fix: use new destination.bucket key in policy (#256)

Signed-off-by: nitrocode <[email protected]>
cloudposse · Nov 14, 2024 · dce02f2 · dce02f2
1 parent 424de84
commit dce02f2
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/replication.tf b/replication.tf
@@ -1,11 +1,7 @@
-locals {
-  replication_role = format("%s-replication", local.bucket_name)
-}
-
 resource "aws_iam_role" "replication" {
   count = local.replication_enabled ? 1 : 0
 
-  name                 = local.replication_role
+  name                 = format("%s-replication", local.bucket_name)
   assume_role_policy   = data.aws_iam_policy_document.replication_sts[0].json
   permissions_boundary = var.s3_replication_permissions_boundary_arn
 
@@ -32,7 +28,7 @@ data "aws_iam_policy_document" "replication_sts" {
 resource "aws_iam_policy" "replication" {
   count = local.replication_enabled ? 1 : 0
 
-  name   = local.replication_role
+  name   = aws_iam_role.replication[0].name
   policy = data.aws_iam_policy_document.replication[0].json
 
   tags = module.this.tags
@@ -68,6 +64,7 @@ data "aws_iam_policy_document" "replication" {
     resources = toset(concat(
       try(length(var.s3_replica_bucket_arn), 0) > 0 ? ["${var.s3_replica_bucket_arn}/*"] : [],
       [for rule in local.s3_replication_rules : "${rule.destination_bucket}/*" if try(length(rule.destination_bucket), 0) > 0],
+      [for rule in local.s3_replication_rules : "${rule.destination.bucket}/*" if try(length(rule.destination.bucket), 0) > 0],
     ))
   }
 }