
Enabling attach_access_log_delivery_policy without any other attach arguments fails to attach a bucket policy #251

Closed
1 task done
brycewade1 opened this issue Aug 25, 2023 · 4 comments

Comments

@brycewade1 (Contributor)

Description

The logic used to compute local.attach_policy does not factor in the var.attach_access_log_delivery_policy variable, so if that is the only "attach" boolean set it will fail to create and attach a bucket policy.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 3.15.0

  • Terraform version:

Terraform v1.3.4
on linux_amd64

and

Terraform v1.5.4
on linux_amd64
  • Provider version(s):
+ provider registry.terraform.io/hashicorp/aws v4.64.0

Reproduction Code [Required]

```hcl
module "access_log_bucket" {
  source                            = "terraform-aws-modules/s3-bucket/aws"
  version                           = "3.15.0"
  bucket                            = "s3-log-bucket-${local.region}-${local.account_id}"
  attach_access_log_delivery_policy = true
}
```

Steps to reproduce the behavior:

Using workspaces on a fresh container in CircleCI with no caching.

I run into this error when creating a new bucket to be used solely for S3 access logs.

Expected behavior

I would expect the bucket to be created and to have a bucket policy attached that allows logging.s3.amazonaws.com to put objects, similar to this (but not exactly like):

```json
{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1684856677602",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1684856677457",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::pivotbio-s3-logging-us-west-2-588598685737/*"
        }
    ]
}
```

Actual behavior

The data "aws_iam_policy_document" "access_log_delivery" resource is created, but no data "aws_iam_policy_document" "combined" is created, nor is resource "aws_s3_bucket_policy" "this".

Terminal Output Screenshot(s)

Here is a copy/paste of the non-existent bucket policy. 😁

Additional context

This looks like it was just a simple oversight to include the variable in the logic from antonbabenko's feature.

@mvoitko

mvoitko commented Sep 6, 2023

Reproduces also with attach_deny_incorrect_kms_key_sse
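The failure pattern reported in the issue body and in the comment above, as an added illustration that is not the terraform-aws-s3-bucket module's own source: a small stand-in for `local.attach_policy` in which two `attach_*` switches are missing from the aggregate, next to the corrected aggregate. Only `attach_access_log_delivery_policy` and `attach_deny_incorrect_kms_key_sse` are taken from the thread; the other variable names, the resource layout and the `aws:SourceAccount` condition on the log delivery statement are assumptions added here. The condition is a hardening the issue's sample policy does not carry; it keeps a logging configuration in another account from being pointed at this bucket.

```hcl
# Added example, not the module's code. Reproduces the reported shape of the
# bug with a stand-in aggregate and shows the corrected one.

variable "bucket" {
  type = string
}

variable "attach_policy" {
  type    = bool
  default = false
}

# Assumed name, stands in for the switches the aggregate already covered.
variable "attach_deny_insecure_transport_policy" {
  type    = bool
  default = false
}

variable "attach_access_log_delivery_policy" {
  type    = bool
  default = false
}

variable "attach_deny_incorrect_kms_key_sse" {
  type    = bool
  default = false
}

locals {
  # Buggy aggregate (the shape the issue reports): the two newer switches are
  # absent, so enabling only one of them leaves this false and no bucket
  # policy is ever created.
  attach_policy_buggy = (
    var.attach_policy
    || var.attach_deny_insecure_transport_policy
  )

  # Corrected aggregate: every attach_* switch must be listed here. A test
  # that flips each switch on its own and asserts that a bucket policy is
  # planned would have caught the omission.
  attach_policy = (
    var.attach_policy
    || var.attach_deny_insecure_transport_policy
    || var.attach_access_log_delivery_policy
    || var.attach_deny_incorrect_kms_key_sse
  )
}

resource "aws_s3_bucket" "this" {
  bucket = var.bucket
}

data "aws_caller_identity" "current" {}

# Statement that lets the S3 log delivery service write into the bucket,
# matching the principal and action in the issue's expected policy.
data "aws_iam_policy_document" "access_log_delivery" {
  count = var.attach_access_log_delivery_policy ? 1 : 0

  statement {
    sid    = "AWSAccessLogDeliveryWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.this.arn}/*"]

    # Added hardening (assumption): only logging configured in this account
    # may deliver into the bucket.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# The KMS statement for attach_deny_incorrect_kms_key_sse is omitted here;
# only its switch matters for the aggregate.
data "aws_iam_policy_document" "combined" {
  count = local.attach_policy ? 1 : 0

  source_policy_documents = compact([
    var.attach_access_log_delivery_policy ? data.aws_iam_policy_document.access_log_delivery[0].json : "",
  ])
}

resource "aws_s3_bucket_policy" "this" {
  count  = local.attach_policy ? 1 : 0
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.combined[0].json
}
```

With `attach_access_log_delivery_policy = true` and nothing else set, `local.attach_policy_buggy` evaluates to `false` and a plan shows no `aws_s3_bucket_policy.this`, which is the behaviour the issue describes; `local.attach_policy` evaluates to `true` and the policy is planned.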

@github-actions

github-actions bot commented Oct 7, 2023

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Oct 7, 2023
@github-actions

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 17, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 16, 2023

2 participants