provider/aws: Add per user, role and group policy attachment (supersedes #5816) (#6858)

* Add per user, role and group policy attachment

* Add docs for new IAM policy attachment resources.

* Make policy attachment resources manage only 1 entity<->policy attachment

* provider/aws: Tidy up IAM Group/User/Role attachments

builtin/providers/aws/provider.go

@@ -183,13 +183,16 @@ func Provider() terraform.ResourceProvider {
 			"aws_iam_group_policy":                         resourceAwsIamGroupPolicy(),
 			"aws_iam_group":                                resourceAwsIamGroup(),
 			"aws_iam_group_membership":                     resourceAwsIamGroupMembership(),
+			"aws_iam_group_policy_attachment":              resourceAwsIamGroupPolicyAttachment(),
 			"aws_iam_instance_profile":                     resourceAwsIamInstanceProfile(),
 			"aws_iam_policy":                               resourceAwsIamPolicy(),
 			"aws_iam_policy_attachment":                    resourceAwsIamPolicyAttachment(),
+			"aws_iam_role_policy_attachment":               resourceAwsIamRolePolicyAttachment(),
 			"aws_iam_role_policy":                          resourceAwsIamRolePolicy(),
 			"aws_iam_role":                                 resourceAwsIamRole(),
 			"aws_iam_saml_provider":                        resourceAwsIamSamlProvider(),
 			"aws_iam_server_certificate":                   resourceAwsIAMServerCertificate(),
+			"aws_iam_user_policy_attachment":               resourceAwsIamUserPolicyAttachment(),
 			"aws_iam_user_policy":                          resourceAwsIamUserPolicy(),
 			"aws_iam_user_ssh_key":                         resourceAwsIamUserSshKey(),
 			"aws_iam_user":                                 resourceAwsIamUser(),

builtin/providers/aws/resource_aws_iam_group_policy_attachment.go

@@ -0,0 +1,124 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsIamGroupPolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsIamGroupPolicyAttachmentCreate,
+		Read:   resourceAwsIamGroupPolicyAttachmentRead,
+		Delete: resourceAwsIamGroupPolicyAttachmentDelete,
+
+		Schema: map[string]*schema.Schema{
+			"group": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"policy_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsIamGroupPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+
+	group := d.Get("group").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := attachPolicyToGroup(conn, group, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error attaching policy %s to IAM group %s: %v", arn, group, err)
+	}
+
+	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", group)))
+	return resourceAwsIamGroupPolicyAttachmentRead(d, meta)
+}
+
+func resourceAwsIamGroupPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	group := d.Get("group").(string)
+	arn := d.Get("policy_arn").(string)
+
+	_, err := conn.GetGroup(&iam.GetGroupInput{
+		GroupName: aws.String(group),
+	})
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NoSuchEntity" {
+				log.Printf("[WARN] No such entity found for Policy Attachment (%s)", group)
+				d.SetId("")
+				return nil
+			}
+		}
+		return err
+	}
+
+	attachedPolicies, err := conn.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
+		GroupName: aws.String(group),
+	})
+	if err != nil {
+		return err
+	}
+
+	var policy string
+	for _, p := range attachedPolicies.AttachedPolicies {
+		if *p.PolicyArn == arn {
+			policy = *p.PolicyArn
+		}
+	}
+
+	if policy == "" {
+		log.Printf("[WARN] No such policy found for Group Policy Attachment (%s)", group)
+		d.SetId("")
+	}
+
+	return nil
+}
+
+func resourceAwsIamGroupPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	group := d.Get("group").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := detachPolicyFromGroup(conn, group, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error removing policy %s from IAM Group %s: %v", arn, group, err)
+	}
+	return nil
+}
+
+func attachPolicyToGroup(conn *iam.IAM, group string, arn string) error {
+	_, err := conn.AttachGroupPolicy(&iam.AttachGroupPolicyInput{
+		GroupName: aws.String(group),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func detachPolicyFromGroup(conn *iam.IAM, group string, arn string) error {
+	_, err := conn.DetachGroupPolicy(&iam.DetachGroupPolicyInput{
+		GroupName: aws.String(group),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}

builtin/providers/aws/resource_aws_iam_group_policy_attachment_test.go

@@ -0,0 +1,192 @@
+package aws
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSIamGroupPolicyAttachment_basic(t *testing.T) {
+	var out iam.ListAttachedGroupPoliciesOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSGroupPolicyAttachmentDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSGroupPolicyAttachConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSGroupPolicyAttachmentExists("aws_iam_group_policy_attachment.test-attach", 1, &out),
+					testAccCheckAWSGroupPolicyAttachmentAttributes([]string{"test-policy"}, &out),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSGroupPolicyAttachConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSGroupPolicyAttachmentExists("aws_iam_group_policy_attachment.test-attach", 2, &out),
+					testAccCheckAWSGroupPolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
+				),
+			},
+		},
+	})
+}
+func testAccCheckAWSGroupPolicyAttachmentDestroy(s *terraform.State) error {
+	return nil
+}
+
+func testAccCheckAWSGroupPolicyAttachmentExists(n string, c int, out *iam.ListAttachedGroupPoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No policy name is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).iamconn
+		group := rs.Primary.Attributes["group"]
+
+		attachedPolicies, err := conn.ListAttachedGroupPolicies(&iam.ListAttachedGroupPoliciesInput{
+			GroupName: aws.String(group),
+		})
+		if err != nil {
+			return fmt.Errorf("Error: Failed to get attached policies for group %s (%s)", group, n)
+		}
+		if c != len(attachedPolicies.AttachedPolicies) {
+			return fmt.Errorf("Error: Group (%s) has wrong number of policies attached on initial creation", n)
+		}
+
+		*out = *attachedPolicies
+		return nil
+	}
+}
+func testAccCheckAWSGroupPolicyAttachmentAttributes(policies []string, out *iam.ListAttachedGroupPoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		matched := 0
+
+		for _, p := range policies {
+			for _, ap := range out.AttachedPolicies {
+				// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
+				parts := strings.Split(*ap.PolicyArn, "/")
+				if len(parts) == 2 && p == parts[1] {
+					matched++
+				}
+			}
+		}
+		if matched != len(policies) || matched != len(out.AttachedPolicies) {
+			return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
+		}
+		return nil
+	}
+}
+
+const testAccAWSGroupPolicyAttachConfig = `
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach" {
+    group = "${aws_iam_group.group.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+`
+
+const testAccAWSGroupPolicyAttachConfigUpdate = `
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy2" {
+    name = "test-policy2"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy3" {
+    name = "test-policy3"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach" {
+    group = "${aws_iam_group.group.name}"
+    policy_arn = "${aws_iam_policy.policy2.arn}"
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach2" {
+    group = "${aws_iam_group.group.name}"
+    policy_arn = "${aws_iam_policy.policy3.arn}"
+}
+`

builtin/providers/aws/resource_aws_iam_role_policy_attachment.go

@@ -0,0 +1,124 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsIamRolePolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsIamRolePolicyAttachmentCreate,
+		Read:   resourceAwsIamRolePolicyAttachmentRead,
+		Delete: resourceAwsIamRolePolicyAttachmentDelete,
+
+		Schema: map[string]*schema.Schema{
+			"role": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+			"policy_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsIamRolePolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+
+	role := d.Get("role").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := attachPolicyToRole(conn, role, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error attaching policy %s to IAM Role %s: %v", arn, role, err)
+	}
+
+	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", role)))
+	return resourceAwsIamRolePolicyAttachmentRead(d, meta)
+}
+
+func resourceAwsIamRolePolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	role := d.Get("role").(string)
+	arn := d.Get("policy_arn").(string)
+
+	_, err := conn.GetRole(&iam.GetRoleInput{
+		RoleName: aws.String(role),
+	})
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NoSuchEntity" {
+				log.Printf("[WARN] No such entity found for Policy Attachment (%s)", role)
+				d.SetId("")
+				return nil
+			}
+		}
+		return err
+	}
+
+	attachedPolicies, err := conn.ListAttachedRolePolicies(&iam.ListAttachedRolePoliciesInput{
+		RoleName: aws.String(role),
+	})
+	if err != nil {
+		return err
+	}
+
+	var policy string
+	for _, p := range attachedPolicies.AttachedPolicies {
+		if *p.PolicyArn == arn {
+			policy = *p.PolicyArn
+		}
+	}
+
+	if policy == "" {
+		log.Printf("[WARN] No such policy found for Role Policy Attachment (%s)", role)
+		d.SetId("")
+	}
+
+	return nil
+}
+
+func resourceAwsIamRolePolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	role := d.Get("role").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := detachPolicyFromRole(conn, role, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error removing policy %s from IAM Role %s: %v", arn, role, err)
+	}
+	return nil
+}
+
+func attachPolicyToRole(conn *iam.IAM, role string, arn string) error {
+	_, err := conn.AttachRolePolicy(&iam.AttachRolePolicyInput{
+		RoleName:  aws.String(role),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func detachPolicyFromRole(conn *iam.IAM, role string, arn string) error {
+	_, err := conn.DetachRolePolicy(&iam.DetachRolePolicyInput{
+		RoleName:  aws.String(role),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}

builtin/providers/aws/resource_aws_iam_role_policy_attachment_test.go

@@ -0,0 +1,222 @@
+package aws
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSRolePolicyAttachment_basic(t *testing.T) {
+	var out iam.ListAttachedRolePoliciesOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSRolePolicyAttachmentDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSRolePolicyAttachConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSRolePolicyAttachmentExists("aws_iam_role_policy_attachment.test-attach", 1, &out),
+					testAccCheckAWSRolePolicyAttachmentAttributes([]string{"test-policy"}, &out),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSRolePolicyAttachConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSRolePolicyAttachmentExists("aws_iam_role_policy_attachment.test-attach", 2, &out),
+					testAccCheckAWSRolePolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
+				),
+			},
+		},
+	})
+}
+func testAccCheckAWSRolePolicyAttachmentDestroy(s *terraform.State) error {
+	return nil
+}
+
+func testAccCheckAWSRolePolicyAttachmentExists(n string, c int, out *iam.ListAttachedRolePoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No policy name is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).iamconn
+		role := rs.Primary.Attributes["role"]
+
+		attachedPolicies, err := conn.ListAttachedRolePolicies(&iam.ListAttachedRolePoliciesInput{
+			RoleName: aws.String(role),
+		})
+		if err != nil {
+			return fmt.Errorf("Error: Failed to get attached policies for role %s (%s)", role, n)
+		}
+		if c != len(attachedPolicies.AttachedPolicies) {
+			return fmt.Errorf("Error: Role (%s) has wrong number of policies attached on initial creation", n)
+		}
+
+		*out = *attachedPolicies
+		return nil
+	}
+}
+func testAccCheckAWSRolePolicyAttachmentAttributes(policies []string, out *iam.ListAttachedRolePoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		matched := 0
+
+		for _, p := range policies {
+			for _, ap := range out.AttachedPolicies {
+				// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
+				parts := strings.Split(*ap.PolicyArn, "/")
+				if len(parts) == 2 && p == parts[1] {
+					matched++
+				}
+			}
+		}
+		if matched != len(policies) || matched != len(out.AttachedPolicies) {
+			return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
+		}
+		return nil
+	}
+}
+
+const testAccAWSRolePolicyAttachConfig = `
+resource "aws_iam_role" "role" {
+    name = "test-role"
+	  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach" {
+    role = "${aws_iam_role.role.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+`
+
+const testAccAWSRolePolicyAttachConfigUpdate = `
+resource "aws_iam_role" "role" {
+    name = "test-role"
+	  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy2" {
+    name = "test-policy2"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy3" {
+    name = "test-policy3"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach" {
+    role = "${aws_iam_role.role.name}"
+    policy_arn = "${aws_iam_policy.policy2.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach2" {
+    role = "${aws_iam_role.role.name}"
+    policy_arn = "${aws_iam_policy.policy3.arn}"
+}
+`

