I am setting up Cross Region Replication across 2 AWS accounts. I have multiple buckets that I have made using the new for_each command. The buckets create successfully with no issue. I am having an issue getting the bucket policies to attach to the destination buckets. I am being presented with 2 errors, and I cannot seem to figure out why they are happening. Any advice would be appreciated. Below is the code showing how my destination buckets and policies are created:
```hcl
resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"
  region        = var.dest_region

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]
    resources = [
      for a in aws_s3_bucket.dest_buckets : a.arn
    ]
    principals {
      identifiers = [
        "arn:aws:iam::Source-Account-ID:role/Source-Account-Role",
      ]
      type = "AWS"
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
    resources = [
      for a in aws_s3_bucket.dest_buckets : "${a.arn}/*"
    ]
    principals {
      identifiers = [
        "arn:aws:iam::source-account-id:role/Source-Account-Role",
      ]
      type = "AWS"
    }
    effect = "Allow"
  }
}
```
These are the two errors I am getting:
```
Error: Error putting S3 policy: AccessDenied: Access Denied
status code: 403, request id: BF13D12DF080AB7F, host id: TFz2smedKwq9XIwkOGnksILvbpxFa6rtBEEwNeMmHtR1rL1BPZS5YetCptnKbelaDGO6hfX/LwY=
on main.tf line 42, in resource "aws_s3_bucket_policy" "dest_policy":
42: resource "aws_s3_bucket_policy" "dest_policy" {

Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
status code: 301, request id: , host id:
on main.tf line 42, in resource "aws_s3_bucket_policy" "dest_policy":
42: resource "aws_s3_bucket_policy" "dest_policy" {
```
Any advice would be appreciated.
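
An added example, not part of the original post: in the configuration above, `each.key` inside `aws_s3_bucket_policy` is the entry from `var.s3_bucket_names`, so the policy is put on a bucket name without the `-replica` suffix rather than on the destination bucket that was created. The sketch below targets the created bucket and also gives each bucket a policy scoped to its own ARN; it replaces the two `dest_policy` blocks, and the variable `source_replication_role_arn` is a hypothetical name standing in for the source account role ARN.

```hcl
# Hypothetical variable: ARN of the replication role in the source account.
variable "source_replication_role_arn" {
  type = string
}

# One policy document per destination bucket, keyed like the buckets.
data "aws_iam_policy_document" "dest_policy" {
  for_each = aws_s3_bucket.dest_buckets

  statement {
    sid    = "ReplicationBucketLevel"
    effect = "Allow"
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]
    # Only this bucket's ARN: S3 accepts a bucket policy only when its
    # resources are the bucket it is attached to or objects inside it.
    resources = [each.value.arn]

    principals {
      type        = "AWS"
      identifiers = [var.source_replication_role_arn]
    }
  }

  statement {
    sid    = "ReplicationObjectLevel"
    effect = "Allow"
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
    resources = ["${each.value.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [var.source_replication_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets

  # each.key is the un-suffixed name; each.value.id is the created bucket.
  bucket = each.value.id
  policy = data.aws_iam_policy_document.dest_policy[each.key].json
}
```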