Inputs

Configuration parameters for the access-policy module (v0.1.0).

Required

policy_name Required
string

Name of the access policy. Must be unique within your AWS account. Can contain alphanumeric characters, plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). Maximum 128 characters.

Optional

policy_type
string Default: iam

Type of policy to create. Valid values: iam (standard IAM policy), scp (Service Control Policy for Organizations), boundary (Permission Boundary).

allowed_services
list(string)

List of allowed AWS services (e.g., ec2, s3, lambda, dynamodb). Define which AWS services the policy permits access to for least-privilege design.

denied_actions
list(string)

Explicitly denied actions that should never be performed, regardless of other permissions (e.g., iam:CreateUser, organizations:*).

resource_restrictions
map(list(string))

Resource-level restrictions by service. A map where keys are service names and values are lists of ARN patterns. Example: { s3 = ["arn:aws:s3:::company-data-*/*"] dynamodb = ["arn:aws:dynamodb:*:*:table/users-*"] }