
Unable to override policy of existing S3 bucket #152

Closed
c42-dana-mckiernan opened this issue Apr 15, 2021 · 0 comments · Fixed by #154
Labels
bug 🐛 An issue with the system

Comments

@c42-dana-mckiernan

Describe the Bug

When using the origin_bucket and override_origin_bucket_policy inputs, I consistently got the following error:

│ Error: Error putting S3 policy: InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 1, PutBucketPolicyInput.Bucket.
│
│
│   on .terraform/modules/cdn/main.tf line 79, in resource "aws_s3_bucket_policy" "default":
│   79: resource "aws_s3_bucket_policy" "default" {
│
╵

Expected Behavior

I was expecting the resulting generated AWS objects to use my provided S3 bucket with its policy replaced with that of the automagically generated policies equivalent to what would have happened if I'd had the module create the bucket.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create a terraform module resource using both origin_bucket and override_origin_bucket_policy
  2. Run terraform apply

Environment (please complete the following information):

This happened initially with version 0.52.0, but I also tried it with 0.58.1 and 0.59.0

Additional Context

What I think is happening is that the bucket attribute of the aws_s3_bucket_policy resource is required, and the code for the aws_s3_bucket_policy.default in main.tf is:

resource "aws_s3_bucket_policy" "default" {
  # Created when the module owns the bucket, or when the caller asks to override the policy of an existing one.
  count  = (module.this.enabled && (! local.using_existing_origin || var.override_origin_bucket_policy)) ? 1 : 0
  # Only ever set from the module-created bucket; empty when an existing bucket is supplied.
  bucket = join("", aws_s3_bucket.origin.*.bucket)
  policy = local.iam_policy_document
}

But if you are providing an external, preexisting S3 bucket, aws_s3_bucket.origin.*.bucket isn't going to have a value.

Lower down in the code, in the second locals block, there is a bucket variable defined like so:

locals {
  # Prefer the caller-supplied origin_bucket, otherwise fall back to the module-created bucket's id.
  bucket = join("",
    compact(
      concat([var.origin_bucket], concat([""], aws_s3_bucket.origin.*.id))
    )
  )
}

If I set the bucket attribute in aws_s3_bucket_policy.default to local.bucket, I am able to cleanly apply, as now bucket contains at least my externally supplied bucket.

There may be subtleties I'm missing, but this seems to be the crux of things.
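The corrected resource as described above, written out as an added example rather than code from the module or the reporter: it points `bucket` at `local.bucket` and adds a plan-time precondition so an unresolved bucket name fails with a readable message instead of the AWS `InvalidParameter` error. It assumes the module's existing `local.using_existing_origin`, `local.iam_policy_document`, the `local.bucket` expression quoted in the issue, and Terraform 1.2 or later for the `precondition` block.

```hcl
# Added example: the fix the issue proposes, plus an explicit check.
# Assumes the module's own locals and variables named below already exist.

resource "aws_s3_bucket_policy" "default" {
  # Attach a policy when the module creates the bucket, or when the caller
  # explicitly asked to replace the policy of an existing bucket.
  count = (module.this.enabled && (!local.using_existing_origin || var.override_origin_bucket_policy)) ? 1 : 0

  # local.bucket resolves to var.origin_bucket when an existing bucket is
  # supplied and to the module-created bucket's id otherwise, so it is
  # non-empty in both branches of the count expression above.
  bucket = local.bucket
  policy = local.iam_policy_document

  lifecycle {
    # Fail during plan with a clear message rather than letting the S3 API
    # reject an empty PutBucketPolicyInput.Bucket at apply time.
    precondition {
      condition     = length(local.bucket) > 0
      error_message = "aws_s3_bucket_policy.default: no origin bucket name resolved; set origin_bucket or let the module create the bucket."
    }
  }
}
```

With override_origin_bucket_policy set, the existing bucket's policy is replaced wholesale by the module-generated document, so compare that document against whatever access the bucket previously granted before applying.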