builtin/providers/aws/resource_aws_iam_user_policy_attachment.go

@@ -0,0 +1,123 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsIamUserPolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsIamUserPolicyAttachmentCreate,
+		Read:   resourceAwsIamUserPolicyAttachmentRead,
+		Delete: resourceAwsIamUserPolicyAttachmentDelete,
+
+		Schema: map[string]*schema.Schema{
+			"user": &schema.Schema{
+				Type:     schema.TypeString,
+				ForceNew: true,
+				Required: true,
+			},
+			"policy_arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsIamUserPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+
+	user := d.Get("user").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := attachPolicyToUser(conn, user, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error attaching policy %s to IAM User %s: %v", arn, user, err)
+	}
+
+	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", user)))
+	return resourceAwsIamUserPolicyAttachmentRead(d, meta)
+}
+
+func resourceAwsIamUserPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	user := d.Get("user").(string)
+	arn := d.Get("policy_arn").(string)
+
+	_, err := conn.GetUser(&iam.GetUserInput{
+		UserName: aws.String(user),
+	})
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "NoSuchEntity" {
+				log.Printf("[WARN] No such entity found for Policy Attachment (%s)", user)
+				d.SetId("")
+				return nil
+			}
+		}
+		return err
+	}
+
+	attachedPolicies, err := conn.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
+		UserName: aws.String(user),
+	})
+	if err != nil {
+		return err
+	}
+
+	var policy string
+	for _, p := range attachedPolicies.AttachedPolicies {
+		if *p.PolicyArn == arn {
+			policy = *p.PolicyArn
+		}
+	}
+
+	if policy == "" {
+		log.Printf("[WARN] No such User found for Policy Attachment (%s)", user)
+		d.SetId("")
+	}
+	return nil
+}
+
+func resourceAwsIamUserPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).iamconn
+	user := d.Get("user").(string)
+	arn := d.Get("policy_arn").(string)
+
+	err := detachPolicyFromUser(conn, user, arn)
+	if err != nil {
+		return fmt.Errorf("[WARN] Error removing policy %s from IAM User %s: %v", arn, user, err)
+	}
+	return nil
+}
+
+func attachPolicyToUser(conn *iam.IAM, user string, arn string) error {
+	_, err := conn.AttachUserPolicy(&iam.AttachUserPolicyInput{
+		UserName:  aws.String(user),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func detachPolicyFromUser(conn *iam.IAM, user string, arn string) error {
+	_, err := conn.DetachUserPolicy(&iam.DetachUserPolicyInput{
+		UserName:  aws.String(user),
+		PolicyArn: aws.String(arn),
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}

builtin/providers/aws/resource_aws_iam_user_policy_attachment_test.go

@@ -0,0 +1,192 @@
+package aws
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSUserPolicyAttachment_basic(t *testing.T) {
+	var out iam.ListAttachedUserPoliciesOutput
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSUserPolicyAttachmentDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSUserPolicyAttachConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSUserPolicyAttachmentExists("aws_iam_user_policy_attachment.test-attach", 1, &out),
+					testAccCheckAWSUserPolicyAttachmentAttributes([]string{"test-policy"}, &out),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSUserPolicyAttachConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSUserPolicyAttachmentExists("aws_iam_user_policy_attachment.test-attach", 2, &out),
+					testAccCheckAWSUserPolicyAttachmentAttributes([]string{"test-policy2", "test-policy3"}, &out),
+				),
+			},
+		},
+	})
+}
+func testAccCheckAWSUserPolicyAttachmentDestroy(s *terraform.State) error {
+	return nil
+}
+
+func testAccCheckAWSUserPolicyAttachmentExists(n string, c int, out *iam.ListAttachedUserPoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No policy name is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).iamconn
+		user := rs.Primary.Attributes["user"]
+
+		attachedPolicies, err := conn.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
+			UserName: aws.String(user),
+		})
+		if err != nil {
+			return fmt.Errorf("Error: Failed to get attached policies for user %s (%s)", user, n)
+		}
+		if c != len(attachedPolicies.AttachedPolicies) {
+			return fmt.Errorf("Error: User (%s) has wrong number of policies attached on initial creation", n)
+		}
+
+		*out = *attachedPolicies
+		return nil
+	}
+}
+func testAccCheckAWSUserPolicyAttachmentAttributes(policies []string, out *iam.ListAttachedUserPoliciesOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		matched := 0
+
+		for _, p := range policies {
+			for _, ap := range out.AttachedPolicies {
+				// *ap.PolicyArn like arn:aws:iam::111111111111:policy/test-policy
+				parts := strings.Split(*ap.PolicyArn, "/")
+				if len(parts) == 2 && p == parts[1] {
+					matched++
+				}
+			}
+		}
+		if matched != len(policies) || matched != len(out.AttachedPolicies) {
+			return fmt.Errorf("Error: Number of attached policies was incorrect: expected %d matched policies, matched %d of %d", len(policies), matched, len(out.AttachedPolicies))
+		}
+		return nil
+	}
+}
+
+const testAccAWSUserPolicyAttachConfig = `
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach" {
+    user = "${aws_iam_user.user.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+`
+
+const testAccAWSUserPolicyAttachConfigUpdate = `
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy2" {
+    name = "test-policy2"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy3" {
+    name = "test-policy3"
+    description = "A test policy"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:ChangePassword"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach" {
+    user = "${aws_iam_user.user.name}"
+    policy_arn = "${aws_iam_policy.policy2.arn}"
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach2" {
+    user = "${aws_iam_user.user.name}"
+    policy_arn = "${aws_iam_policy.policy3.arn}"
+}
+`

