From 2de5b7ca793b6f6707ea7be4453332355aa5b78b Mon Sep 17 00:00:00 2001
From: David Rosin <david.rosin@idealo.de>
Date: Tue, 11 Feb 2025 15:02:02 +0100
Subject: [PATCH 1/5] feat: support aws_dynamodb_resource_policy (closes #95)

---
 README.md                                   |  2 +
 examples/resource-based-policy/README.md    | 57 ++++++++++++++
 examples/resource-based-policy/main.tf      | 83 +++++++++++++++++++++
 examples/resource-based-policy/outputs.tf   | 19 +++++
 examples/resource-based-policy/variables.tf |  0
 examples/resource-based-policy/versions.tf  | 14 ++++
 main.tf                                     |  7 ++
 variables.tf                                |  6 ++
 wrappers/main.tf                            |  1 +
 9 files changed, 189 insertions(+)
 create mode 100644 examples/resource-based-policy/README.md
 create mode 100644 examples/resource-based-policy/main.tf
 create mode 100644 examples/resource-based-policy/outputs.tf
 create mode 100644 examples/resource-based-policy/variables.tf
 create mode 100644 examples/resource-based-policy/versions.tf

diff --git a/README.md b/README.md
index 3be8499..1b6d936 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,7 @@ No modules.
 | [aws_appautoscaling_target.index_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_dynamodb_resource_policy.table_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_resource_policy) | resource |
 | [aws_dynamodb_table.autoscaled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.autoscaled_gsi_ignore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
@@ -120,6 +121,7 @@ No modules.
 | <a name="input_range_key"></a> [range\_key](#input\_range\_key) | The attribute to use as the range (sort) key. Must also be defined as an attribute | `string` | `null` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | The number of read units for this table. If the billing\_mode is PROVISIONED, this field should be greater than 0 | `number` | `null` | no |
 | <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | Region names for creating replicas for a global DynamoDB table. | `any` | `[]` | no |
+| <a name="input_resource_based_policy_json"></a> [resource\_based\_policy\_json](#input\_resource\_based\_policy\_json) | The JSON definition of the resource-based policy. | `string` | `null` | no |
 | <a name="input_restore_date_time"></a> [restore\_date\_time](#input\_restore\_date\_time) | Time of the point-in-time recovery point to restore. | `string` | `null` | no |
 | <a name="input_restore_source_name"></a> [restore\_source\_name](#input\_restore\_source\_name) | Name of the table to restore. Must match the name of an existing table. | `string` | `null` | no |
 | <a name="input_restore_source_table_arn"></a> [restore\_source\_table\_arn](#input\_restore\_source\_table\_arn) | ARN of the source table to restore. Must be supplied for cross-region restores. | `string` | `null` | no |
diff --git a/examples/resource-based-policy/README.md b/examples/resource-based-policy/README.md
new file mode 100644
index 0000000..9692751
--- /dev/null
+++ b/examples/resource-based-policy/README.md
@@ -0,0 +1,57 @@
+# DynamoDB Table with resource-based policy example
+
+Configuration in this directory creates AWS DynamoDB table with a resource-based policy.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.72.1 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_disabled_dynamodb_table"></a> [disabled\_dynamodb\_table](#module\_disabled\_dynamodb\_table) | ../../ | n/a |
+| <a name="module_dynamodb_table"></a> [dynamodb\_table](#module\_dynamodb\_table) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dynamodb_table_arn"></a> [dynamodb\_table\_arn](#output\_dynamodb\_table\_arn) | ARN of the DynamoDB table |
+| <a name="output_dynamodb_table_id"></a> [dynamodb\_table\_id](#output\_dynamodb\_table\_id) | ID of the DynamoDB table |
+| <a name="output_dynamodb_table_stream_arn"></a> [dynamodb\_table\_stream\_arn](#output\_dynamodb\_table\_stream\_arn) | The ARN of the Table Stream. Only available when var.stream\_enabled is true |
+| <a name="output_dynamodb_table_stream_label"></a> [dynamodb\_table\_stream\_label](#output\_dynamodb\_table\_stream\_label) | A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream\_enabled is true |
+<!-- END_TF_DOCS -->
diff --git a/examples/resource-based-policy/main.tf b/examples/resource-based-policy/main.tf
new file mode 100644
index 0000000..ed03c40
--- /dev/null
+++ b/examples/resource-based-policy/main.tf
@@ -0,0 +1,83 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "dynamodb_table" {
+  source = "../../"
