New S3 bucket and policy - policy known after apply

We’re creating a new automation and want the plan to show the user what the S3 bucket policy would look like in the plan. However in creating a new bucket and policy, the TF plan will show the bucket details, but as for the bucket policy, it seems the default is policy = (known after apply).

Once the bucket has been created any change to the policy will now show the policy in the TF plan output.

Is it possible to output the actual bucket policy to be applied to a new bucket in a plan or output somehow?

Hi @bullpup597,

Unfortunately because a policy document is just a JSON string there isn’t any way for Terraform to show you a partial version of it when it includes values that won’t be known until apply time.

However, this is a situation where the aws_iam_policy_document data source can help: it is a utility for constructing policy document JSON from normal (Terraform-style) resource arguments, and so although its output will still present the same problem of only being known once all of the contributing values are known, its arguments are structured enough to usually give a good impression of what shape the resulting policy will have even though it’s not exactly the resulting JSON document. For example, if you assign an ARN that hasn’t been issued yet into resources then the Terraform plan should be able to show you that only that argument is (known after apply), while various other arguments are already known.


Yes, that is exactly what we’re trying to show the user creating the plan. The actual Principals being added within a policy, in order to present that, AND existing principals to see what would change.

In your comment, I would assume a policy document could be leveraged for an S3 bucket policy then. And that would be workable.