fix: Re-add iam-policy module

Author: bryantbiggs

README.md

@@ -83,6 +83,40 @@ module "iam_oidc_provider" {
 }
 ```
 
+### IAM Policy
+
+Creates an IAM policy.
+
+```hcl
+module "iam_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+
+  name        = "example"
+  path        = "/"
+  description = "My example policy"
+
+  policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "ec2:Describe*"
+          ],
+          "Effect": "Allow",
+          "Resource": "*"
+        }
+      ]
+    }
+  EOF
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+```
+
 ### IAM ReadOnly Policy
 
 Creates an IAM policy that allows read-only access to the list of AWS services provided.
@@ -248,6 +282,7 @@ module "iam_user" {
 - [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy
 - [iam-group](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies
 - [iam-oidc-provider](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-oidc-provider) - Create an OpenID connect provider and IAM role which can be assumed from specified subjects federated from the OIDC provider
+- [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create an IAM policy
 - [iam-read-only-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-read-only-policy) - Create IAM read-only policy
 - [iam-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 - [iam-role-for-service-accounts](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts) - Create IAM role for service accounts (IRSA) for use within EKS clusters

docs/UPGRADE-6.0.md

@@ -22,7 +22,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - `iam-group-with-policies` has been renamed to `iam-group`
 - `iam-group-with-assumable-roles-policy` has been merged into `iam-group`
 - `iam-eks-role` has been removed; `iam-role-for-service-accounts` or [`eks-pod-identity`](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity) should be used instead
-- `iam-policy` has been removed; the `aws_iam_policy` resource should be used directly instead
 - `iam-role-for-service-accounts-eks` has been renamed to `iam-role-for-service-accounts`
     - Individual policy creation and attachment has been consolidated under one policy creation and attachment
     - Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
@@ -93,6 +92,8 @@ stateDiagram
         - `assumable_roles`
     - `iam-oidc-provider`
         - `additional_thumbprints` - no longer required by GitHub
+    - `iam-policy`
+        - None
     - `iam-read-only-policy`
         - `additional_policy_json` - use `source_inline_policy_documents` or `override_inline_policy_documents` instead
     - `iam-role`
@@ -140,6 +141,8 @@ stateDiagram
         - `aws_account_id` -> `users_account_id`
     - `iam-oidc-provider`
         - None
+    - `iam-policy`
+        - `create_policy` -> `create`
     - `iam-read-only-policy`
         - `name_prefix` (string) -> `use_name_prefix` (bool)
     - `iam-role`
@@ -179,6 +182,8 @@ stateDiagram
         - `enable_mfa_enforcment`
     - `iam-oidc-provider`
         - None
+    - `iam-policy`
+        - None
     - `iam-read-only-policy`
         - `create`
         - `source_policy_documents`
@@ -215,6 +220,9 @@ stateDiagram
         - `aws_account_id`
     - `iam-oidc-provider`
         - None
+    - `iam-policy`
+        - `description`
+        - `path`
     - `iam-read-only-policy`
         - `description`
         - `path`
@@ -246,6 +254,8 @@ stateDiagram
         - `group_users` -> `users`
     - `iam-oidc-provider`
         - None
+    - `iam-policy`
+        - None
     - `iam-read-only-policy`
         - None
     - `iam-role`
@@ -786,64 +796,7 @@ terraform state mv "module.iam_group.aws_iam_group_policy_attachment.custom_arns
 
 #### `iam-policy`
 
-##### Before `v5.60`
-
-```hcl
-module "iam_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "~> 5.60"
-
-  name_prefix = "example-"
-  path        = "/"
-  description = "My example policy"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:Describe*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-```
-
-##### After `v6.0`
-
-```hcl
-resource "aws_iam_policy" "example" {
-  name_prefix = "example-"
-  path        = "/"
-  description = "My example policy"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:Describe*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-```
-
-##### State Changes
-
-```sh
-terraform state mv "module.iam_policy.aws_iam_policy.policy[0]" aws_iam_policy.example
-```
+None
 
 #### `iam-read-only-policy`
 

examples/iam-policy/README.md

@@ -0,0 +1,57 @@
+# IAM Policy Example
+
+Configuration in this directory creates IAM policies.
+
+# Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | ../../modules/iam-policy | n/a |
+| <a name="module_iam_policy_disabled"></a> [iam\_policy\_disabled](#module\_iam\_policy\_disabled) | ../../modules/iam-policy | n/a |
+| <a name="module_iam_policy_from_data_source"></a> [iam\_policy\_from\_data\_source](#module\_iam\_policy\_from\_data\_source) | ../../modules/iam-policy | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN assigned by AWS to this policy |
+| <a name="output_id"></a> [id](#output\_id) | The policy ID |
+| <a name="output_name"></a> [name](#output\_name) | The name of the policy |
+| <a name="output_policy"></a> [policy](#output\_policy) | The policy document |
+<!-- END_TF_DOCS -->

examples/iam-policy/main.tf

@@ -0,0 +1,72 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+locals {
+  name = "ex-${basename(path.cwd)}"
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-iam"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# IAM Policy
+################################################################################
+
+module "iam_policy" {
+  source = "../../modules/iam-policy"
+
+  name_prefix = "example-"
+  path        = "/"
+  description = "My example policy"
+
+  policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "ec2:Describe*"
+          ],
+          "Effect": "Allow",
+          "Resource": "*"
+        }
+      ]
+    }
+  EOF
+
+  tags = local.tags
+}
+
+module "iam_policy_from_data_source" {
+  source = "../../modules/iam-policy"
+
+  name        = "example_from_data_source"
+  path        = "/"
+  description = "My example policy"
+
+  policy = data.aws_iam_policy_document.bucket_policy.json
+
+  tags = local.tags
+}
+
+module "iam_policy_disabled" {
+  source = "../../modules/iam-policy"
+
+  create = false
+}
+
+################################################################################
+# Supporting resources
+################################################################################
+
+data "aws_iam_policy_document" "bucket_policy" {
+  statement {
+    sid       = "AllowFullS3Access"
+    actions   = ["s3:ListAllMyBuckets"]
+    resources = ["*"]
+  }
+}

examples/iam-policy/outputs.tf

@@ -0,0 +1,23 @@
+################################################################################
+# IAM Policy
+################################################################################
+
+output "id" {
+  description = "The policy ID"
+  value       = module.iam_policy.id
+}
+
+output "arn" {
+  description = "The ARN assigned by AWS to this policy"
+  value       = module.iam_policy.arn
+}
+
+output "name" {
+  description = "The name of the policy"
+  value       = module.iam_policy.name
+}
+
+output "policy" {
+  description = "The policy document"
+  value       = module.iam_policy.policy
+}

examples/iam-policy/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}