hashicorp · hydroxide · Sep 28, 2016
diff --git a/builtin/providers/aws/resource_aws_iam_group_policy_attachment.go b/builtin/providers/aws/resource_aws_iam_group_policy_attachment.go
@@ -23,8 +23,10 @@ func resourceAwsIamGroupPolicyAttachment() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
-			"policy_arn": &schema.Schema{
-				Type:     schema.TypeString,
+			"policy_arns": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
 				Required: true,
 				ForceNew: true,
 			},
@@ -36,11 +38,13 @@ func resourceAwsIamGroupPolicyAttachmentCreate(d *schema.ResourceData, meta inte
 	conn := meta.(*AWSClient).iamconn
 
 	group := d.Get("group").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := attachPolicyToGroup(conn, group, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error attaching policy %s to IAM group %s: %v", arn, group, err)
+	for _, arn := range arns {
+		err := attachPolicyToGroup(conn, group, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error attaching policy %s to IAM group %s: %v", *arn, group, err)
+		}
 	}
 
 	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", group)))
@@ -50,7 +54,7 @@ func resourceAwsIamGroupPolicyAttachmentCreate(d *schema.ResourceData, meta inte
 func resourceAwsIamGroupPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	group := d.Get("group").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
 	_, err := conn.GetGroup(&iam.GetGroupInput{
 		GroupName: aws.String(group),
@@ -75,15 +79,17 @@ func resourceAwsIamGroupPolicyAttachmentRead(d *schema.ResourceData, meta interf
 	}
 
 	var policy string
-	for _, p := range attachedPolicies.AttachedPolicies {
-		if *p.PolicyArn == arn {
-			policy = *p.PolicyArn
+	for _, arn := range arns {
+		for _, p := range attachedPolicies.AttachedPolicies {
+			if *p.PolicyArn == *arn {
+				policy = *p.PolicyArn
+			}
+		}
+		if policy == "" {
+			log.Printf("[WARN] No such policy found for Group Policy Attachment (%s)", group)
+			d.SetId("")
+			return nil
 		}
-	}
-
-	if policy == "" {
-		log.Printf("[WARN] No such policy found for Group Policy Attachment (%s)", group)
-		d.SetId("")
 	}
 
 	return nil
@@ -92,11 +98,13 @@ func resourceAwsIamGroupPolicyAttachmentRead(d *schema.ResourceData, meta interf
 func resourceAwsIamGroupPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	group := d.Get("group").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := detachPolicyFromGroup(conn, group, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error removing policy %s from IAM Group %s: %v", arn, group, err)
+	for _, arn := range arns {
+		err := detachPolicyFromGroup(conn, group, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error removing policy %s from IAM Group %s: %v", *arn, group, err)
+		}
 	}
 	return nil
 }

diff --git a/builtin/providers/aws/resource_aws_iam_group_policy_attachment_test.go b/builtin/providers/aws/resource_aws_iam_group_policy_attachment_test.go
@@ -114,7 +114,7 @@ EOF
 
 resource "aws_iam_group_policy_attachment" "test-attach" {
     group = "${aws_iam_group.group.name}"
-    policy_arn = "${aws_iam_policy.policy.arn}"
+    policy_arns = ["${aws_iam_policy.policy.arn}"]
 }
 `
 
@@ -182,11 +182,7 @@ EOF
 
 resource "aws_iam_group_policy_attachment" "test-attach" {
     group = "${aws_iam_group.group.name}"
-    policy_arn = "${aws_iam_policy.policy2.arn}"
-}
-
-resource "aws_iam_group_policy_attachment" "test-attach2" {
-    group = "${aws_iam_group.group.name}"
-    policy_arn = "${aws_iam_policy.policy3.arn}"
+    policy_arns = ["${aws_iam_policy.policy2.arn}",
+                   "${aws_iam_policy.policy3.arn}"]
 }
 `
diff --git a/builtin/providers/aws/resource_aws_iam_role_policy_attachment.go b/builtin/providers/aws/resource_aws_iam_role_policy_attachment.go
@@ -23,8 +23,10 @@ func resourceAwsIamRolePolicyAttachment() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
-			"policy_arn": &schema.Schema{
-				Type:     schema.TypeString,
+			"policy_arns": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
 				Required: true,
 				ForceNew: true,
 			},
@@ -36,11 +38,13 @@ func resourceAwsIamRolePolicyAttachmentCreate(d *schema.ResourceData, meta inter
 	conn := meta.(*AWSClient).iamconn
 
 	role := d.Get("role").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := attachPolicyToRole(conn, role, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error attaching policy %s to IAM Role %s: %v", arn, role, err)
+	for _, arn := range arns {
+		err := attachPolicyToRole(conn, role, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error attaching policy %s to IAM Role %s: %v", *arn, role, err)
+		}
 	}
 
 	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", role)))
@@ -50,7 +54,7 @@ func resourceAwsIamRolePolicyAttachmentCreate(d *schema.ResourceData, meta inter
 func resourceAwsIamRolePolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	role := d.Get("role").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
 	_, err := conn.GetRole(&iam.GetRoleInput{
 		RoleName: aws.String(role),
@@ -71,21 +75,24 @@ func resourceAwsIamRolePolicyAttachmentRead(d *schema.ResourceData, meta interfa
 		RoleName: aws.String(role),
 	}
 	var policy string
-	err = conn.ListAttachedRolePoliciesPages(&args, func(page *iam.ListAttachedRolePoliciesOutput, lastPage bool) bool {
-		for _, p := range page.AttachedPolicies {
-			if *p.PolicyArn == arn {
-				policy = *p.PolicyArn
+	for _, arn := range arns {
+		err = conn.ListAttachedRolePoliciesPages(&args, func(page *iam.ListAttachedRolePoliciesOutput, lastPage bool) bool {
+			for _, p := range page.AttachedPolicies {
+				if *p.PolicyArn == *arn {
+					policy = *p.PolicyArn
+				}
 			}
-		}
 
-		return policy == ""
-	})
-	if err != nil {
-		return err
-	}
-	if policy == "" {
-		log.Printf("[WARN] No such policy found for Role Policy Attachment (%s)", role)
-		d.SetId("")
+			return policy == ""
+		})
+		if err != nil {
+			return err
+		}
+		if policy == "" {
+			log.Printf("[WARN] No such policy found for Role Policy Attachment (%s)", role)
+			d.SetId("")
+			return nil
+		}
 	}
 
 	return nil
@@ -94,11 +101,13 @@ func resourceAwsIamRolePolicyAttachmentRead(d *schema.ResourceData, meta interfa
 func resourceAwsIamRolePolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	role := d.Get("role").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := detachPolicyFromRole(conn, role, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error removing policy %s from IAM Role %s: %v", arn, role, err)
+	for _, arn := range arns {
+		err := detachPolicyFromRole(conn, role, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error removing policy %s from IAM Role %s: %v", *arn, role, err)
+		}
 	}
 	return nil
 }

diff --git a/builtin/providers/aws/resource_aws_iam_role_policy_attachment_test.go b/builtin/providers/aws/resource_aws_iam_role_policy_attachment_test.go
@@ -129,7 +129,7 @@ EOF
 
 resource "aws_iam_role_policy_attachment" "test-attach" {
     role = "${aws_iam_role.role.name}"
-    policy_arn = "${aws_iam_policy.policy.arn}"
+    policy_arns = ["${aws_iam_policy.policy.arn}"]
 }
 `
 
@@ -212,11 +212,7 @@ EOF
 
 resource "aws_iam_role_policy_attachment" "test-attach" {
     role = "${aws_iam_role.role.name}"
-    policy_arn = "${aws_iam_policy.policy2.arn}"
-}
-
-resource "aws_iam_role_policy_attachment" "test-attach2" {
-    role = "${aws_iam_role.role.name}"
-    policy_arn = "${aws_iam_policy.policy3.arn}"
+    policy_arns = ["${aws_iam_policy.policy2.arn}",
+                    ${aws_iam_policy.policy3.arn}"]
 }
 `
diff --git a/builtin/providers/aws/resource_aws_iam_user_policy_attachment.go b/builtin/providers/aws/resource_aws_iam_user_policy_attachment.go
@@ -23,8 +23,10 @@ func resourceAwsIamUserPolicyAttachment() *schema.Resource {
 				ForceNew: true,
 				Required: true,
 			},
-			"policy_arn": &schema.Schema{
-				Type:     schema.TypeString,
+			"policy_arns": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Set:      schema.HashString,
 				Required: true,
 				ForceNew: true,
 			},
@@ -36,11 +38,13 @@ func resourceAwsIamUserPolicyAttachmentCreate(d *schema.ResourceData, meta inter
 	conn := meta.(*AWSClient).iamconn
 
 	user := d.Get("user").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := attachPolicyToUser(conn, user, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error attaching policy %s to IAM User %s: %v", arn, user, err)
+	for _, arn := range arns {
+		err := attachPolicyToUser(conn, user, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error attaching policy %s to IAM User %s: %v", *arn, user, err)
+		}
 	}
 
 	d.SetId(resource.PrefixedUniqueId(fmt.Sprintf("%s-", user)))
@@ -50,7 +54,7 @@ func resourceAwsIamUserPolicyAttachmentCreate(d *schema.ResourceData, meta inter
 func resourceAwsIamUserPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	user := d.Get("user").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
 	_, err := conn.GetUser(&iam.GetUserInput{
 		UserName: aws.String(user),
@@ -75,27 +79,32 @@ func resourceAwsIamUserPolicyAttachmentRead(d *schema.ResourceData, meta interfa
 	}
 
 	var policy string
-	for _, p := range attachedPolicies.AttachedPolicies {
-		if *p.PolicyArn == arn {
-			policy = *p.PolicyArn
+	for _, arn := range arns {
+		for _, p := range attachedPolicies.AttachedPolicies {
+			if *p.PolicyArn == *arn {
+				policy = *p.PolicyArn
+			}
+		}
+		if policy == "" {
+			log.Printf("[WARN] No such User found for Policy Attachment (%s)", user)
+			d.SetId("")
+			return nil
 		}
 	}
 
