From b6fbb42be6a3217f4cf777fecc995fc9f887db53 Mon Sep 17 00:00:00 2001 From: Andrew Haines Date: Wed, 4 Apr 2018 09:35:31 +0100 Subject: [PATCH] Add required DynamoDB IAM permissions for state locking to S3 backend docs --- website/docs/backends/types/s3.html.md | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/website/docs/backends/types/s3.html.md b/website/docs/backends/types/s3.html.md index f958c20e1..e82087971 100644 --- a/website/docs/backends/types/s3.html.md +++ b/website/docs/backends/types/s3.html.md @@ -67,6 +67,34 @@ This is seen in the following AWS IAM Statement: } ``` +### DynamoDB Table Permissions + +If you are using state locking, Terraform will need the following AWS IAM +permissions on the DynamoDB table (`arn:aws:dynamodb:::table/mytable`): + +* `dynamodb:GetItem` +* `dynamodb:PutItem` +* `dynamodb:DeleteItem` + +This is seen in the following AWS IAM Statement: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem" + ], + "Resource": "arn:aws:dynamodb:*:*:table/mytable" + } + ] +} +``` + ## Using the S3 remote state To make use of the S3 remote state we can use the
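Review bot: In the new "DynamoDB Table Permissions" section, the ARN given in the prose (`arn:aws:dynamodb:::table/mytable`) does not match the `Resource` in the JSON statement (`arn:aws:dynamodb:*:*:table/mytable`). DynamoDB table ARNs carry a region and an account ID, so the empty-field form in the prose is not one a reader can paste into a policy. Please use the same form in both places. The `*:*` wildcard in `Resource` also grants the three actions on any table named `mytable` in every region and account the policy can reach. A sentence telling readers to substitute the region and account ID of their lock table would keep the documented policy scoped to that one table.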