Add an aws_s3_access_point_policy resource to prevent cycle errors #12235

Closed
ghost opened this issue Mar 3, 2020 · 4 comments · Fixed by #19294
Labels: new-resource (Introduces a new resource.), service/s3control (Issues and PRs that pertain to the s3control service.)

Comments

ghost commented Mar 3, 2020

This issue was originally opened by @AlexEshoo as hashicorp/terraform#24258. It was migrated here as a result of the provider split. The original body of the issue is below.


Current Terraform Version

```
Terraform v0.12.21
+ provider.aws v2.51.0
```

Use-cases

When creating an AWS S3 Access Point, a common task is to attach a policy to the access point.
Terraform provides this with the policy attribute of the aws_s3_access_point resource, but it cannot be used with the aws_iam_policy_document data source when the document references the ARN of the access point without causing cycle errors.

Attempted Solutions


resource "aws_s3_access_point" "test_access_point" {
  bucket = aws_s3_bucket.my_bucket.id
  name   = "test"
  policy = data.aws_iam_policy_document.test_access_point_policy_doc.json
}

data "aws_iam_policy_document" "test_access_point_policy_doc" {
  statement {
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.my_role.arn]
    }
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_access_point.test_access_point.arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["test/*"]
    }
  }
}

This causes cycle errors due to the circular reference.

Proposal

This problem is resolved for the aws_s3_bucket resource by having a separate resource named aws_s3_bucket_policy that can be used to link the two resources without circular references. An example is demonstrated here.

The proposal would be to create a similar aws_s3_access_point_policy resource that would handle updating the policy on the access point after creation.

References

@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Mar 3, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 3, 2020
ewbankkit (Contributor) commented:

Related:

@justinretzolk justinretzolk added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 22, 2021
@ewbankkit ewbankkit added service/s3control Issues and PRs that pertain to the s3control service. and removed service/iam Issues and PRs that pertain to the iam service. labels Nov 15, 2021
ewbankkit (Contributor) commented Nov 15, 2021

Note that the new resource will be named aws_s3control_access_point_policy to conform with new resource naming guidelines.

Also, until the next major version of the Terraform AWS Provider (v4.0.0), note that the lifecycle.ignore_changes meta-argument will need to be used on the aws_s3_access_point resource to prevent permanent diffs for the policy argument.
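The configuration below is an added example, not code from the issue or from the provider's documentation: it rewrites the reporter's cyclic configuration using the separate aws_s3control_access_point_policy resource and the lifecycle.ignore_changes workaround described above. The bucket name is a placeholder and aws_iam_role.my_role is assumed to be defined elsewhere in the configuration.

```hcl
# Constructed example (added here; not from the issue or the provider docs).
# Bucket name is a placeholder; aws_iam_role.my_role is assumed to exist.
resource "aws_s3_bucket" "my_bucket" {
  bucket = "example-bucket-placeholder"
}

resource "aws_s3_access_point" "test_access_point" {
  bucket = aws_s3_bucket.my_bucket.id
  name   = "test"

  # Before provider v4.0.0 this resource also exposes a "policy" argument.
  # Ignore it so the separate policy resource owns the policy and no
  # permanent diff is reported (per the maintainer comment above).
  lifecycle {
    ignore_changes = [policy]
  }
}

# The document can now reference the access point ARN: the dependency
# chain is bucket -> access point -> document -> policy resource, no cycle.
data "aws_iam_policy_document" "test_access_point_policy_doc" {
  statement {
    sid    = "AllowListUnderTestPrefix"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.my_role.arn]
    }
    # Least privilege: only ListBucket, only through this access point,
    # only for keys under the "test/" prefix.
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_access_point.test_access_point.arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["test/*"]
    }
  }
}

# Attaches the policy after the access point exists, mirroring the
# aws_s3_bucket / aws_s3_bucket_policy split the issue points to.
resource "aws_s3control_access_point_policy" "test_access_point_policy" {
  access_point_arn = aws_s3_access_point.test_access_point.arn
  policy           = data.aws_iam_policy_document.test_access_point_policy_doc.json
}
```

Running `terraform validate` against this configuration should no longer report a dependency cycle, since the access point no longer references the document that references it.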

github-actions bot commented:
This functionality has been released in v3.66.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions bot commented:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 28, 2022