-	if policy == "" {
-		log.Printf("[WARN] No such User found for Policy Attachment (%s)", user)
-		d.SetId("")
-	}
 	return nil
 }
 
 func resourceAwsIamUserPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).iamconn
 	user := d.Get("user").(string)
-	arn := d.Get("policy_arn").(string)
+	arns := expandStringList(d.Get("policy_arns").(*schema.Set).List())
 
-	err := detachPolicyFromUser(conn, user, arn)
-	if err != nil {
-		return fmt.Errorf("[WARN] Error removing policy %s from IAM User %s: %v", arn, user, err)
+	for _, arn := range arns {
+		err := detachPolicyFromUser(conn, user, *arn)
+		if err != nil {
+			return fmt.Errorf("[WARN] Error removing policy %s from IAM User %s: %v", *arn, user, err)
+		}
 	}
 	return nil
 }

diff --git a/builtin/providers/aws/resource_aws_iam_user_policy_attachment_test.go b/builtin/providers/aws/resource_aws_iam_user_policy_attachment_test.go
@@ -114,7 +114,7 @@ EOF
 
 resource "aws_iam_user_policy_attachment" "test-attach" {
     user = "${aws_iam_user.user.name}"
-    policy_arn = "${aws_iam_policy.policy.arn}"
+    policy_arns = ["${aws_iam_policy.policy.arn}"]
 }
 `
 
@@ -182,11 +182,7 @@ EOF
 
 resource "aws_iam_user_policy_attachment" "test-attach" {
     user = "${aws_iam_user.user.name}"
-    policy_arn = "${aws_iam_policy.policy2.arn}"
-}
-
-resource "aws_iam_user_policy_attachment" "test-attach2" {
-    user = "${aws_iam_user.user.name}"
-    policy_arn = "${aws_iam_policy.policy3.arn}"
+    policy_arns = ["${aws_iam_policy.policy2.arn}",
+                   "${aws_iam_policy.policy3.arn}"]
 }
 `
diff --git a/website/source/docs/providers/aws/r/iam_group_policy_attachment.markdown b/website/source/docs/providers/aws/r/iam_group_policy_attachment.markdown
@@ -3,12 +3,12 @@ layout: "aws"
 page_title: "AWS: aws_iam_group_policy_attachment"
 sidebar_current: "docs-aws-resource-iam-group-policy-attachment"
 description: |-
-  Attaches a Managed IAM Policy to an IAM group
+  Attaches Managed IAM Policies to an IAM group
 ---
 
 # aws\_iam\_group\_policy\_attachment
 
-Attaches a Managed IAM Policy to an IAM group
+Attaches Managed IAM Policies to an IAM group
 
 ```
 resource "aws_iam_group" "group" {
@@ -23,7 +23,7 @@ resource "aws_iam_policy" "policy" {
 
 resource "aws_iam_group_policy_attachment" "test-attach" {
     group = "${aws_iam_group.group.name}"
-    policy_arn = "${aws_iam_policy.policy.arn}"
+    policy_arns = ["${aws_iam_policy.policy.arn}"]
 }
 ```
 
@@ -32,4 +32,4 @@ resource "aws_iam_group_policy_attachment" "test-attach" {
 The following arguments are supported:
 
 * `group`		(Required) - The group the policy should be applied to
-* `policy_arn`	(Required) - The ARN of the policy you want to apply
+* `policy_arns`	(Required) - A list of ARNs of the policies you want to apply
diff --git a/website/source/docs/providers/aws/r/iam_role_policy_attachment.markdown b/website/source/docs/providers/aws/r/iam_role_policy_attachment.markdown
@@ -3,12 +3,12 @@ layout: "aws"
 page_title: "AWS: aws_iam_role_policy_attachment"
 sidebar_current: "docs-aws-resource-iam-role-policy-attachment"
 description: |-
-  Attaches a Managed IAM Policy to an IAM role
+  Attaches Managed IAM Policies to an IAM role
 ---
 
 # aws\_iam\_role\_policy\_attachment
 
-Attaches a Managed IAM Policy to an IAM role
+Attaches Managed IAM Policies to an IAM role
 
 ```
 resource "aws_iam_role" "role" {
@@ -23,7 +23,7 @@ resource "aws_iam_policy" "policy" {
 
 resource "aws_iam_role_policy_attachment" "test-attach" {
     role = "${aws_iam_role.role.name}"
-    policy_arn = "${aws_iam_policy.policy.arn}"
+    policy_arns = ["${aws_iam_policy.policy.arn}"]
 }
 ```
 
@@ -32,4 +32,4 @@ resource "aws_iam_role_policy_attachment" "test-attach" {
 The following arguments are supported:
 
 * `role`		(Required) - The role the policy should be applied to
-* `policy_arn`	(Required) - The ARN of the policy you want to apply
+* `policy_arns`	(Required) - A list of ARNs of the policies you want to apply