For resource-based policies, like S3 bucket policies, where you can only attach one policy to the resource, the current aws_iam_policy_document is not adequate.
Say you have a module that creates a bucket policy that does things like enforcing ACLs and server-side encryption. Now you need to add cross-account federation to the policy for one of your buckets. At the moment your option is basically to create an entirely new policy document that replicates the existing one with the only difference being adding one additional statement. For even moderate scale you're going to end up with an explosion of bucket policies that are all 90%+ duplicate code.
Being able to generate statement fragments for injection into a template or being able to add/merge statements to an existing policy document would be greatly beneficial for these resource policy use cases.
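The merge-by-statement behaviour described above, as an added example that is not part of this issue and not provider code: a base bucket policy (constructed here, enforcing TLS and SSE-KMS via Deny statements) has a cross-account statement fragment merged into it. Statements are keyed by `Sid`, which IAM requires to be unique within a policy, so a fragment that reuses an existing `Sid` either fails the merge or explicitly overrides it; the Deny guardrails from the base policy survive untouched. The bucket name and account ID are placeholders.

```python
import json
from copy import deepcopy

# Constructed base policy (placeholder bucket name): the "module-owned" part that
# enforces secure transport and server-side encryption with Deny statements.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

# Constructed statement fragment (placeholder account ID): the per-bucket
# cross-account grant that should be injected without copying the base policy.
CROSS_ACCOUNT_FRAGMENT = [
    {
        "Sid": "AllowPartnerAccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }
]


def merge_policy(base: dict, fragments: list, override: bool = False) -> dict:
    """Return a new policy document with `fragments` merged into `base`.

    Statements are matched by Sid. A fragment whose Sid already exists in the
    base raises ValueError unless override=True, in which case it replaces the
    existing statement in place. Statements without a Sid are always appended.
    The input documents are never mutated.
    """
    merged = deepcopy(base)
    statements = list(merged.get("Statement", []))
    index_by_sid = {s["Sid"]: i for i, s in enumerate(statements) if "Sid" in s}
    for frag in fragments:
        sid = frag.get("Sid")
        if sid is not None and sid in index_by_sid:
            if not override:
                raise ValueError(f"duplicate Sid {sid!r}; pass override=True to replace it")
            statements[index_by_sid[sid]] = deepcopy(frag)
        else:
            if sid is not None:
                index_by_sid[sid] = len(statements)
            statements.append(deepcopy(frag))
    merged["Statement"] = statements
    return merged


def can_merge(base: dict, fragments: list) -> bool:
    """True if no fragment Sid collides with a Sid already in `base`."""
    existing = {s.get("Sid") for s in base.get("Statement", []) if "Sid" in s}
    return not any(f.get("Sid") in existing for f in fragments if "Sid" in f)


def sids(policy: dict) -> list:
    """Ordered list of statement Sids, useful for diffing before/after a merge."""
    return [s.get("Sid") for s in policy["Statement"]]


def deny_statements_preserved(base: dict, merged: dict) -> bool:
    """Guardrail check: every Deny statement of the base is present verbatim in merged."""
    base_denies = [s for s in base["Statement"] if s.get("Effect") == "Deny"]
    return all(d in merged["Statement"] for d in base_denies)


if __name__ == "__main__":
    merged = merge_policy(BASE_POLICY, CROSS_ACCOUNT_FRAGMENT)
    print(json.dumps(merged, indent=2))
    print("denies preserved:", deny_statements_preserved(BASE_POLICY, merged))
```

The `deny_statements_preserved` check is the property a reviewer would want enforced in CI: whatever fragments a bucket-specific module injects, the encryption and transport Deny statements written by the shared module must come out of the merge unchanged.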