource_full_access" { + statement { + sid = "FullAccess" + effect = "Allow" + resources = ["arn:aws:s3:::bucketname/path/*"] + + actions = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:GetBucketLocation", + "s3:AbortMultipartUpload", + ] + } + } + + data "aws_iam_policy_document" "base" { + statement { + sid = "BaseAccess" + + actions = [ + "s3:ListBucket", + "s3:ListBucketVersions", + ] + + resources = ["*"] + effect = "Allow" + } + } + + + module "aggregated_policy" { + source = "../" + source_documents = [ + "${data.aws_iam_policy_document.base.json}", + "${data.aws_iam_policy_document.resource_full_access.json}" + ] + } + + resource "aws_iam_role" "default" { + name = "example-role" + description = "IAM Role with permissions to perform actions on S3 resources" + } + + resource "aws_iam_role_policy" "default" { + name = "example-policy" + description = "Allow S3 actions" + role = "${aws_iam_role.default.id}" + policy = "${module.aggregated_policy.result_document}" + } + +``` + +### Additional Examples +The [`example`](./example) directory contains the example. + + + + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| source_documents | List of JSON IAM policy documents.

Limits:
* List size max 10
* Statement can be overriden by the statement with the same sid from the latest policy. | list | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| result_document | Aggregeted IAM policy | + + + + +## Share the Love + +Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator)! (it helps us **a lot**) + +Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + + +## Related Projects + +Check out these related projects. + +- [terraform-aws-iam-role](https://github.com/cloudposse/terraform-aws-iam-role) - A Terraform module that creates IAM role with provided JSON IAM polices documents. +- [terraform-aws-iam-chamber-s3-role](https://github.com/cloudposse/terraform-aws-iam-chamber-s3-role) - Terraform module to provision an IAM role with configurable permissions to access S3 as chamber backend. + + + +## Help + +**Got a question?** + +File a GitHub [issue](https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator/issues), send us an [email][email] or join our [Slack Community][slack]. + +[![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link] + +## Commercial Support + +Work directly with our team of DevOps experts via email, slack, and video conferencing. + +We provide [*commercial support*][commercial_support] for all of our [Open Source][github] projects. As a *Dedicated Support* customer, you have access to our team of subject matter experts at a fraction of the cost of a full-time engineer. + +[![E-Mail](https://img.shields.io/badge/email-hello@cloudposse.com-blue.svg)][email] + +- **Questions.** We'll use a Shared Slack channel between your team and ours. +- **Troubleshooting.** We'll help you triage why things aren't working. +- **Code Reviews.** We'll review your Pull Requests and provide constructive feedback. 
+- **Bug Fixes.** We'll rapidly work to fix any bugs in our projects. +- **Build New Terraform Modules.** We'll [develop original modules][module_development] to provision infrastructure. +- **Cloud Architecture.** We'll assist with your cloud strategy and design. +- **Implementation.** We'll provide hands-on support to implement our reference architectures. + + + +## Terraform Module Development + +Are you interested in custom Terraform module development? Submit your inquiry using [our form][module_development] today and we'll get back to you ASAP. + + +## Slack Community + +Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. + +## Newsletter + +Signup for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. + +## Contributing + +### Bug Reports & Feature Requests + +Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator/issues) to report any bugs or file feature requests. + +### Developing + +If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with our other projects, we would love to hear from you! Shoot us an [email][email]. + +In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. + + 1. **Fork** the repo on GitHub + 2. **Clone** the project to your own machine + 3. **Commit** changes to your own branch + 4. **Push** your work back up to your fork + 5. 
Submit a **Pull Request** so that we can review your changes + +**NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! + + +## Copyright + +Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright) + + + +## License + +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +See [LICENSE](LICENSE) for full details. + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + + + + + + + + +## Trademarks + +All other trademarks referenced herein are the property of their respective owners. + +## About + +This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know by [leaving a testimonial][testimonial]! + +[![Cloud Posse][logo]][website] + +We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source]. + +We offer [paid support][commercial_support] on all of our projects. + +Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation. + + + +### Contributors + +| [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Maxim Mironenko][maximmi_avatar]][maximmi_homepage]
[Maxim Mironenko][maximmi_homepage] | +|---|---| + + [goruha_homepage]: https://github.com/goruha + [goruha_avatar]: https://github.com/goruha.png?size=150 + [maximmi_homepage]: https://github.com/maximmi + [maximmi_avatar]: https://github.com/maximmi.png?size=150 + + + +[![README Footer][readme_footer_img]][readme_footer_link] +[![Beacon][beacon]][website] + + [logo]: https://cloudposse.com/logo-300x69.svg + [docs]: https://cpco.io/docs + [website]: https://cpco.io/homepage + [github]: https://cpco.io/github + [jobs]: https://cpco.io/jobs + [hire]: https://cpco.io/hire + [slack]: https://cpco.io/slack + [linkedin]: https://cpco.io/linkedin + [twitter]: https://cpco.io/twitter + [testimonial]: https://cpco.io/leave-testimonial + [newsletter]: https://cpco.io/newsletter + [email]: https://cpco.io/email + [commercial_support]: https://cpco.io/commercial-support + [we_love_open_source]: https://cpco.io/we-love-open-source + [module_development]: https://cpco.io/module-development + [terraform_modules]: https://cpco.io/terraform-modules + [readme_header_img]: https://cloudposse.com/readme/header/img?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [readme_header_link]: https://cloudposse.com/readme/header/link?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [readme_footer_img]: https://cloudposse.com/readme/footer/img?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [readme_footer_link]: https://cloudposse.com/readme/footer/link?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?repo=cloudposse/terraform-aws-iam-policy-document-aggregator + [share_twitter]: 
https://twitter.com/intent/tweet/?text=terraform-aws-iam-policy-document-aggregator&url=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-iam-policy-document-aggregator&url=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [share_email]: mailto:?subject=terraform-aws-iam-policy-document-aggregator&body=https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator
+ [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-iam-policy-document-aggregator?pixel&cs=github&cm=readme&an=terraform-aws-iam-policy-document-aggregator
diff --git a/README.yaml b/README.yaml
new file mode 100644
index 0000000..b67b98e
--- /dev/null
+++ b/README.yaml
@@ -0,0 +1,115 @@
+---
+#
+# This is the canonical configuration for the `README.md`
+# Run `make readme` to rebuild the `README.md`
+#
+
+# Name of this project
+name: terraform-aws-iam-policy-document-aggregator
+
+# Logo for this project
+#logo: docs/logo.png
+
+# License of this project
+license: "APACHE2"
+
+# Canonical GitHub repo
+github_repo: cloudposse/terraform-aws-iam-policy-document-aggregator
+
+# Badges to display
+badges:
+ - name: "Build Status"
+ image: "https://travis-ci.org/cloudposse/terraform-aws-iam-policy-document-aggregator.svg?branch=master"
+ url: "https://travis-ci.org/cloudposse/terraform-aws-iam-policy-document-aggregator"
+ - name: "Latest Release"
+ image: "https://img.shields.io/github/release/cloudposse/terraform-aws-iam-policy-document-aggregator.svg"
+ url: "https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator/releases/latest"
+ - name: "Slack Community"
+ image: "https://slack.cloudposse.com/badge.svg"
+ url: "https://slack.cloudposse.com"
+
+related:
+ - name: "terraform-aws-iam-role"
+ description: "A Terraform module that creates IAM role with provided JSON IAM polices documents."
+ url: "https://github.com/cloudposse/terraform-aws-iam-role"
+ - name: "terraform-aws-iam-chamber-s3-role"
+ description: "Terraform module to provision an IAM role with configurable permissions to access S3 as chamber backend."
+ url: "https://github.com/cloudposse/terraform-aws-iam-chamber-s3-role"
+
+# Short description of this project
+description: |-
+ Terraform module to aggregate multiple IAM policy documents into single policy document.
+
+# How to use this project
+usage: |-
+ This example creates a single IAM policy document from multiple IAM policy documents.
+
+ ```hcl
+ data "aws_iam_policy_document" "resource_full_access" {
+ statement {
+ sid = "FullAccess"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::bucketname/path/*"]
+
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:GetBucketLocation",
+ "s3:AbortMultipartUpload",
+ ]
+ }
+ }
+
+ data "aws_iam_policy_document" "base" {
+ statement {
+ sid = "BaseAccess"
+
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ ]
+
+ resources = ["*"]
+ effect = "Allow"
+ }
+ }
+
+
+ module "aggregated_policy" {
+ source = "../"
+ source_documents = [
+ "${data.aws_iam_policy_document.base.json}",
+ "${data.aws_iam_policy_document.resource_full_access.json}"
+ ]
+ }
+
+ resource "aws_iam_role" "default" {
+ name = "example-role"
+ description = "IAM Role with permissions to perform actions on S3 resources"
+ }
+
+ resource "aws_iam_role_policy" "default" {
+ name = "example-policy"
+ description = "Allow S3 actions"
+ role = "${aws_iam_role.default.id}"
+ policy = "${module.aggregated_policy.result_document}"
+ }
+
+ ```
+
+ ### Additional Examples
+ The [`example`](./example) directory contains the example.
+
+include:
+ - "docs/terraform.md"
+
+# Contributors to this project
+contributors:
+ - name: "Igor Rodionov"
+ github: "goruha"
+ - name: "Maxim Mironenko"
+ github: "maximmi"
\ No newline at end of file
diff --git a/docs/terraform.md b/docs/terraform.md
new file mode 100644
index 0000000..a02dd0f
--- /dev/null
+++ b/docs/terraform.md
@@ -0,0 +1,12 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| source_documents | List of JSON IAM policy documents.

Limits:
* List size max 10
* Statement can be overriden by the statement with the same sid from the latest policy. | list | `` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| result_document | Aggregeted IAM policy |
+
diff --git a/example/main.tf b/example/main.tf
new file mode 100644
index 0000000..59e90c2
--- /dev/null
+++ b/example/main.tf
@@ -0,0 +1,53 @@
+data "aws_iam_policy_document" "resource_full_access" {
+ statement {
+ sid = "FullAccess"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::bucketname/path/*"]
+
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:GetBucketLocation",
+ "s3:AbortMultipartUpload",
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "base" {
+ statement {
+ sid = "BaseAccess"
+
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ ]
+
+ resources = ["*"]
+ effect = "Allow"
+ }
+}
+
+module "aggregated_policy" {
+ source = "../"
+
+ source_documents = [
+ "${data.aws_iam_policy_document.base.json}",
+ "${data.aws_iam_policy_document.resource_full_access.json}",
+ ]
+}
+
+resource "aws_iam_role" "default" {
+ name = "example-role"
+ description = "IAM Role with permissions to perform actions on S3 resources"
+}
+
+resource "aws_iam_role_policy" "default" {
+ name = "example-policy"
+ description = "Allow S3 actions"
+ role = "${aws_iam_role.default.id}"
+ policy = "${module.aggregated_policy.result_document}"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..bc88471
--- /dev/null
+++ b/main.tf
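Review bot: `resource "aws_iam_role" "default"` in the example/main.tf hunk declares only `name` and `description`, but the AWS provider requires `assume_role_policy` on `aws_iam_role`, so this example cannot plan as written; and as far as I can tell `aws_iam_role_policy` has no `description` argument, so that line in `aws_iam_role_policy.default` will likely fail validation as well. Give the role a trust policy (a `data "aws_iam_policy_document"` that allows the intended principal to `sts:AssumeRole`, wired into `assume_role_policy`) and drop `description` from the role policy. Separately, the `base` document grants `s3:ListBucket` and `s3:ListBucketVersions` on `resources = ["*"]`; since the README reproduces this example verbatim, scoping it to the example bucket ARN would keep readers from copying an account-wide listing permission. A short comment such as `# Example only: scope resources to the buckets the role actually needs` above the `base` document would make that intent explicit.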
@@ -0,0 +1,90 @@
+resource "null_resource" "source_documents_count_check" {
+ count = "${length(var.source_documents) <= 10 ? 0 : 1}"
+
+ provisioner "local-exec" {
+ command = "false"
+ interpreter = ["bash", "-c"]
+ }
+}
+
+locals {
+ policies = [
+ "${length(var.source_documents) > 0 ? element(var.source_documents, 0) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 1 ? element(var.source_documents, 1) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 2 ? element(var.source_documents, 2) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 3 ? element(var.source_documents, 3) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 4 ? element(var.source_documents, 4) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 5 ? element(var.source_documents, 5) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 6 ? element(var.source_documents, 6) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 7 ? element(var.source_documents, 7) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 8 ? element(var.source_documents, 8) : data.aws_iam_policy_document.empty.json}",
+ "${length(var.source_documents) > 9 ? 
element(var.source_documents, 9) : data.aws_iam_policy_document.empty.json}",
+ ]
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+data "aws_iam_policy_document" "zero" {
+ source_json = "${data.aws_iam_policy_document.empty.json}"
+ override_json = "${element(local.policies, 0)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "one" {
+ source_json = "${data.aws_iam_policy_document.zero.json}"
+ override_json = "${element(local.policies, 1)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "two" {
+ source_json = "${data.aws_iam_policy_document.one.json}"
+ override_json = "${element(local.policies, 2)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "three" {
+ source_json = "${data.aws_iam_policy_document.two.json}"
+ override_json = "${element(local.policies, 3)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "four" {
+ source_json = "${data.aws_iam_policy_document.three.json}"
+ override_json = "${element(local.policies, 4)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "five" {
+ source_json = "${data.aws_iam_policy_document.four.json}"
+ override_json = "${element(local.policies, 5)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "six" {
+ source_json = "${data.aws_iam_policy_document.five.json}"
+ override_json = "${element(local.policies, 6)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "seven" {
+ source_json = "${data.aws_iam_policy_document.six.json}"
+ override_json = "${element(local.policies, 7)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "eight" {
+ source_json = "${data.aws_iam_policy_document.seven.json}"
+ override_json = "${element(local.policies, 8)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "nine" {
+ source_json = "${data.aws_iam_policy_document.eight.json}"
+ override_json = "${element(local.policies, 9)}"
+ "statement" = []
+}
+
+data "aws_iam_policy_document" "default" {
+ source_json = "${data.aws_iam_policy_document.nine.json}"
+ 
"statement" = []
+}
diff --git a/output.tf b/output.tf
new file mode 100644
index 0000000..a8481f1
--- /dev/null
+++ b/output.tf
@@ -0,0 +1,4 @@
+output "result_document" {
+ value = "${data.aws_iam_policy_document.default.json}"
+ description = "Aggregeted IAM policy"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..26ec2e3
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,5 @@
+variable "source_documents" {
+ type = "list"
+ description = "List of JSON IAM policy documents.

Limits:
* List size max 10
* Statement can be overriden by the statement with the same sid from the latest policy." + default = [] +}