S3 access points

I am trying to ensure my network origin for S3 access points is VPC using Terraform. The two options available should be VPC or Internet according to the Terraform docs; however, the value keeps defaulting to true. My Terraform configuration included an S3 bucket, the S3 access point with a VPC configuration block, a VPC resource, a VPC endpoint resource and even the S3 access point resource policy. I equally alternatively added an already created VPC with the hope of it defaulting to true, to no avail. Any idea how to do this, please?

Please share your current code and any errors you’re getting.

Please observe Welcome to the forum - please reformat your message when you do so.

Thank you @macmiranda here’s my code.


```hcl
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_access_point" "example" {
  bucket = aws_s3_bucket.example.arn
  name   = "example"

  # Restricting the access point to a VPC is what yields network_origin = "VPC" after apply.
  vpc_configuration {
    vpc_id = aws_vpc.example.id
  }

  public_access_block_configuration {
    ignore_public_acls      = true
    block_public_acls       = true
    block_public_policy     = true
    restrict_public_buckets = true
  }
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id       = aws_vpc.example.id
  service_name = "com.amazonaws.us-west-2.s3"

  tags = {
    Environment = "test"
  }
}

resource "aws_s3control_access_point_policy" "example" {
  access_point_arn = aws_s3_access_point.example.arn

  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "s3:GetObjectTagging"
      Principal = {
        AWS = "*" # the "*" here and in Resource was swallowed by the forum's markdown in the original post
      }
      Resource = "${aws_s3_access_point.example.arn}/object/*"
    }]
  })
}
```


What value keeps defaulting to true? Please post the output of the plan and show what you mean.

Your code is still not formatted correctly, btw.

Oh, I am sorry about that.

 # aws_s3_access_point.example will be created
  + resource "aws_s3_access_point" "example" {
      + account_id               = (known after apply)
      + alias                    = (known after apply)
      + arn                      = (known after apply)
      + bucket                   = (known after apply)
      + domain_name              = (known after apply)
      + endpoints                = (known after apply)
      + has_public_access_policy = (known after apply)
      + id                       = (known after apply)
      + name                     = "example"
      + network_origin           = (known after apply)
      + policy                   = (known after apply)

      + public_access_block_configuration {
          + block_public_acls       = true
          + block_public_policy     = true
          + ignore_public_acls      = true
          + restrict_public_buckets = true
        }

      + vpc_configuration {
          + vpc_id = "vpc-019153890d27402ef"
        }
    }

  # aws_s3_bucket.example will be created
  + resource "aws_s3_bucket" "example" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "example"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule {
          + allowed_headers = (known after apply)
          + allowed_methods = (known after apply)
          + allowed_origins = (known after apply)
          + expose_headers  = (known after apply)
          + max_age_seconds = (known after apply)
        }

      + grant {
          + id          = (known after apply)
          + permissions = (known after apply)
          + type        = (known after apply)
          + uri         = (known after apply)
        }

      + lifecycle_rule {
          + abort_incomplete_multipart_upload_days = (known after apply)
          + enabled                                = (known after apply)
          + id                                     = (known after apply)
          + prefix                                 = (known after apply)
          + tags                                   = (known after apply)

          + expiration {
              + date                         = (known after apply)
              + days                         = (known after apply)
              + expired_object_delete_marker = (known after apply)
            }

          + noncurrent_version_expiration {
              + days = (known after apply)
            }

          + noncurrent_version_transition {
              + days          = (known after apply)
              + storage_class = (known after apply)
            }

          + transition {
              + date          = (known after apply)
              + days          = (known after apply)
              + storage_class = (known after apply)
            }
        }

      + logging {
          + target_bucket = (known after apply)
          + target_prefix = (known after apply)
        }

      + object_lock_configuration {
          + object_lock_enabled = (known after apply)

          + rule {
              + default_retention {
                  + days  = (known after apply)
                  + mode  = (known after apply)
                  + years = (known after apply)
                }
            }
        }

      + replication_configuration {
          + role = (known after apply)

          + rules {
              + delete_marker_replication_status = (known after apply)
              + id                               = (known after apply)
              + prefix                           = (known after apply)
              + priority                         = (known after apply)
              + status                           = (known after apply)

              + destination {
                  + account_id         = (known after apply)
                  + bucket             = (known after apply)
                  + replica_kms_key_id = (known after apply)
                  + storage_class      = (known after apply)

                  + access_control_translation {
                      + owner = (known after apply)
                    }

                  + metrics {
                      + minutes = (known after apply)
                      + status  = (known after apply)
                    }

                  + replication_time {
                      + minutes = (known after apply)
                      + status  = (known after apply)
                    }
                }

              + filter {
                  + prefix = (known after apply)
                  + tags   = (known after apply)
                }

              + source_selection_criteria {
                  + sse_kms_encrypted_objects {
                      + enabled = (known after apply)
                    }
                }
            }
        }

      + server_side_encryption_configuration {
          + rule {
              + bucket_key_enabled = (known after apply)

              + apply_server_side_encryption_by_default {
                  + kms_master_key_id = (known after apply)
                  + sse_algorithm     = (known after apply)
                }
            }
        }

      + versioning {
          + enabled    = (known after apply)
          + mfa_delete = (known after apply)
        }

      + website {
          + error_document           = (known after apply)
          + index_document           = (known after apply)
          + redirect_all_requests_to = (known after apply)
          + routing_rules            = (known after apply)
        }
    }

network_origin is not known until apply, but I would expect the Sentinel mocks to be able to pick up the network origin, as there is a vpc_configuration block, and set it to VPC; however, it is just set to true:

```
"account_id":               true,
"alias":                    true,
"arn":                      true,
"bucket":                   true,
"domain_name":              true,
"endpoints":                true,
"has_public_access_policy": true,
"id":             true,
"network_origin": true,
"policy":         true,
"public_access_block_configuration": [],
```

Dude, you completely lost me there. Is this about the Terraform code or the Sentinel policy?

Don’t you think it would have been a good idea to at least mention Sentinel in your original post?

network_origin is an exported attribute, meaning it’s only known after the configuration has been applied. This is why it is always represented as true in the terraform plan. You cannot use policy to analyse computed values.
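An added illustration of that point (not code from this thread or from HashiCorp): because network_origin is computed, a plan-time check has to inspect what is configured rather than the exported attribute. This script reads `terraform show -json` output and flags any planned access point without a vpc_configuration block; the plan document is a constructed sample trimmed to the fields the check reads.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the fields this
# check reads. network_origin is computed, so it only ever appears under after_unknown.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_s3_access_point.example", "type": "aws_s3_access_point",
     "change": {"actions": ["create"],
                "after": {"name": "example",
                          "vpc_configuration": [{"vpc_id": "vpc-019153890d27402ef"}]},
                "after_unknown": {"arn": True, "network_origin": True}}},
    {"address": "aws_s3_access_point.internet", "type": "aws_s3_access_point",
     "change": {"actions": ["create"],
                "after": {"name": "internet", "vpc_configuration": []},
                "after_unknown": {"arn": True, "network_origin": True}}},
]})


def network_origin_is_unknown(resource_change: dict) -> bool:
    """True when the plan cannot tell us network_origin yet (it is a computed attribute)."""
    return resource_change["change"].get("after_unknown", {}).get("network_origin") is True


def access_point_violations(plan_json: str) -> list[str]:
    """Return one message per planned S3 access point that is not VPC-restricted.

    network_origin is only known after apply, so the check inspects the configured
    vpc_configuration block, which is what decides network_origin in the first place.
    A block whose vpc_id is itself unknown (VPC created in the same plan) still counts.
    """
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_s3_access_point":
            continue
        if rc["change"].get("actions") == ["delete"]:
            continue  # nothing to enforce on a resource being destroyed
        after = rc["change"].get("after") or {}
        if not after.get("vpc_configuration"):
            violations.append(f"{rc['address']}: no vpc_configuration block; "
                              "network_origin would be Internet")
    return violations


if __name__ == "__main__":
    print("\n".join(access_point_violations(SAMPLE_PLAN_JSON) or ["no violations"]))
```

The same logic applies to the Sentinel mock shown earlier: the mock marks network_origin as unknown (true), so a policy should test for the presence of vpc_configuration instead.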

@macmiranda pardon me for not indicating that from the start. I thought I was configuring the Terraform code wrong on my part, so I wanted to understand the right configuration. Thank you @hcrhall for clarifying this.