Newbie on Terraform

This is my code. I am just starting to learn some AWS skills on Terraform by myself (and data sources, of course).
When I want to apply my code, this error pops up:
│ Error: Reference to undeclared resource

│ on s3_3_teams.tf line 87, in resource "aws_s3_bucket_policy" "bucket_a_policy":
│ 87: bucket = aws_s3_bucket.bucket-team-a.id

│ A managed resource "aws_s3_bucket" "bucket-team-a" has not been declared in the root module.

Here is my code:


#S3 Bucket for TEAM A, B, C created + policy A, B, C
resource "aws_s3_bucket" "Bucket_TEAM_A" {
  bucket = "bucket-team-a"
}
resource "aws_s3_bucket_policy" "bucket_a_policy" {
  bucket = aws_s3_bucket.bucket-team-a.id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "DenyAccess",
        Effect = "Deny",
        Principal = {
          "AWS" : "*"
        },
        Action   = "s3:*",
        Resource = "arn:aws:s3:::bucket-team-a",
        Condition = {
          StringNotLike = {
            PrincipalArn = {
              "aws" : "arn:aws:iam::767398066589:role/team_a",
              "aws" : "arn:aws:iam::767398066589:role/team_b",
              "aws" : "arn:aws:iam::767398066589:role/team_c",
              "aws" : "arn:aws:iam::767398066589:role/admin",
              "aws" : "arn:aws:iam::767398066589:user/admin",
              "aws" : "arn:aws:iam::767398066589:user/root"
            }
          }
        }
      }
    ]
  })
}

Thanks a lot for any help

You defined the resource as Bucket_TEAM_A, but you’re referencing it later as aws_s3_bucket.bucket-team-a (which doesn’t exist).

The resource names need to match (and you need to refer to it by the Terraform resource name rather than the name of the actual created resource, i.e. the bucket in this example). Also, generally speaking, the best practice/convention in most Terraform codebases is to use (lower) snake case for resource names.

I’d suggest:

resource "aws_s3_bucket" "bucket_team_a" {
  bucket = "bucket-team-a"
}
resource "aws_s3_bucket_policy" "bucket_a_policy" {
  bucket = aws_s3_bucket.bucket_team_a.id
  # [...]
}

Using an editor / IDE with Terraform language support, adding tools like tflint, etc. may help as well as you start learning.


That works, thanks for your help and tips!

Hi,

I have another error now. I wanted to make my bucket policy more secure, so I tried to "Allow" specific actions to roles/users.
I understand the error, but I can't resolve it…

Here is my code:

resource "aws_s3_bucket" "bucket-team-a" {
  bucket = "bucket-team-a"
}
resource "aws_s3_bucket_policy" "bucket_a_policy" {
  bucket = aws_s3_bucket.bucket-team-a.id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid       = "DenyAccess",
        Effect    = "Deny",
        Principal = "*",
        Action    = "s3:*",
        Resource  = "arn:aws:s3:::bucket-team-a",
        Condition = {
          StringNotLike = {
            "aws:PrincipalArn" : [
              "arn:aws:iam::767398066589:role/team_a",
              "arn:aws:iam::767398066589:role/team_b",
              "arn:aws:iam::767398066589:role/team_c",
              "arn:aws:iam::767398066589:role/Admin",
              "arn:aws:iam::767398066589:user/Mehdi",
              "arn:aws:iam::767398066589:user/root"
            ]
          }
        }
      },
      {
        Sid    = "AllowReadBucketA",
        Effect = "Allow",
        Principal = {
          "AWS" : [
            "arn:aws:iam::767398066589:role/team_a",
            "arn:aws:iam::767398066589:role/team_b",
            "arn:aws:iam::767398066589:role/team_c",
            "arn:aws:iam::767398066589:role/Admin",
            "arn:aws:iam::767398066589:user/Mehdi",
            "arn:aws:iam::767398066589:user/root"
          ]
        },
        Action = [
          "s3:GetObject"
        ],
        Resource = [
          "arn:aws:s3:::bucket-team-a/*"
        ]
      },

Here is the error when I apply:

Error: putting S3 Bucket (bucket-team-a) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 400, RequestID: 64SBX<…>, HostID: adsko<…>, api error MalformedPolicy: Invalid principal in policy

│ with aws_s3_bucket_policy.bucket_a_policy,
│ on s3_3_teams.tf line 98, in resource "aws_s3_bucket_policy" "bucket_a_policy":
│ 98: resource "aws_s3_bucket_policy" "bucket_a_policy" {

So, I understood the error is in

Principal = {
  "AWS" : [
    "arn:aws:iam::767398066589:role/team_a",
    "arn:aws:iam::767398066589:role/team_b",
    "arn:aws:iam::767398066589:role/team_c",
    "arn:aws:iam::767398066589:role/Admin",
    "arn:aws:iam::767398066589:user/Mehdi",
    "arn:aws:iam::767398066589:user/root"
  ]
}
But I can't resolve it.
Thanks again for any help!

jsonencode() turns HCL into JSON. Is there anything inside your policy that doesn’t look like valid HCL?

Can I share all my code with you?
I am not sure I understand what you mean :sweat_smile:

Hi,
Do you have a user named root?
I reproduced the error when I added a user/role that doesn’t exist in my account.
I also recommend changing the bucket reference in your policy:

"arn:aws:s3:::bucket-team-a" >>  "${aws_s3_bucket.bucket-team-a.arn}"
"arn:aws:s3:::bucket-team-a/*" >>  "${aws_s3_bucket.bucket-team-a.arn}/*"

The error is telling you the exact section of the code where it looks to me like you have an issue:

          "AWS" : [
            "arn:aws:iam::767398066589:role/team_a",

Compare how this list is defined vs. other maps / lists in this data structure. Is this JSON or HCL?
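The two problems raised in this thread (referencing the Terraform resource name rather than the bucket name, and listing a principal ARN that does not exist in the account) in one complete, apply-ready configuration. This is an added example, not code from any of the posts above. It assumes the AWS provider 4.x or later, that the roles team_a, team_b, team_c and Admin and the IAM user Mehdi exist in the target account, and it reads the account ID from `aws_caller_identity` instead of hardcoding 767398066589. It addresses the account root as `arn:aws:iam::<account>:root` (there is no IAM user called root, which is one way to get "Invalid principal in policy"), and it goes a little beyond the thread by also denying object-level actions, since the original Deny statement only covered the bucket ARN itself:

```hcl
# Added example, not from the thread. Assumes AWS provider >= 4.x and that the
# roles/user named below already exist in the account the credentials point at.

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id

  # Principals allowed to touch the bucket. The account root is addressed as
  # arn:aws:iam::<account>:root, not as an IAM user named "root". S3 validates
  # every principal ARN at PutBucketPolicy time; one that does not exist
  # produces "MalformedPolicy: Invalid principal in policy".
  allowed_principal_arns = [
    "arn:aws:iam::${local.account_id}:role/team_a",
    "arn:aws:iam::${local.account_id}:role/team_b",
    "arn:aws:iam::${local.account_id}:role/team_c",
    "arn:aws:iam::${local.account_id}:role/Admin",
    "arn:aws:iam::${local.account_id}:user/Mehdi",
    "arn:aws:iam::${local.account_id}:root",
  ]
}

# Terraform resource name (bucket_team_a) vs. the bucket's own name
# (bucket-team-a): every reference elsewhere in the configuration uses the
# former, so aws_s3_bucket.bucket_team_a.arn / .id, never the bucket name.
resource "aws_s3_bucket" "bucket_team_a" {
  bucket = "bucket-team-a"
}

data "aws_iam_policy_document" "bucket_a" {
  # Deny everything to any principal not on the allow-list. Resources come from
  # state rather than a hand-typed ARN so the two cannot drift apart, and the
  # object ARN is included so object-level calls are denied as well.
  statement {
    sid     = "DenyAccess"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.bucket_team_a.arn,
      "${aws_s3_bucket.bucket_team_a.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotLike"
      variable = "aws:PrincipalArn"
      values   = local.allowed_principal_arns
    }
  }

  # Explicit read grant for the same set of principals.
  statement {
    sid       = "AllowReadBucketA"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket_team_a.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = local.allowed_principal_arns
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_a_policy" {
  bucket = aws_s3_bucket.bucket_team_a.id
  policy = data.aws_iam_policy_document.bucket_a.json
}
```

Two caveats worth checking before applying this. `terraform validate` catches the first class of error (undeclared resource) but not the second, because principal existence is only checked by S3 at apply time. And a Deny on `s3:*` with `Principal: "*"` also applies to whoever is running Terraform: if that identity's ARN is not in `allowed_principal_arns`, the policy will be written successfully and then lock you out of the bucket on the next plan or destroy. Assume-role sessions match their role ARN through `aws:PrincipalArn`, so listing the role is enough for them.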
