Great article. Thank you for sharing. Regarding the IAM policy my personal preference is to use aws_iam_policy_document instead of an encoded Json, but i guess that this is a matter of "flavor"
Thanks for your kind words and your feedback, Stefan.
You are right, the aws_iam_policy_document is easier to reason and work with.
I just wanted to take the shortcut to post a working policy to get IAM out of the way, but now I am considering just rewriting the IAM parts.