providers/aws: resource aws_s3_bucket keeps modifying policy #2432
Comments
Also seems that I have to enter |
@phinze solution was to use the following verbose policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::386209384616:root"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::foobar666"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::386209384616:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::foobar666/*"
    }
  ]
}
```

I don't know if it's worth spending engineering time to fix this. It would certainly make UX better for us. |
I'm not sure if it's worth it either. It would require us to actually parse the policy, which seems... unnecessary. I've updated the docs to note this though. |
@mitchellh Dealing with s3 bucket policy diffs is my largest time sink with Terraform. If a more intelligent way to deal with the policy diffs isn't practical, I suggest a troubleshooting section in the docs. Things I've learnt:
Might become:
An example: Account B modifies a resource list to be in this order: In this situation it is impossible to modify the Terraform s3 bucket policy to conform to what AWS produces. Ideally I think Terraform should do a deep equals with some smarts to resolve some of this. |
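The "deep equals with some smarts" suggested above, written out as an added example (this is not code from the issue or from the Terraform AWS provider): a Python comparison that first normalizes the rewrites AWS applies when it stores a bucket policy (bare account id in `Principal.AWS` turned into the root ARN, single strings turned into lists, lists reordered, an empty `Sid` added) and only then decides whether two policies differ. The sample policies, the account id `123456789012` and the bucket name `example-bucket` are constructed for the example; the `policy_diff` helper is my own addition that reports which normalized statements actually differ, which is what you want when a plan shows a diff you do not recognise.

```python
"""Semantic comparison of two S3 bucket policy documents.

Added example, not code from the issue or from the Terraform AWS provider.
Two policies compare equal when they differ only by the cosmetic rewrites
AWS applies on storage. Conditions and unknown keys are compared verbatim
(an assumption of this example, not an AWS guarantee).
"""
import json
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]
LIST_KEYS = ("Action", "NotAction", "Resource", "NotResource")


def _as_list(value: Any) -> List[Any]:
    """AWS accepts either a string or a list; compare both forms as a list."""
    return value if isinstance(value, list) else [value]


def _normalize_principal(principal: Any) -> Any:
    """A bare 12-digit account id under "AWS" is stored by AWS as the root ARN."""
    if not isinstance(principal, dict):
        return principal  # e.g. "*"
    out: Dict[str, List[str]] = {}
    for kind, members in principal.items():
        norm = []
        for member in _as_list(members):
            if kind == "AWS" and isinstance(member, str) and len(member) == 12 and member.isdigit():
                member = f"arn:aws:iam::{member}:root"
            norm.append(member)
        out[kind] = sorted(set(norm))
    return out


def _normalize_statement(statement: Dict[str, Any]) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for key, value in statement.items():
        if key == "Sid" and value == "":
            continue  # AWS emits "Sid": "" for statements written without one
        if key in LIST_KEYS:
            out[key] = sorted(set(_as_list(value)))
        elif key in ("Principal", "NotPrincipal"):
            out[key] = _normalize_principal(value)
        else:
            out[key] = value
    return out


def normalize_policy(doc: Any) -> Policy:
    """Accepts a JSON string or an already-parsed dict; returns a canonical dict."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    statements = [_normalize_statement(s) for s in _as_list(policy.get("Statement", []))]
    # Statement order carries no meaning, so sort on a canonical JSON rendering.
    statements.sort(key=lambda s: json.dumps(s, sort_keys=True))
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def policies_equivalent(a: Any, b: Any) -> bool:
    return normalize_policy(a) == normalize_policy(b)


def policy_diff(a: Any, b: Any) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Normalized statements present only in a, and only in b."""
    sa = normalize_policy(a)["Statement"]
    sb = normalize_policy(b)["Statement"]
    return [s for s in sa if s not in sb], [s for s in sb if s not in sa]


# Constructed samples: what an operator writes in Terraform ...
WRITTEN = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "123456789012"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": {"AWS": "123456789012"},
     "Action": "s3:PutObject",
     "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket/logs/*"]}
  ]
}"""

# ... what AWS hands back for the same policy (same meaning, different shape) ...
STORED = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-bucket/logs/*", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:GetBucketAcl"], "Resource": ["arn:aws:s3:::example-bucket"]}
  ]
}"""

# ... and a genuinely different policy that grants one extra action.
DIFFERENT = STORED.replace('["s3:PutObject"]', '["s3:PutObject", "s3:DeleteObject"]')

if __name__ == "__main__":
    print("written == stored:", policies_equivalent(WRITTEN, STORED))
    print("written == different:", policies_equivalent(WRITTEN, DIFFERENT))
    only_written, only_different = policy_diff(WRITTEN, DIFFERENT)
    print("only in written:", json.dumps(only_written))
    print("only in different:", json.dumps(only_different))
```

Run it as a script, or import it and feed `policies_equivalent` the policy from your `.tf` file and the one returned by `aws s3api get-bucket-policy`; a `True` means the plan diff is cosmetic, and `policy_diff` shows the statements that really changed when it is not.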
@coen-hyde that is a really good idea. The docs are present in this repo under the |
Ugh, silly AWS. Copy/paste policy from the bucket itself into template. No changes. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Repro:
a. foobar.tf
b. detailed_billing_s3.json
Produced state:
state
Plan keeps giving:
The actual policy on the bucket is:
Am I forced to be verbose about `Principal` and give its ARN instead of just the account no.? Should this be handled by the Create/Update func of `aws_s3_bucket`?