website/source/docs/providers/aws/r/iam_group_policy_attachment.markdown

@@ -0,0 +1,35 @@
+---
+layout: "aws"
+page_title: "AWS: aws_iam_group_policy_attachment"
+sidebar_current: "docs-aws-resource-iam-group-policy-attachment"
+description: |-
+  Attaches a Managed IAM Policy to an IAM group
+---
+
+# aws\_iam\_group\_policy\_attachment
+
+Attaches a Managed IAM Policy to an IAM group
+
+```
+resource "aws_iam_group" "group" {
+    name = "test-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = 	#omitted
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach" {
+    group = "${aws_iam_group.group.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `group`		(Required) - The group the policy should be applied to
+* `policy_arn`	(Required) - The ARN of the policy you want to apply

website/source/docs/providers/aws/r/iam_role_policy_attachment.markdown

@@ -0,0 +1,35 @@
+---
+layout: "aws"
+page_title: "AWS: aws_iam_role_policy_attachment"
+sidebar_current: "docs-aws-resource-iam-role-policy-attachment"
+description: |-
+  Attaches a Managed IAM Policy to an IAM role
+---
+
+# aws\_iam\_role\_policy\_attachment
+
+Attaches a Managed IAM Policy to an IAM role
+
+```
+resource "aws_iam_role" "role" {
+    name = "test-role"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = 	#omitted
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach" {
+    role = "${aws_iam_role.role.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `role`		(Required) - The role the policy should be applied to
+* `policy_arn`	(Required) - The ARN of the policy you want to apply

website/source/docs/providers/aws/r/iam_user_policy_attachment.markdown

@@ -0,0 +1,35 @@
+---
+layout: "aws"
+page_title: "AWS: aws_iam_user_policy_attachment"
+sidebar_current: "docs-aws-resource-iam-user-policy-attachment"
+description: |-
+  Attaches a Managed IAM Policy to an IAM user
+---
+
+# aws\_iam\_user\_policy\_attachment
+
+Attaches a Managed IAM Policy to an IAM user
+
+```
+resource "aws_iam_user" "user" {
+    name = "test-user"
+}
+
+resource "aws_iam_policy" "policy" {
+    name = "test-policy"
+    description = "A test policy"
+    policy = 	#omitted
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach" {
+    user = "${aws_iam_user.user.name}"
+    policy_arn = "${aws_iam_policy.policy.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `user`		(Required) - The user the policy should be applied to
+* `policy_arn`	(Required) - The ARN of the policy you want to apply

website/source/layouts/aws.erb

@@ -384,6 +384,10 @@
                             <a href="/docs/providers/aws/r/iam_group_policy.html">aws_iam_group_policy</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-iam-group-policy-attachment") %>>
+                            <a href="/docs/providers/aws/r/iam_group_policy_attachment.html">aws_iam_group_policy_attachment</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-aws-resource-iam-group-membership") %>>
                             <a href="/docs/providers/aws/r/iam_group_membership.html">aws_iam_group_membership</a>
                         </li>
@@ -407,6 +411,10 @@
                             <a href="/docs/providers/aws/r/iam_role_policy.html">aws_iam_role_policy</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-iam-role-policy-attachment") %>>
+                            <a href="/docs/providers/aws/r/iam_role_policy_attachment.html">aws_iam_role_policy_attachment</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-aws-resource-iam-saml-provider") %>>
                             <a href="/docs/providers/aws/r/iam_saml_provider.html">aws_iam_saml_provider</a>
                         </li>
@@ -423,6 +431,10 @@
                             <a href="/docs/providers/aws/r/iam_user_policy.html">aws_iam_user_policy</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-iam-user-policy-attachment") %>>
+                            <a href="/docs/providers/aws/r/iam_user_policy_attachment.html">aws_iam_user_policy_attachment</a>
+                        </li>
+
                         <li<%= sidebar_current("docs-aws-resource-iam-user-ssh-key") %>>
                           <a href="/docs/providers/aws/r/iam_user_ssh_key.html">aws_iam_user_ssh_key</a>
                         </li>