terraform-aws-modules · antonbabenko · Mar 19, 2025 · Feb 11, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/README.md b/README.md
@@ -92,6 +92,7 @@ No modules.
 | [aws_appautoscaling_target.index_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appautoscaling_target.table_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_dynamodb_resource_policy.table_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_resource_policy) | resource |
 | [aws_dynamodb_table.autoscaled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.autoscaled_gsi_ignore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_dynamodb_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
@@ -120,6 +121,7 @@ No modules.
 | <a name="input_range_key"></a> [range\_key](#input\_range\_key) | The attribute to use as the range (sort) key. Must also be defined as an attribute | `string` | `null` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | The number of read units for this table. If the billing\_mode is PROVISIONED, this field should be greater than 0 | `number` | `null` | no |
 | <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | Region names for creating replicas for a global DynamoDB table. | `any` | `[]` | no |
+| <a name="input_resource_based_policy_json"></a> [resource\_based\_policy\_json](#input\_resource\_based\_policy\_json) | The JSON definition of the resource-based policy. | `string` | `null` | no |
 | <a name="input_restore_date_time"></a> [restore\_date\_time](#input\_restore\_date\_time) | Time of the point-in-time recovery point to restore. | `string` | `null` | no |
 | <a name="input_restore_source_name"></a> [restore\_source\_name](#input\_restore\_source\_name) | Name of the table to restore. Must match the name of an existing table. | `string` | `null` | no |
 | <a name="input_restore_source_table_arn"></a> [restore\_source\_table\_arn](#input\_restore\_source\_table\_arn) | ARN of the source table to restore. Must be supplied for cross-region restores. | `string` | `null` | no |

diff --git a/examples/resource-based-policy/README.md b/examples/resource-based-policy/README.md
@@ -0,0 +1,57 @@
+# DynamoDB Table with resource-based policy example
+
+Configuration in this directory creates AWS DynamoDB table with a resource-based policy.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.72.1 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_disabled_dynamodb_table"></a> [disabled\_dynamodb\_table](#module\_disabled\_dynamodb\_table) | ../../ | n/a |
+| <a name="module_dynamodb_table"></a> [dynamodb\_table](#module\_dynamodb\_table) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dynamodb_table_arn"></a> [dynamodb\_table\_arn](#output\_dynamodb\_table\_arn) | ARN of the DynamoDB table |
+| <a name="output_dynamodb_table_id"></a> [dynamodb\_table\_id](#output\_dynamodb\_table\_id) | ID of the DynamoDB table |
+| <a name="output_dynamodb_table_stream_arn"></a> [dynamodb\_table\_stream\_arn](#output\_dynamodb\_table\_stream\_arn) | The ARN of the Table Stream. Only available when var.stream\_enabled is true |
+| <a name="output_dynamodb_table_stream_label"></a> [dynamodb\_table\_stream\_label](#output\_dynamodb\_table\_stream\_label) | A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream\_enabled is true |
+<!-- END_TF_DOCS -->
diff --git a/examples/resource-based-policy/main.tf b/examples/resource-based-policy/main.tf
@@ -0,0 +1,83 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "dynamodb_table" {
+  source = "../../"
+
+  name                        = "my-table-${random_pet.this.id}"
+  hash_key                    = "id"
+  range_key                   = "title"
+  table_class                 = "STANDARD"
+  deletion_protection_enabled = false
+
+  attributes = [
+    {
+      name = "id"
+      type = "N"
+    },
+    {
+      name = "title"
+      type = "S"
+    },
+    {
+      name = "age"
+      type = "N"
+    }
+  ]
+
+  global_secondary_indexes = [
+    {
+      name               = "TitleIndex"
+      hash_key           = "title"
+      range_key          = "age"
+      projection_type    = "INCLUDE"
+      non_key_attributes = ["id"]
+
+      on_demand_throughput = {
+        max_write_request_units = 1
+        max_read_request_units  = 1
+      }
+    }
+  ]
+
+  on_demand_throughput = {
+    max_read_request_units  = 1
+    max_write_request_units = 1
+  }
+
+  resource_based_policy_json = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowDummyRoleAccess",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::222222222222:role/DummyRole"
+      },
+      "Action": "dynamodb:GetItem",
+      "Resource": "arn:aws:dynamodb:eu-west-1:111111111111:table/DummyTable"
+    }
+  ]
+}
+POLICY
+  # the account ids and table name are placeholders and should be replaced with the actual values
+
+
+  tags = {
+    Terraform   = "true"
+    Environment = "staging"
+  }
+}
+
+
+module "disabled_dynamodb_table" {
+  source = "../../"
+
+  create_table = false
+}
diff --git a/examples/resource-based-policy/outputs.tf b/examples/resource-based-policy/outputs.tf
@@ -0,0 +1,19 @@
+output "dynamodb_table_arn" {
+  description = "ARN of the DynamoDB table"
+  value       = module.dynamodb_table.dynamodb_table_arn
+}
+
+output "dynamodb_table_id" {
+  description = "ID of the DynamoDB table"
+  value       = module.dynamodb_table.dynamodb_table_id
+}
+
+output "dynamodb_table_stream_arn" {
+  description = "The ARN of the Table Stream. Only available when var.stream_enabled is true"
+  value       = module.dynamodb_table.dynamodb_table_stream_arn
+}
+
+output "dynamodb_table_stream_label" {
+  description = "A timestamp, in ISO 8601 format of the Table Stream. Only available when var.stream_enabled is true"
+  value       = module.dynamodb_table.dynamodb_table_stream_label
+}
diff --git a/examples/resource-based-policy/variables.tf b/examples/resource-based-policy/variables.tf
diff --git a/examples/resource-based-policy/versions.tf b/examples/resource-based-policy/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.72.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -376,3 +376,10 @@ resource "aws_dynamodb_table" "autoscaled_gsi_ignore" {
     ignore_changes = [global_secondary_index, read_capacity, write_capacity]
   }
 }
+
+resource "aws_dynamodb_resource_policy" "table_resource_policy" {
+  count = var.create_table && var.resource_based_policy_json != null ? 1 : 0
+
+  resource_arn = try(aws_dynamodb_table.this[0].arn, aws_dynamodb_table.autoscaled[0].arn, aws_dynamodb_table.autoscaled_gsi_ignore[0].arn, "")
+  policy       = var.resource_based_policy_json
+}
diff --git a/variables.tf b/variables.tf
@@ -209,3 +209,9 @@ variable "restore_to_latest_time" {
   type        = bool
   default     = null
 }
+
+variable "resource_based_policy_json" {
+  description = "The JSON definition of the resource-based policy."
+  type        = string
+  default     = null
+}
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -27,6 +27,7 @@ module "wrapper" {
   range_key                             = try(each.value.range_key, var.defaults.range_key, null)
   read_capacity                         = try(each.value.read_capacity, var.defaults.read_capacity, null)
   replica_regions                       = try(each.value.replica_regions, var.defaults.replica_regions, [])
+  resource_based_policy_json            = try(each.value.resource_based_policy_json, var.defaults.resource_based_policy_json, null)
   restore_date_time                     = try(each.value.restore_date_time, var.defaults.restore_date_time, null)
   restore_source_name                   = try(each.value.restore_source_name, var.defaults.restore_source_name, null)
   restore_source_table_arn              = try(each.value.restore_source_table_arn, var.defaults.restore_source_table_arn, null)