+
+  name                        = "my-table-${random_pet.this.id}"
+  hash_key                    = "id"
+  range_key                   = "title"
+  table_class                 = "STANDARD"
+  deletion_protection_enabled = false
+
+  attributes = [
+    {
+      name = "id"
+      type = "N"
+    },
+    {
+      name = "title"
+      type = "S"
+    },
+    {
+      name = "age"
+      type = "N"
+    }
+  ]
+
+  global_secondary_indexes = [
+    {
+      name               = "TitleIndex"
+      hash_key           = "title"
+      range_key          = "age"
+      projection_type    = "INCLUDE"
+      non_key_attributes = ["id"]
+
+      on_demand_throughput = {
+        max_write_request_units = 1
+        max_read_request_units  = 1
+      }
+    }
+  ]
+
+  on_demand_throughput = {
+    max_read_request_units  = 1
+    max_write_request_units = 1
+  }
+
+  resource_based_policy_json = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowDummyRoleAccess",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
+      },
+      "Action": "dynamodb:GetItem",
+      "Resource": "arn:aws:dynamodb:eu-west-1:111111111111:table/DummyTable"
+    }
+  ]
+}
+POLICY
+  # the account ids and table name are placeholders and should be replaced with the actual values
+
+
+  tags = {
+    Terraform   = "true"
+    Environment = "staging"
+  }
+}
+
+
+module "disabled_dynamodb_table" {
+  source = "../../"
+
+  create_table = false
+}
diff --git a/examples/resource-based-policy/outputs.tf b/examples/resource-based-policy/outputs.tf
new file mode 100644
index 0000000..e21f490
--- /dev/null
+++ b/examples/resource-based-policy/outputs.tf
@@ -0,0 +1,19 @@
+output "dynamodb_table_arn" {
+  description = "ARN of the DynamoDB table"
+  value       = module.dynamodb_table.dynamodb_table_arn
+}
+
+output "dynamodb_table_id" {
+  description = "ID of the DynamoDB table"
+  value       = module.dynamodb_table.dynamodb_table_id
+}
+
+output "dynamodb_table_stream_arn" {
+  description = "The ARN of the Table Stream. Only available when var.stream_enabled is true"
+  value       = module.dynamodb_table.dynamodb_table_stream_arn
+}
+
+output "dynamodb_table_stream_label" {
+  description = "A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream_enabled is true"
+  value       = module.dynamodb_table.dynamodb_table_stream_label
+}
diff --git a/examples/resource-based-policy/variables.tf b/examples/resource-based-policy/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/resource-based-policy/versions.tf b/examples/resource-based-policy/versions.tf
new file mode 100644
index 0000000..8672707
--- /dev/null
+++ b/examples/resource-based-policy/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.72.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
index ffe2303..e22495e 100644
--- a/main.tf
+++ b/main.tf
@@ -376,3 +376,10 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
     ignore_changes = [global_secondary_index, read_capacity, write_capacity]
   }
 }
+
+resource "aws_dynamodb_resource_policy" "table_resource_policy" {
+  count = var.create_table && var.resource_based_policy_json != null ? 1 : 0
+
+  resource_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+  policy       = var.resource_based_policy_json
+}
diff --git a/variables.tf b/variables.tf
index 9b415a6..69f6d9b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -209,3 +209,9 @@ variable "restore_to_latest_time" {
   type        = bool
   default     = null
 }
+
+variable "resource_based_policy_json" {
+  description = "The JSON definition of the resource-based policy."
+  type        = string
+  default     = null
+}
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 12e311a..6ef6bb0 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -27,6 +27,7 @@ module "wrapper" {
   range_key                             = try(each.value.range_key, var.defaults.range_key, null)
   read_capacity                         = try(each.value.read_capacity, var.defaults.read_capacity, null)
   replica_regions                       = try(each.value.replica_regions, var.defaults.replica_regions, [])
+  resource_based_policy_json            = try(each.value.resource_based_policy_json, var.defaults.resource_based_policy_json, null)
   restore_date_time                     = try(each.value.restore_date_time, var.defaults.restore_date_time, null)
   restore_source_name                   = try(each.value.restore_source_name, var.defaults.restore_source_name, null)
   restore_source_table_arn              = try(each.value.restore_source_table_arn, var.defaults.restore_source_table_arn, null)

From 3e78c7decb2e2bc9bbd631fa73f52451700d9a49 Mon Sep 17 00:00:00 2001
From: David Rosin <davidprosin@gmail.com>
Date: Wed, 12 Feb 2025 11:49:24 +0100
Subject: [PATCH 2/5] Rename policy resource

Co-authored-by: Anton Babenko <anton@antonbabenko.com>
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index e22495e..c6b8412 100644
--- a/main.tf
+++ b/main.tf
@@ -377,7 +377,7 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
   }
 }
 
-resource "aws_dynamodb_resource_policy" "table_resource_policy" {
+resource "aws_dynamodb_resource_policy" "this" {
   count = var.create_table && var.resource_based_policy_json != null ? 1 : 0
 
   resource_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")

From cb1e89a33a504446fd7d8f734d67f50a6141474f Mon Sep 17 00:00:00 2001
From: David Rosin <davidprosin@gmail.com>
Date: Wed, 12 Feb 2025 11:50:33 +0100
Subject: [PATCH 3/5] rename policy variable

Co-authored-by: Anton Babenko <anton@antonbabenko.com>
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index 69f6d9b..2261d86 100644
--- a/variables.tf
+++ b/variables.tf
@@ -210,7 +210,7 @@ variable "restore_to_latest_time" {
   default     = null
 }
 
-variable "resource_based_policy_json" {
+variable "resource_policy" {
   description = "The JSON definition of the resource-based policy."
   type        = string
   default     = null

From ad9975c88f5a966775d65f3fece12b9f459a430a Mon Sep 17 00:00:00 2001
From: David Rosin <david.rosin@idealo.de>
Date: Wed, 12 Feb 2025 12:16:43 +0100
Subject: [PATCH 4/5] Apply suggested changes

---
 README.md                                   |  4 +-
 examples/basic/main.tf                      | 17 +++++
 examples/resource-based-policy/README.md    | 57 --------------
 examples/resource-based-policy/main.tf      | 83 ---------------------
 examples/resource-based-policy/outputs.tf   | 19 -----
 examples/resource-based-policy/variables.tf |  0
 examples/resource-based-policy/versions.tf  | 14 ----
 main.tf                                     |  4 +-
 wrappers/main.tf                            |  2 +-
 9 files changed, 22 insertions(+), 178 deletions(-)
 delete mode 100644 examples/resource-based-policy/README.md
 delete mode 100644 examples/resource-based-policy/main.tf
 delete mode 100644 examples/resource-based-policy/outputs.tf
 delete mode 100644 examples/resource-based-policy/variables.tf
 delete mode 100644 examples/resource-based-policy/versions.tf

diff --git a/README.md b/README.md
index 1b6d936..a797fd3 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ No modules.
 | [aws_appautoscaling_target.index_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
-| [aws_dynamodb_resource_policy.table_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_resource_policy) | resource |
+| [aws_dynamodb_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_resource_policy) | resource |
 | [aws_dynamodb_table.autoscaled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.autoscaled_gsi_ignore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
@@ -121,7 +121,7 @@ No modules.
 | <a name="input_range_key"></a> [range\_key](#input\_range\_key) | The attribute to use as the range (sort) key. Must also be defined as an attribute | `string` | `null` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | The number of read units for this table. If the billing\_mode is PROVISIONED, this field should be greater than 0 | `number` | `null` | no |
 | <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | Region names for creating replicas for a global DynamoDB table. | `any` | `[]` | no |
-| <a name="input_resource_based_policy_json"></a> [resource\_based\_policy\_json](#input\_resource\_based\_policy\_json) | The JSON definition of the resource-based policy. | `string` | `null` | no |
+| <a name="input_resource_policy"></a> [resource\_policy](#input\_resource\_policy) | The JSON definition of the resource-based policy. | `string` | `null` | no |
 | <a name="input_restore_date_time"></a> [restore\_date\_time](#input\_restore\_date\_time) | Time of the point-in-time recovery point to restore. | `string` | `null` | no |
 | <a name="input_restore_source_name"></a> [restore\_source\_name](#input\_restore\_source\_name) | Name of the table to restore. Must match the name of an existing table. | `string` | `null` | no |
 | <a name="input_restore_source_table_arn"></a> [restore\_source\_table\_arn](#input\_restore\_source\_table\_arn) | ARN of the source table to restore. Must be supplied for cross-region restores. | `string` | `null` | no |
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 28133e9..3ce4f01 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -50,6 +50,23 @@ module "dynamodb_table" {
     max_write_request_units = 1
   }
 
