terraform-modules/remote-state-access/policy.tf

data "aws_iam_policy_document" "this" {
  statement {
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}",
    ]
  }
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}",
    ]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"

      values = var.prefixes
    }
  }
  statement {
    effect = "Allow"
    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = [
      "arn:aws:dynamodb:*:*:table/${var.dynamodb_table}",
    ]
  }
}


resource "aws_iam_role" "this" {
  count = var.create_role ? 1 : 0
  name  = var.role_name

  inline_policy {
    name   = "Allow access for remote states s3 and dynamo"
    policy = data.aws_iam_policy_document.this.json
  }
}

resource "aws_iam_policy" "this" {
  count = var.create_policy ? 1 : 0
  name  = var.policy_name
  path  = var.policy_path
}