Adding a sub object to a data resource


I have a situation where I want to add a grant ACL to an existing S3 bucket that is managed outside of my current terraform deployment.

With a regular resource, I would do like this:

resource aws_s3_bucket bucket {
  bucket = "mybucket"

  grant {
    id          = var.the_id
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]

But because the S3 bucket is not to be managed by terraform, I have declared it like this:

data aws_s3_bucket mybucket {
    bucket = "mybucket"

    provider = aws

And this is where I’m a bit stuck because terraform tells me that grant is an unsupported block type here.
I understand the reason why, but how can I proceed then? I know I could use a local-exec provisioner to call the AWS CLI myself but I was wondering if there was a solution with only Terraform.

As the bucket is not managed by Terraform you aren’t able to do anything other than retrieve information via the data source.

You either need to change the bucket to be managed by Terraform (terraform import and a resource in your code) or make the change you are wanting using whatever mechanism you are currently using to manage that bucket.

Ok, that’s what I thought.
Sad thing is that had the grant been an object in and of themselves, I could have added them via terraform, like what can be done with the link between an IAM policy and an IAM role.

Ah well, I’ll manage something else then.

Hi @obones,

What is and isn’t separated into separate resource types is often determined by the design of the underlying remote API: if the API doesn’t have a separate operation for creating, updating, and deleting just the sub-object then a Terraform provider typically can’t safely provide that operation separately either.

If this “grant” block type does represent something that has extra management actions in the S3 API then the AWS provider team may be open to supporting it as a separate resource type, if you share your use-case in their GitHub repository.

Thanks, I’ll see what I can find in the AWS docs and post in the provider issue tracker if need be.