+  resource_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowDummyRoleAccess",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
+      },
+      "Action": "dynamodb:GetItem",
+      "Resource": "__DYNAMODB_TABLE_ARN__"
+    }
+  ]
+}
+POLICY
+
   tags = {
     Terraform   = "true"
     Environment = "staging"
diff --git a/examples/resource-based-policy/README.md b/examples/resource-based-policy/README.md
deleted file mode 100644
index 9692751..0000000
--- a/examples/resource-based-policy/README.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# DynamoDB Table with resource-based policy example
-
-Configuration in this directory creates AWS DynamoDB table with a resource-based policy.
-
-## Usage
-
-To run this example you need to execute:
-
-```bash
-terraform init
-terraform plan
-terraform apply
-```
-
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-
-<!-- BEGIN_TF_DOCS -->
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.72.1 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_disabled_dynamodb_table"></a> [disabled\_dynamodb\_table](#module\_disabled\_dynamodb\_table) | ../../ | n/a |
-| <a name="module_dynamodb_table"></a> [dynamodb\_table](#module\_dynamodb\_table) | ../../ | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| <a name="output_dynamodb_table_arn"></a> [dynamodb\_table\_arn](#output\_dynamodb\_table\_arn) | ARN of the DynamoDB table |
-| <a name="output_dynamodb_table_id"></a> [dynamodb\_table\_id](#output\_dynamodb\_table\_id) | ID of the DynamoDB table |
-| <a name="output_dynamodb_table_stream_arn"></a> [dynamodb\_table\_stream\_arn](#output\_dynamodb\_table\_stream\_arn) | The ARN of the Table Stream. Only available when var.stream\_enabled is true |
-| <a name="output_dynamodb_table_stream_label"></a> [dynamodb\_table\_stream\_label](#output\_dynamodb\_table\_stream\_label) | A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream\_enabled is true |
-<!-- END_TF_DOCS -->
diff --git a/examples/resource-based-policy/main.tf b/examples/resource-based-policy/main.tf
deleted file mode 100644
index ed03c40..0000000
--- a/examples/resource-based-policy/main.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-provider "aws" {
-  region = "eu-west-1"
-}
-
-resource "random_pet" "this" {
-  length = 2
-}
-
-module "dynamodb_table" {
-  source = "../../"
-
-  name                        = "my-table-${random_pet.this.id}"
-  hash_key                    = "id"
-  range_key                   = "title"
-  table_class                 = "STANDARD"
-  deletion_protection_enabled = false
-
-  attributes = [
-    {
-      name = "id"
-      type = "N"
-    },
-    {
-      name = "title"
-      type = "S"
-    },
-    {
-      name = "age"
-      type = "N"
-    }
-  ]
-
-  global_secondary_indexes = [
-    {
-      name               = "TitleIndex"
-      hash_key           = "title"
-      range_key          = "age"
-      projection_type    = "INCLUDE"
-      non_key_attributes = ["id"]
-
-      on_demand_throughput = {
-        max_write_request_units = 1
-        max_read_request_units  = 1
-      }
-    }
-  ]
-
-  on_demand_throughput = {
-    max_read_request_units  = 1
-    max_write_request_units = 1
-  }
-
-  resource_based_policy_json = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "AllowDummyRoleAccess",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
-      },
-      "Action": "dynamodb:GetItem",
-      "Resource": "arn:aws:dynamodb:eu-west-1:111111111111:table/DummyTable"
-    }
-  ]
-}
-POLICY
-  # the account ids and table name are placeholders and should be replaced with the actual values
-
-
-  tags = {
-    Terraform   = "true"
-    Environment = "staging"
-  }
-}
-
-
-module "disabled_dynamodb_table" {
-  source = "../../"
-
-  create_table = false
-}
diff --git a/examples/resource-based-policy/outputs.tf b/examples/resource-based-policy/outputs.tf
deleted file mode 100644
index e21f490..0000000
--- a/examples/resource-based-policy/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "dynamodb_table_arn" {
-  description = "ARN of the DynamoDB table"
-  value       = module.dynamodb_table.dynamodb_table_arn
-}
-
-output "dynamodb_table_id" {
-  description = "ID of the DynamoDB table"
-  value       = module.dynamodb_table.dynamodb_table_id
-}
-
-output "dynamodb_table_stream_arn" {
-  description = "The ARN of the Table Stream. Only available when var.stream_enabled is true"
-  value       = module.dynamodb_table.dynamodb_table_stream_arn
-}
-
-output "dynamodb_table_stream_label" {
-  description = "A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream_enabled is true"
-  value       = module.dynamodb_table.dynamodb_table_stream_label
-}
diff --git a/examples/resource-based-policy/variables.tf b/examples/resource-based-policy/variables.tf
deleted file mode 100644
index e69de29..0000000
diff --git a/examples/resource-based-policy/versions.tf b/examples/resource-based-policy/versions.tf
deleted file mode 100644
index 8672707..0000000
--- a/examples/resource-based-policy/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 5.72.1"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
-  }
-}
diff --git a/main.tf b/main.tf
index c6b8412..632f112 100644
--- a/main.tf
+++ b/main.tf
@@ -378,8 +378,8 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
 }
 
