Patterned Designs HCL Module Registry
v0.1.0 (latest)

Terraform module for access-policy on aws

Usage:
module "access-policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "0.1.0"
}
Inputs

policy_name (string, required)

Name of the access policy. Must be unique within your AWS account. Can contain alphanumeric characters, plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). Maximum 128 characters.

Constraints
  • Policy name must contain only alphanumeric characters and the characters + = , . @ _ - and be at most 128 characters.
policy_type (string, default: iam)

Type of policy to create. Valid values: iam (standard IAM policy), scp (Service Control Policy for Organizations), boundary (Permission Boundary).

Constraints
  • Policy type must be one of: iam, scp, boundary.
allowed_services (list(string), default: null)

List of allowed AWS services (e.g., ec2, s3, lambda, dynamodb). Defines which AWS services the policy permits access to, for least-privilege design.

Constraints
  • Service names must be lowercase and contain only alphanumeric characters and hyphens.
denied_actions (list(string), default: null)

Explicitly denied actions that should never be performed, regardless of other permissions (e.g., iam:CreateUser, organizations:*).

Constraints
  • Denied actions must be in the format service:action (e.g., iam:CreateUser, s3:*).
resource_restrictions (map(list(string)), default: null)

Resource-level restrictions by service. A map where keys are service names and values are lists of ARN patterns. Example:

{
  s3       = ["arn:aws:s3:::company-data-*/*"]
  dynamodb = ["arn:aws:dynamodb:*:*:table/users-*"]
}
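As an added illustration (not the module's own code), the following Python shows how the three inputs above compose into a policy document and why an entry in denied_actions stays blocked even when its service appears in allowed_services; the statement layout and the simplified evaluator are assumptions about how such inputs would be combined.

```python
import fnmatch
import re

# Constraints taken from the module's input descriptions.
SERVICE_RE = re.compile(r"^[a-z0-9-]+$")               # allowed_services entries
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")  # denied_actions entries


def build_policy_document(allowed_services, denied_actions=None, resource_restrictions=None):
    """Compose module-style inputs into one policy document: allowed_services grant
    service-wide access, resource_restrictions narrow each grant to ARN patterns, and
    denied_actions add an explicit Deny. Layout is an assumption, not the module's code."""
    statements = []
    for svc in allowed_services:
        if not SERVICE_RE.match(svc):
            raise ValueError(f"invalid service name: {svc!r}")
        statements.append({
            "Sid": "Allow" + svc.replace("-", "").title(),
            "Effect": "Allow",
            "Action": f"{svc}:*",
            # Fall back to any resource only when no restriction is given for the service.
            "Resource": (resource_restrictions or {}).get(svc, ["*"]),
        })
    for action in denied_actions or []:
        if not ACTION_RE.match(action):
            raise ValueError(f"denied action must be service:action, got {action!r}")
    if denied_actions:
        # An explicit Deny overrides any Allow in IAM evaluation, so these actions
        # stay blocked even when their service is also in allowed_services.
        statements.append({"Sid": "ExplicitDeny", "Effect": "Deny",
                           "Action": list(denied_actions), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def evaluate(document, action, resource):
    """Simplified IAM decision: explicit Deny wins, then a matching Allow,
    otherwise the implicit deny. Wildcards are matched with fnmatch."""
    def as_list(v):
        return v if isinstance(v, list) else [v]

    def matches(stmt):
        return (any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))

    effects = {s["Effect"] for s in document["Statement"] if matches(s)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```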

Outputs

policy_arn

ARN of the created policy. Use this for attaching the policy to IAM entities or referencing in other resources.

policy_document

JSON-formatted policy document generated by the module. Useful for debugging, auditing, or using in contexts that require raw policy JSON.

policy_id

Unique identifier for the policy. This is the policy's internal AWS ID, distinct from the ARN.