cloudposse-terraform-components · gberenice · Jan 12, 2026 · Jan 10, 2026 · Jan 10, 2026
diff --git a/src/main.tf b/src/main.tf
@@ -106,6 +106,7 @@ module "permission_sets" {
     local.terraform_plan_access_permission_set,
     local.terraform_apply_access_permission_set,
     local.terraform_update_access_permission_set,
+    local.terraform_state_access_permission_set,
   )
 
   context = module.this.context

diff --git a/src/policy-TerraformAccess.tf b/src/policy-TerraformAccess.tf
@@ -43,6 +43,18 @@ locals {
     policy_attachments                  = ["arn:${local.aws_partition}:iam::aws:policy/AdministratorAccess"]
     customer_managed_policy_attachments = []
   }] : []
+
+  # Terraform State Access permission set
+  terraform_state_access_permission_set = local.tf_access_enabled ? [{
+    name                                = "TerraformStateAccess",
+    description                         = "Allow read/write access to Terraform state backend only",
+    relay_state                         = "",
+    session_duration                    = var.session_duration,
+    tags                                = {},
+    inline_policy                       = one(data.aws_iam_policy_document.terraform_state_access[*].json),
+    policy_attachments                  = []
+    customer_managed_policy_attachments = []
+  }] : []
 }
 
 # Terraform Plan Access - Read-only state access, read-only account access
@@ -133,3 +145,45 @@ data "aws_iam_policy_document" "terraform_apply_access" {
     resources = ["*"]
   }
 }
+
+# Terraform State Access - Read/write state access only (no account permissions)
+data "aws_iam_policy_document" "terraform_state_access" {
+  count = local.tf_access_enabled ? 1 : 0
+
+  # Read/write access to Terraform state S3 bucket
+  statement {
+    sid    = "TerraformStateBackendS3Bucket"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+    ]
+    resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
+  }
+
+  # DynamoDB table access for state locking (if configured)
+  dynamic "statement" {
+    for_each = (local.tf_access_enabled && var.tf_access_dynamodb_table_arn != "") ? [1] : []
+
+    content {
+      sid       = "TerraformStateBackendDynamoDbTable"
+      effect    = "Allow"
+      actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
+      resources = [var.tf_access_dynamodb_table_arn]
+    }
+  }
+
+  # Allow assuming the Terraform state backend role
+  statement {
+    sid    = "TerraformStateBackendAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+      "sts:SetSourceIdentity",
+    ]
+    resources = [var.tf_access_role_arn]
+  }
+}