How to refer conditional resources on another resource in terraform

vickyrathore1212 · October 29, 2021, 11:19am

I created 2 buckets. One will create always and one will create when env is QA.

resource "aws_s3_bucket" "bucket_always" {
  bucket_prefix = format("bucket.always")
  acl           = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }
} 

resource "aws_s3_bucket" "bucket_conditional" {
  count = var.name == "qa" ? 1 : 0
  bucket_prefix = format("bucket.conditional")
  acl           = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }
}

Now how can I create an IAM and add both buckets arn? The below policy won’t work because of conditional bucket

data "aws_iam_policy_document" "test_policy_document" {
  statement {
    actions = [
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.bucket_always.arn,
      aws_s3_bucket.bucket_conditional.arn,
    ]
  }

  statement {
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]

    resources = [
      "${aws_s3_bucket.bucket_always.arn}/*",
      "${aws_s3_bucket.bucket_conditional.arn}/*",
    ]
  }
}

stuart-c · October 29, 2021, 4:07pm

You need to add the conditional where you are using it too. So only try to reference the QA bucket if the environment is set to QA.

apparentlymart · October 29, 2021, 9:09pm

If you’ll be frequently using “all of the buckets” in expressions and want to factor out the conditional handling then you could declare a local value like this;

locals {
  s3_buckets = concat(
    [aws_s3_bucket.bucket_always],
    aws_s3_bucket.bucket_conditional,
  )
}

Because aws_s3_bucket.bucket_always doesn’t have count set we need to construct a single-element sequence to concatenate here, but concat then concatenates them together to make a single flat sequence of bucket objects, which will have either one or two elements. (Another way to go here would be to set unconditional count = 1 on that first resource so that they’ll both appear as lists of objects, but I think that would probably be surprising for future readers.)

You can then use local.s3_buckets in all of the ways you might typically use to work with all instances of a resource with count set. For example:

  resources = local.s3_buckets[*].arn

  resources = [for b in local.s3_buckets : "${b.arn}/*"]

Topic		Replies	Views
Conditional s3 bucket creation Terraform hcp-terraform	6	2557	July 22, 2022
Conditionally set a variable in a aws_s3_bucket resource Terraform	0	775	July 19, 2020
Can I use conditional logic (% if ) in data.aws_iam_policy_document resources Terraform	3	3336	March 18, 2020
Conditionally creating a resource if variable is not empty Terraform	3	37987	November 23, 2021
Conditional creation Terraform	5	14159	October 13, 2022

How to refer conditional resources on another resource in terraform

Related topics