Aws_iam_policy_document - Condition with multiple tests

Does anyone know if it's possible to use the aws_iam_policy_document data source to create a statement condition with multiple tests so you can create OR logic?

Looks like this is supported by the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html


To answer your post @jgreat, I don't think it is possible to create OR logic with conditions, but it is possible for AND logic. The Terraform docs for aws_iam_policy_document condition blocks here state:

When using multiple condition blocks, they must all evaluate to true for the policy statement to apply.

Following the idea of multiple condition blocks, what is the syntax for creating multiple conditions for a single aws_iam_policy_document statement block, please? I have come across this StackOverflow answer that states:

The aws_iam_policy_document supports nested condition directives.

As well as giving an example.

But when I follow this example and implement it myself, Terraform errors on plan with:

"Attribute redefined
The argument "condition" was already set at foo/bar/s3.tf. Each argument may only be set once"

I simply have multiple condition = {} blocks nested under my statement = {}.

Would love a hand with this please, I am more than happy to share any more info as needed :slight_smile:

Facing the same issue here. I need to add multiple condition blocks for this policy.


I never found a solution to create multiple condition blocks for an aws_iam_policy_document in Terraform; if you do find a solution please do share it.

For the cases where I have multiple conditions, my workaround is to use a JSON representation for the whole policy with policy = jsonencode(foo), rather than using an aws_iam_policy_document data block.

To answer the original question of whether you can create OR logic with multiple conditionals:

No.

The documentation now states:

When using multiple condition blocks, they must all evaluate to true for the policy statement to apply. In other words, AWS evaluates the conditions as though with an “AND” boolean operation.

There you go, a clear answer that I'm fairly certain was not in the docs when I checked it a while ago :slight_smile:

Well I’ve just figured out what I did wrong, I should have been paying more attention to the docs…

My issue was that I was stating conditions with an =. As in condition = {...}, whereas it should be condition {}! :person_facepalming:
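To make the fix concrete, here is an added example (not code from the thread or from the Terraform AWS provider docs) of the working nested-block form. Writing condition = { ... } makes Terraform treat condition as a single attribute, which is why a second one fails with "Attribute redefined"; condition { ... } is a nested block and may be repeated. The bucket name, role ARN, account ID and CIDR ranges are placeholders invented for the example. As the quoted docs say, AWS ANDs the separate condition blocks; the values listed inside one block for one key are alternatives for that key.

```hcl
# Added example: two condition blocks on one statement. Both blocks must
# hold for the statement to apply (AWS evaluates condition blocks with AND).
data "aws_iam_policy_document" "restricted_put" {
  statement {
    sid     = "AllowEncryptedPutFromTrustedNetworks"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    # Placeholder bucket ARN for this example
    resources = ["arn:aws:s3:::example-bucket/*"]

    principals {
      type = "AWS"
      # Placeholder account ID and role name
      identifiers = ["arn:aws:iam::123456789012:role/example-writer"]
    }

    # Block 1: the object must be written with SSE-KMS
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }

    # Block 2: the request must come from one of these placeholder ranges.
    # Multiple values for a single key are alternatives (either CIDR matches).
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["10.0.0.0/8", "192.168.0.0/16"]
    }
  }
}

resource "aws_s3_bucket_policy" "restricted_put" {
  bucket = "example-bucket"
  policy = data.aws_iam_policy_document.restricted_put.json
}
```

Rendering this with terraform plan shows a single Statement whose Condition object has both a StringEquals and an IpAddress key, which is the AND combination the thread describes. If you need a true OR across different condition keys, the data source offers no syntax for it; the usual approach is a second statement block with its own condition.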