Skip to content

Allow adding a policy document containing a placeholder for the bucket name #245

New issue
New issue
Open
Open
Allow adding a policy document containing a placeholder for the bucket name#245
@nitrocode

Description

@nitrocode
nitrocode
opened on Aug 24, 2024

Describe the Feature

If a policy document needs to be passed in for a custom s3 bucket policy, a data.aws_iam_policy_document must be defined, and then passed into the bucket via source_policy_documents.

The bucket name needs to be passed into the data source before it gets passed to the module. Both the data source and the module require the bucket name for this to work.

Here is an example of how it's setup now

locals {
  bucket_name = "<some-name>"
}

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "arn:aws:s3:::${local.bucket_name}",
      "arn:aws:s3:::${local.bucket_name}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]
  
    actions   = [
      "s3:GetObject",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject",
    ]

    principals {
      type        = "AWS"
      identifiers = [
        aws_iam_role.default.arn,
      ]
    }
  }
}

module "bucket" {
  source  = "cloudposse/s3-bucket/aws"
  version = "4.4.0"
  # latest version https://github.com/cloudposse/terraform-aws-s3-bucket/releases

  name = local.bucket_name

  source_policy_documents = [data.aws_iam_policy_document.bucket_policy.json]
}

Expected Behavior

This would be nice instead

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "${bucket_arn}",
      "${bucket_arnbucket_name}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]

    # ...

Use Case

Described above

Describe Ideal Solution

Described above

Alternatives Considered

I suppose we could avoid setting the s3 bucket policy inside of the module and do it outside of the module like this.

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = ""
    effect = "Allow"

    resources = [
      # This is if you use the module below
      "${module.bucket.bucket_arn}",
      "${module.bucket.bucket_arn}/*",
      # If you use raw resources, then use the arn directly
      # aws_s3_bucket.default.arn,
      # "${aws_s3_bucket.default.arn}/*"
    ]

    # ...
resource "aws_s3_bucket_policy" "default" {
  bucket = module.bucket.bucket_id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions