Automic VaultAutomic Vault

brew

Install terraform-iam-policy-validator with Homebrew, Nix

CLI to validate AWS IAM policies in Terraform templates for best practices. Version 0.0.9 via Homebrew; verified 2026-05-15.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install terraform-iam-policy-validator

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#terraform-iam-policy-validator

nixpkgs package indexes · pkgs/by-name/te/terraform-iam-policy-validator/package.nix · source: api.github.com

overview

Package summary

CLI to validate AWS IAM policies in Terraform templates for best practices

Commands and aliases

  • tf-policy-validator

history

Project history and usage

terraform-iam-policy-validator is an AWS Labs security CLI, installed as `tf-policy-validator`, that checks IAM policies extracted from Terraform plan output with IAM Access Analyzer validation and custom policy checks.

Project history

The awslabs/terraform-iam-policy-validator repository was created on GitHub in August 2022. Its README describes a command-line tool that parses Terraform templates for IAM identity-based and resource-based policies, then runs them through IAM Access Analyzer policy validation checks and optional custom policy checks.

Adoption history

The project is narrower than general Terraform linters because it focuses specifically on AWS IAM policy semantics. The input package facts list Homebrew and Nix packaging, while the official README documents Python installation with `pip install tf-policy-validator`, indicating use both as a Python CLI and as a packaged security tool.

How it is used

The documented workflow is to run Terraform, convert a plan to JSON with `terraform show -json`, and pass that file to `tf-policy-validator validate` with an AWS region and config file. The tool can fail a pipeline when findings of selected severity levels are treated as blocking.

The README also documents custom checks for no-new-access, access-not-granted, and no-public-access. Because those checks call AWS IAM Access Analyzer APIs through boto3, the tool uses normal AWS credential resolution, including environment variables, shared credentials, AWS config, assume-role providers, and EC2 instance metadata.

Why package nerds care

For package-manager users, terraform-iam-policy-validator represents the compliance side of Terraform packaging: it is a standalone executable meant to be dropped into CI after `terraform plan`, with policy behavior controlled by command flags and config files. Its importance is strongest in AWS-heavy shops that want IAM policy review before apply.

Timeline

  • 2022: GitHub repository created.
  • 2024: v0.0.6 and v0.0.7 releases published.
  • 2024: v0.0.8 release added custom-check changes including check-no-public-access.
  • 2025: v0.0.9 listed as the latest GitHub release during research.

Related projects

  • The README ties the tool to AWS IAM Access Analyzer, boto3 credential handling, Terraform plan JSON, and AWS sample material for IAM Access Analyzer custom policy checks.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for terraform-iam-policy-validator. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 2 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.aws/credentials~/.aws/config

executables

Installed executables

CommandKindExposureNote
tf-policy-validatorcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.0.9
manager updated2026-05-15
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/awslabs/terraform-iam-policy-validator

install metadata

Package metadata

Package keybrew:terraform-iam-policy-validator
Version0.0.9
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/terraform-iam-policy-validator
Homepagehttps://github.com/awslabs/terraform-iam-policy-validator
Repositoryhttps://github.com/awslabs/terraform-iam-policy-validator
Upstream docshttps://github.com/awslabs/terraform-iam-policy-validator#readme
LicenseMIT-0
Source archivehttps://files.pythonhosted.org/packages/89/6b/bdb90f2fcb4a0033f138d52d5b24af9a2f8a84703ef94cbc31d51f0afaed/tf_policy_validator-0.0.9.tar.gz
Last updated2026-05-15T11:14:03Z
Pulseupdated
Dependencieslibyaml, python@3.14
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameterraform-iam-policy-validator
Version Scheme0
Revision4
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

terraform-iam-policy-validator

nix profile install nixpkgs#terraform-iam-policy-validator
  • normalized package name match
  • Matched by: Terraform Iam Policy Validator
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/te/terraform-iam-policy-validator/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment