You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If a policy document needs to be passed in for a custom s3 bucket policy, a data.aws_iam_policy_document must be defined, and then passed into the bucket via source_policy_documents.
The bucket name needs to be passed into the data source before it gets passed to the module. Both the data source and the module require the bucket name for this to work.
Here is an example of how it's setup now
locals {
bucket_name="<some-name>"
}
data"aws_iam_policy_document""bucket_policy" {
statement {
sid=""effect="Allow"resources=[
# This is if you use the module below"arn:aws:s3:::${local.bucket_name}",
"arn:aws:s3:::${local.bucket_name}/*",
# If you use raw resources, then use the arn directly# aws_s3_bucket.default.arn,# "${aws_s3_bucket.default.arn}/*"
]
actions=[
"s3:GetObject",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject",
]
principals {
type="AWS"identifiers=[
aws_iam_role.default.arn,
]
}
}
}
module"bucket" {
source="cloudposse/s3-bucket/aws"version="4.4.0"# latest version https://github.com/cloudposse/terraform-aws-s3-bucket/releasesname=local.bucket_namesource_policy_documents=[data.aws_iam_policy_document.bucket_policy.json]
}
Expected Behavior
This would be nice instead
data"aws_iam_policy_document""bucket_policy" {
statement {
sid=""effect="Allow"resources=[
# This is if you use the module below"${bucket_arn}",
"${bucket_arnbucket_name}/*",
# If you use raw resources, then use the arn directly# aws_s3_bucket.default.arn,# "${aws_s3_bucket.default.arn}/*"
]
# ...
Use Case
Described above
Describe Ideal Solution
Described above
Alternatives Considered
I suppose we could avoid setting the s3 bucket policy inside of the module and do it outside of the module like this.
data"aws_iam_policy_document""bucket_policy" {
statement {
sid=""effect="Allow"resources=[
# This is if you use the module below"${module.bucket.bucket_arn}",
"${module.bucket.bucket_arn}/*",
# If you use raw resources, then use the arn directly# aws_s3_bucket.default.arn,# "${aws_s3_bucket.default.arn}/*"
]
# ...
Describe the Feature
If a policy document needs to be passed in for a custom s3 bucket policy, a
data.aws_iam_policy_document
must be defined, and then passed into the bucket viasource_policy_documents
.The bucket name needs to be passed into the data source before it gets passed to the module. Both the data source and the module require the bucket name for this to work.
Here is an example of how it's setup now
Expected Behavior
This would be nice instead
Use Case
Described above
Describe Ideal Solution
Described above
Alternatives Considered
I suppose we could avoid setting the s3 bucket policy inside of the module and do it outside of the module like this.
Additional Context
No response
The text was updated successfully, but these errors were encountered: