feat: Support aws_dynamodb_resource_policy (closes #95) (#96)

drosin · antonbabenko · web-flow · commit eee22aaa46d5 · 2025-03-19T15:59:47.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/README.md b/README.md
@@ -92,6 +92,7 @@ No modules.
 | [aws_appautoscaling_target.index_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_dynamodb_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_resource_policy) | resource |
 | [aws_dynamodb_table.autoscaled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.autoscaled_gsi_ignore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
@@ -120,6 +121,7 @@ No modules.
 | <a name="input_range_key"></a> [range\_key](#input\_range\_key) | The attribute to use as the range (sort) key. Must also be defined as an attribute | `string` | `null` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | The number of read units for this table. If the billing\_mode is PROVISIONED, this field should be greater than 0 | `number` | `null` | no |
 | <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | Region names for creating replicas for a global DynamoDB table. | `any` | `[]` | no |
+| <a name="input_resource_policy"></a> [resource\_policy](#input\_resource\_policy) | The JSON definition of the resource-based policy. | `string` | `null` | no |
 | <a name="input_restore_date_time"></a> [restore\_date\_time](#input\_restore\_date\_time) | Time of the point-in-time recovery point to restore. | `string` | `null` | no |
 | <a name="input_restore_source_name"></a> [restore\_source\_name](#input\_restore\_source\_name) | Name of the table to restore. Must match the name of an existing table. | `string` | `null` | no |
 | <a name="input_restore_source_table_arn"></a> [restore\_source\_table\_arn](#input\_restore\_source\_table\_arn) | ARN of the source table to restore. Must be supplied for cross-region restores. | `string` | `null` | no |
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -50,6 +50,23 @@ module "dynamodb_table" {
     max_write_request_units = 1
   }
 
+  resource_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowDummyRoleAccess",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
+      },
+      "Action": "dynamodb:GetItem",
+      "Resource": "__DYNAMODB_TABLE_ARN__"
+    }
+  ]
+}
+POLICY
+
   tags = {
     Terraform   = "true"
     Environment = "staging"
diff --git a/main.tf b/main.tf
@@ -1,3 +1,7 @@
+locals {
+  dynamodb_table_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+}
+
 resource "aws_dynamodb_table" "this" {
   count = var.create_table && !var.autoscaling_enabled ? 1 : 0
 
@@ -376,3 +380,10 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
     ignore_changes = [global_secondary_index, read_capacity, write_capacity]
   }
 }
+
+resource "aws_dynamodb_resource_policy" "this" {
+  count = var.create_table && var.resource_policy != null ? 1 : 0
+
+  resource_arn = local.dynamodb_table_arn
+  policy       = replace(var.resource_policy, "__DYNAMODB_TABLE_ARN__", local.dynamodb_table_arn)
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,6 +1,6 @@
 output "dynamodb_table_arn" {
   description = "ARN of the DynamoDB table"
-  value       = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+  value       = local.dynamodb_table_arn
 }
 
 output "dynamodb_table_id" {
diff --git a/variables.tf b/variables.tf
@@ -209,3 +209,9 @@ variable "restore_to_latest_time" {
   type        = bool
   default     = null
 }
+
+variable "resource_policy" {
+  description = "The JSON definition of the resource-based policy."
+  type        = string
+  default     = null
+}
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -27,6 +27,7 @@ module "wrapper" {
   range_key                             = try(each.value.range_key, var.defaults.range_key, null)
   read_capacity                         = try(each.value.read_capacity, var.defaults.read_capacity, null)
   replica_regions                       = try(each.value.replica_regions, var.defaults.replica_regions, [])
+  resource_policy                       = try(each.value.resource_policy, var.defaults.resource_policy, null)
   restore_date_time                     = try(each.value.restore_date_time, var.defaults.restore_date_time, null)
   restore_source_name                   = try(each.value.restore_source_name, var.defaults.restore_source_name, null)
   restore_source_table_arn              = try(each.value.restore_source_table_arn, var.defaults.restore_source_table_arn, null)

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`output "dynamodb_table_arn" {`
`2`	`2`	`description = "ARN of the DynamoDB table"`
`3`		`- value = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")`
	`3`	`+ value = local.dynamodb_table_arn`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "dynamodb_table_id" {`