From dce02f29a56ae28ef9008566e4dac6488ded5e92 Mon Sep 17 00:00:00 2001
From: RB <7775707+nitrocode@users.noreply.github.com>
Date: Thu, 14 Nov 2024 04:54:30 -0600
Subject: [PATCH] fix: use new destination.bucket key in policy (#256)

Signed-off-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
---
 replication.tf | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/replication.tf b/replication.tf
index ee1d767..1087d32 100644
--- a/replication.tf
+++ b/replication.tf
@@ -1,11 +1,7 @@
-locals {
-  replication_role = format("%s-replication", local.bucket_name)
-}
-
 resource "aws_iam_role" "replication" {
   count = local.replication_enabled ? 1 : 0
 
-  name = local.replication_role
+  name = format("%s-replication", local.bucket_name)
   assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
   permissions_boundary = var.s3_replication_permissions_boundary_arn
 
@@ -32,7 +28,7 @@ data "aws_iam_policy_document" "replication_sts" {
 resource "aws_iam_policy" "replication" {
   count = local.replication_enabled ? 1 : 0
 
-  name = local.replication_role
+  name = aws_iam_role.replication[0].name
   policy = data.aws_iam_policy_document.replication[0].json
   tags = module.this.tags
 
@@ -68,6 +64,7 @@ data "aws_iam_policy_document" "replication" {
     resources = toset(concat(
       try(length(var.s3_replica_bucket_arn), 0) > 0 ? ["${var.s3_replica_bucket_arn}/*"] : [],
       [for rule in local.s3_replication_rules : "${rule.destination_bucket}/*" if try(length(rule.destination_bucket), 0) > 0],
+      [for rule in local.s3_replication_rules : "${rule.destination.bucket}/*" if try(length(rule.destination.bucket), 0) > 0],
     ))
   }
 }
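Review bot: The inlined `name = format("%s-replication", local.bucket_name)` on the role has no length guard: IAM role names are limited to 64 characters while an S3 bucket name may be up to 63, so the 12-character suffix can push the role name over the limit and the apply fails at create time. The removed `local.replication_role` computed the same string, so this is not a regression, but with the expression now living on this line and being re-read via `aws_iam_role.replication[0].name` in the next hunk, this is the one place to constrain it. A precondition on the role (or a `validation` block on the bucket-name input) that rejects names longer than 64 characters would surface the problem at plan time rather than apply time; truncating with `substr(...)` is the alternative, at the cost of a less predictable role name. The `aws_iam_role` block continues past the end of the hunk.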
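Review bot: The added `rule.destination.bucket` comprehension sits next to the existing `rule.destination_bucket` one with nothing explaining why both remain, so a later reader cannot tell whether the flat key is still a supported schema or an overlooked leftover. A comment above the legacy line such as `# legacy flat destination_bucket key is still honoured; new-style rules use destination.bucket` would record the intent, and the two comprehensions could alternatively be folded into one using `try(rule.destination.bucket, rule.destination_bucket, "")` so the resource list cannot drift between the two shapes. It is worth noting in that comment that `try(length(...), 0)` is what lets a rule with a null `destination` object, or no such key at all, fall through this line without an evaluation error — presumably intentional, but it also means a typo in a rule's key silently drops that bucket from the policy. The enclosing `data "aws_iam_policy_document" "replication"` block begins before this hunk.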