Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow adding a policy document containing a placeholder for the bucket name #245

Open
nitrocode opened this issue Aug 24, 2024 · 0 comments

Comments

@nitrocode
Copy link
Member

Describe the Feature

If a policy document needs to be passed in for a custom s3 bucket policy, a data.aws_iam_policy_document must be defined, and then passed into the bucket via source_policy_documents.

The bucket name needs to be passed into the data source before it gets passed to the module. Both the data source and the module require the bucket name for this to work.

Here is an example of how it's setup now

locals {
  bucket_name = "<some-name>"
}

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "arn:aws:s3:::${local.bucket_name}",
      "arn:aws:s3:::${local.bucket_name}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]
  
    actions   = [
      "s3:GetObject",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject",
    ]

    principals {
      type        = "AWS"
      identifiers = [
        aws_iam_role.default.arn,
      ]
    }
  }
}

module "bucket" {
  source  = "cloudposse/s3-bucket/aws"
  version = "4.4.0"
  # latest version https://github.com/cloudposse/terraform-aws-s3-bucket/releases

  name = local.bucket_name

  source_policy_documents = [data.aws_iam_policy_document.bucket_policy.json]
}

Expected Behavior

This would be nice instead

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "${bucket_arn}",
      "${bucket_arnbucket_name}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]

    # ...

Use Case

Described above

Describe Ideal Solution

Described above

Alternatives Considered

I suppose we could avoid setting the s3 bucket policy inside of the module and do it outside of the module like this.

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "${module.bucket.bucket_arn}",
      "${module.bucket.bucket_arn}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]

    # ...
resource "aws_s3_bucket_policy" "default" {
  bucket = module.bucket.bucket_id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

Additional Context

No response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant