Referencing S3 bucket ARN in S3 policy string

nyue · March 2, 2020, 11:11pm

How should I be referencing the generated S3 ARN ?

The following fails ?

provider "aws" {
  region = "ca-central-1"
}

resource "aws_s3_bucket" "b" {
  bucket = "nicholas-yue-my-tf-test-bucket"
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::083230063072:role/ACI-Webhooks"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "${aws_s3_bucket.b.arn}"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::083230063072:role/ACI-Webhooks"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::nicholas-yue-my-tf-test-bucket/*"
        }
    ]
}
POLICY
}

output "S3-ARN" {
  value = aws_s3_bucket.b.arn
}

nyue · March 3, 2020, 6:37pm

I have figure out a workable solution. I have moved the content out into an external file and I am now using templatefile to read in the file so that I can update the variables.

policy = templatefile("${path.module}/s3_bucket_policy.tpl", {
  s3_arn = aws_s3_bucket.b.arn
})

Cheers