Provides a RAM Policy resource.
```hcl
# Create a new RAM Policy.
resource "alicloud_ram_policy" "policy" {
  policy_name     = "policyName"
  policy_document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
}
```
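A second configuration, added here as an example and not taken from the provider documentation, builds the policy document with jsonencode() instead of a heredoc (so Terraform rejects malformed JSON at plan time), limits object reads to one key prefix, and adds an explicit Deny on write actions so that a broader policy attached to the same principal cannot widen this one into read-write access. It uses the rotate_strategy argument and the exported attributes described further down, so it requires provider version 1.114.0 or later. The bucket name, key prefix, policy name and output name are assumed placeholders.

```hcl
# Added example: least-privilege read-only policy for one OSS bucket prefix.
# Bucket, prefix and policy names below are assumed placeholder values.

locals {
  bucket = "mybucket"  # assumed: bucket this policy is scoped to
  prefix = "reports/"  # assumed: only objects under this prefix may be read
}

resource "alicloud_ram_policy" "read_reports" {
  policy_name = "read-reports-only"
  description = "Read-only access to the reports/ prefix of mybucket"

  # When the policy version limit is reached, drop the oldest non-default
  # version instead of failing the update (provider >= 1.114.0).
  rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded"

  # jsonencode() produces the same JSON shape as the heredoc above but lets
  # Terraform validate the structure and handle quoting.
  policy_document = jsonencode({
    Version = "1"
    Statement = [
      {
        # Listing is a bucket-level action, so it targets the bucket itself.
        Effect   = "Allow"
        Action   = ["oss:ListObjects"]
        Resource = ["acs:oss:*:*:${local.bucket}"]
      },
      {
        # Reads are limited to the prefix rather than the whole bucket.
        Effect   = "Allow"
        Action   = ["oss:GetObject"]
        Resource = ["acs:oss:*:*:${local.bucket}/${local.prefix}*"]
      },
      {
        # Explicit Deny takes precedence over any Allow granted elsewhere,
        # so this principal can never write to or delete from the bucket.
        Effect   = "Deny"
        Action   = ["oss:PutObject", "oss:DeleteObject"]
        Resource = ["acs:oss:*:*:${local.bucket}/*"]
      }
    ]
  })
}

# Surface the exported attributes so drift in attachments or versions is
# visible in plan/apply output.
output "read_reports_policy" {
  value = {
    id               = alicloud_ram_policy.read_reports.id
    default_version  = alicloud_ram_policy.read_reports.default_version
    attachment_count = alicloud_ram_policy.read_reports.attachment_count
  }
}
```

After apply, attachment_count in the output tells you whether anything is actually using the policy; a count of zero on a policy that is meant to be attached is worth investigating before assuming the access restriction is in effect.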
The following arguments are supported:

- name - (Deprecated since 1.114.0, Required, ForceNew) It has been deprecated since provider version 1.114.0; use policy_name instead.
- policy_name - (Required, ForceNew, Optional, Available since 1.114.0+) Name of the RAM policy. The name can be a string of 1 to 128 characters, must contain only alphanumeric characters or the hyphen "-", and must not begin with a hyphen.
- statement - (Deprecated since 1.49.0, Optional, Type: list, Conflicts with policy_document, document) (It has been deprecated since version 1.49.0; use the field 'document' instead.) Statements of the RAM policy document. It is required when document is not specified. See statement below.
- version - (Deprecated since 1.49.0, Optional, Conflicts with policy_document, document) (It has been deprecated since version 1.49.0; use the field 'document' instead.) Version of the RAM policy document. The only valid value is 1. Default value is 1.
- document - (Deprecated since 1.114.0, Optional, Conflicts with policy_document, statement and version) It has been deprecated since provider version 1.114.0; use policy_document instead.
- policy_document - (Optional, Conflicts with document, statement and version, Available since 1.114.0+) Document of the RAM policy. It is required when statement is not specified.
- description - (Optional, ForceNew) Description of the RAM policy. The description can be a string of 1 to 1024 characters.
- rotate_strategy - (Optional, Available since 1.114.0+) The rotation strategy of the policy. You can use this parameter to delete an early policy version. Valid values: None, DeleteOldestNonDefaultVersionWhenLimitExceeded. Default to None.
- force - (Optional) This parameter is used for resource destroy. Default value is false.

statement
The statement block supports the following:
- resource - (Deprecated since 1.49.0, Required, Type: list) (It has been deprecated since version 1.49.0; use the field 'document' instead.) List of specific objects which will be authorized. The format of each item in this list is acs:${service}:${region}:${account_id}:${relative_id}, such as acs:ecs:*:*:instance/inst-002 and acs:oss:*:1234567890000:mybucket. The ${service} can be ecs, oss, ots and so on; the ${region} is the region info, which can be replaced with * when it is not supplied; the ${account_id} refers to an Alicloud account id, or you can use * in its place; the ${relative_id} is the resource description section related to the ${service}.
- action - (Deprecated since 1.49.0, Required, Type: list) (It has been deprecated since version 1.49.0; use the field 'document' instead.) List of operations on the resource. The format of each item in this list is ${service}:${action_name}, such as oss:ListBuckets and ecs:Describe*. The ${service} can be ecs, oss, ots and so on; the ${action_name} refers to the name of an API interface related to the ${service}.
- effect - (Deprecated since 1.49.0, Required) (It has been deprecated since version 1.49.0; use the field 'document' instead.) This parameter indicates whether or not the action is allowed. Valid values are Allow and Deny.

The following attributes are exported:
- id - The policy ID.
- type - The policy type.
- attachment_count - The policy attachment count.
- default_version - The default version of the policy.
- version_id - The ID of the default policy version.

RAM policy can be imported using the id or name, e.g.

$ terraform import alicloud_ram_policy.example my-policy