 resource "aws_dynamodb_resource_policy" "this" {
-  count = var.create_table && var.resource_based_policy_json != null ? 1 : 0
+  count = var.create_table && var.resource_policy != null ? 1 : 0
 
   resource_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
-  policy       = var.resource_based_policy_json
+  policy       = replace(var.resource_policy, "__DYNAMODB_TABLE_ARN__", try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, ""))
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 6ef6bb0..9a8c4a5 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -27,7 +27,7 @@ module "wrapper" {
   range_key                             = try(each.value.range_key, var.defaults.range_key, null)
   read_capacity                         = try(each.value.read_capacity, var.defaults.read_capacity, null)
   replica_regions                       = try(each.value.replica_regions, var.defaults.replica_regions, [])
-  resource_based_policy_json            = try(each.value.resource_based_policy_json, var.defaults.resource_based_policy_json, null)
+  resource_policy                       = try(each.value.resource_policy, var.defaults.resource_policy, null)
   restore_date_time                     = try(each.value.restore_date_time, var.defaults.restore_date_time, null)
   restore_source_name                   = try(each.value.restore_source_name, var.defaults.restore_source_name, null)
   restore_source_table_arn              = try(each.value.restore_source_table_arn, var.defaults.restore_source_table_arn, null)

From dccf155e0805e9336fa623179df00b7d9a427f05 Mon Sep 17 00:00:00 2001
From: David Rosin <david.rosin@idealo.de>
Date: Thu, 13 Feb 2025 11:32:14 +0100
Subject: [PATCH 5/5] Move table arn to separate locals

---
 main.tf    | 8 ++++++--
 outputs.tf | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 632f112..e0d9167 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,7 @@
+locals {
+  dynamodb_table_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+}
+
 resource "aws_dynamodb_table" "this" {
   count = var.create_table && !var.autoscaling_enabled ? 1 : 0
 
@@ -380,6 +384,6 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
 resource "aws_dynamodb_resource_policy" "this" {
   count = var.create_table && var.resource_policy != null ? 1 : 0
 
-  resource_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
-  policy       = replace(var.resource_policy, "__DYNAMODB_TABLE_ARN__", try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, ""))
+  resource_arn = local.dynamodb_table_arn
+  policy       = replace(var.resource_policy, "__DYNAMODB_TABLE_ARN__", local.dynamodb_table_arn)
 }
diff --git a/outputs.tf b/outputs.tf
index fa07482..0d68576 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,6 +1,6 @@
 output "dynamodb_table_arn" {
   description = "ARN of the DynamoDB table"
-  value       = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+  value       = local.dynamodb_table_arn
 }
 
 output "dynamodb_table_id" {