providers/aws: resource aws_s3_bucket keeps modifying policy #2432
Comments
|
Also seems that I have to enter |
|
@phinze solution was to use the following verbose policy. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::386209384616:root"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::foobar666"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::386209384616:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::foobar666/*"
}
]
}I don't know if it's worth spending engineering time to fix this. It would certainly make UX better for us. |
|
I'm not sure if its worth it either. It woudl require us to actually parse the policy which seems... unnecessary. I've updated the docs to note this though. |
|
@mitchellh Dealing with s3 bucket policy diffs is my largest time sink with Terraform. If a more intelligent way to deal with the policy diffs isn't practical. I suggest a trouble shooting section in the docs. Things I've learnt:
Might become:
An example: Account B modifies a resource list to be in this order: In this situation it is impossible to modify the Terraform s3 bucket policy to conform to what AWS produces. Ideally I think should Terraform do a deep equals with some smarts to resolve some of this. |
|
@coen-hyde that is a really good idea. The docs are present in this repo under the |
|
Ugh, silly AWS. Copy/paste policy from the bucket itself into template. No changes. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Repro:
a. foobar.tf
b. detailed_billing_s3.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "386209384616" }, "Action": [ "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Resource": "arn:aws:s3:::foobar666" }, { "Effect": "Allow", "Principal": { "AWS": "386209384616" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::foobar666/*" } ] }Produced state:
state
{ "version": 1, "serial": 3, "modules": [ { "path": [ "root" ], "outputs": {}, "resources": { "aws_s3_bucket.foobar": { "type": "aws_s3_bucket", "primary": { "id": "foobar666", "attributes": { "acl": "private", "bucket": "foobar666", "force_destroy": "false", "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "foobar666", "policy": "{\"Statement\":[{\"Action\":[\"s3:GetBucketAcl\",\"s3:GetBucketPolicy\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::386209384616:root\"},\"Resource\":\"arn:aws:s3:::foobar666\",\"Sid\":\"\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::386209384616:root\"},\"Resource\":\"arn:aws:s3:::foobar666/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", "region": "us-east-1", "tags.#": "1", "tags.Name": "Billing Reports", "website.#": "0", "website_endpoint": "" } } } } } ] }Plan keeps giving:
The actual policy on bucket is;
{ "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::386209384616:root\"},\"Action\":[\"s3:GetBucketAcl\",\"s3:GetBucketPolicy\"],\"Resource\":\"arn:aws:s3:::foobar666\"},{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::386209384616:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::foobar666/*\"}]}" }Am I forced to be verbose about
Principaland give its ARN instead of just account no.?Should this be handled by the Create/Update func of
aws_s3_bucket?The text was updated successfully, but these errors were encountered: