
Allow multiple policies to be attached to an s3 bucket #409

Closed
hashibot opened this issue Jun 13, 2017 · 8 comments
Labels: enhancement (Requests to existing resources that expand the functionality or scope.), service/s3 (Issues and PRs that pertain to the s3 service.)

Comments

@hashibot

This issue was originally opened by @evanstachowiak as hashicorp/terraform#10543. It was migrated here as part of the provider split. The original body of the issue is below.


Hi there,

Terraform Version

0.7.13

Affected Resource(s)

  • aws_s3_bucket_policy

Expected Behavior

Instead of using a different bucket for different logs, I'm trying to use one bucket with different prefixes. The issue with this is that I cannot use more than one aws_s3_bucket_policy. If I specify this resource multiple times, the previous one gets overwritten and only the last one is used. Ideally, there would be something like an aws_iam_policy_attachment resource.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Try to use multiple s3 policies on a bucket.
@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@mblakele
Contributor

mblakele commented Dec 1, 2017

A related suggestion: provide a way to merge a list of data.aws_iam_policy_document into a single policy. The existing resource.aws_s3_bucket_policy could support a list of policies, and automatically merge them into a single policy.

This would allow modularization of the data.aws_iam_policy_document for specific purposes. As of tf 0.11, lack of something like this can result in a lot of repetition.

@radeksimko radeksimko added the service/s3 Issues and PRs that pertain to the s3 service. label Jan 25, 2018
@JonRoma

JonRoma commented Mar 27, 2018

We want to be able to dynamically add policy statements to an S3 bucket policy.

We first tried having the count on the data object. This strategy generated N self-contained policy documents. In order to be useful, the N policy statements should really be concatenated into a single policy document that can be interpolated into the bucket_policy.

```hcl
# Attempt 1: count on the data source itself. This yields N separate policy
# documents rather than one document with N statements.
data "aws_iam_policy_document" "default" {
  count = "${length(keys(var.statement))}"

  statement {
    sid       = "CloudfrontBucketActions"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.default.arn}/${element(values(var.origin-access-identities), count.index)}/*"]
    principals {
      type        = "AWS"
      identifiers = ["${element(keys(var.statement), count.index)}"]
    }
  }
}
```

Next, we tried putting a count parameter on the statement block in the hope that Terraform would create N instances of that statement, each with the proper values.

```hcl
# Attempt 2: count inside the statement block. Terraform rejects this, as
# count is not a valid argument of a nested block (see the error below).
data "aws_iam_policy_document" "default" {

  statement {
    count     = "${length(keys(var.statement))}"
    sid       = "CloudfrontBucketActions"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.default.arn}/${element(values(var.origin-access-identities), count.index)}/*"]
    principals {
      type        = "AWS"
      identifiers = ["${element(keys(var.statement), count.index)}"]
    }
  }
}
```

This failed with the error `invalid or unknown key: count`.

@bflad
Contributor

bflad commented Mar 28, 2018

In #2890, which was released in v1.9.0 of the AWS provider, we added "layering" functionality to the aws_iam_policy_document data source via the source_json and override_json attributes. It should support functionality similar to what is mentioned in #409 (comment) (among other use cases) where you can merge these data sources together.

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. and removed bug Addresses a defect in current functionality. labels Mar 28, 2018
@bflad
Contributor

bflad commented Mar 28, 2018

For the count use case mentioned above in #409 (comment), we have some upcoming improvements to the Terraform configuration, which should allow better handling of looping through "sub" resources: hashicorp/terraform#17179 and hashicorp/terraform#7034

@bflad
Contributor

bflad commented Jul 9, 2019

Hi folks 👋 There are a few solutions to this problem nowadays:

  • As mentioned above, the aws_iam_policy_document data source supports "layering" via the source_json and override_json arguments
  • Terraform 0.12 supports the new dynamic block, which can be used to dynamically build statement configuration blocks

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
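As an added example (not from the issue or the provider's own code), here is how the two solutions listed above combine in Terraform 0.12 syntax: a dynamic block builds one read-only statement per prefix, source_json layers those statements on a baseline document, and a single aws_s3_bucket_policy attaches the merged result. The bucket resource aws_s3_bucket.default is assumed to exist as in the configuration earlier in the thread; the OAI ARNs, prefixes and sids are constructed sample values.

```hcl
locals {
  # Constructed sample values: OAI principal ARN => prefix it may read.
  origin_access_identities = {
    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID1" = "site-a"
    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID2" = "site-b"
  }
}

# Baseline statement every bucket policy should carry: reject plaintext HTTP.
data "aws_iam_policy_document" "baseline" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.default.arn, "${aws_s3_bucket.default.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# One statement per OAI/prefix pair via a dynamic block (count on a statement is
# rejected). source_json layers them on the baseline; distinct sids are appended.
data "aws_iam_policy_document" "merged" {
  source_json = data.aws_iam_policy_document.baseline.json
  dynamic "statement" {
    for_each = local.origin_access_identities
    content {
      sid       = "CloudfrontRead${replace(statement.value, "-", "")}"
      actions   = ["s3:GetObject"]
      resources = ["${aws_s3_bucket.default.arn}/${statement.value}/*"]
      principals {
        type        = "AWS"
        identifiers = [statement.key]
      }
    }
  }
}

# Exactly one aws_s3_bucket_policy per bucket, carrying the merged document.
resource "aws_s3_bucket_policy" "default" {
  bucket = aws_s3_bucket.default.id
  policy = data.aws_iam_policy_document.merged.json
}
```

Because later layers replace earlier statements that share a sid, keep sids unique across the documents you merge and review the rendered `data.aws_iam_policy_document.merged.json` in the plan output before applying.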

@bflad bflad closed this as completed Jul 9, 2019
@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019
@YakDriver
Member

YakDriver commented Feb 10, 2021

We have merged #12055 into the Terraform AWS Provider. With this, aws_iam_policy_document provides the ability to merge multiple source and override policy documents. This is available now on the main branch and when version 3.28.0 is released (likely Feb. 11, 2021). If you have problems with the functionality or need further enhancements, please open a new issue. Thanks for your interest in the AWS Provider! 🎉

@YakDriver YakDriver self-assigned this Feb 10, 2021
@YakDriver YakDriver added this to the v3.28.0 milestone Feb 10, 2021
@ghost

ghost commented Feb 12, 2021

This has been released in version 3.28.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost ghost unlocked this conversation Feb 12, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Feb 12, 2021