Terraform - attach policy to s3 bucket

走了就别回头了 2021-01-29 05:38

In an earlier post I asked how to create multiple S3 buckets without duplicating code, and the answer there worked well:

Terraform - creating multiple buckets

  • 2021-01-29 06:37

    I don't think you can interpolate variables inside the policy JSON like that. Instead, render the policy through a `template_file` data source and feed the rendered JSON into the `aws_iam_policy` resource. (On newer Terraform the `aws_iam_policy_document` data source is the safer way to build the document, since it emits correctly escaped JSON rather than splicing strings into a template.)

    This will create a policy for each bucket (names taken from the previous question)

    • UserPolicy-prod_bucket
    • UserPolicy-stage-bucket
    • UserPolicy-qa-bucket

    You then need to attach each of the policies to `aws_iam_user.user.name`, again using `count`, as shown below. Keep in mind that IAM limits how many managed policies a single user can have attached (10 by default, an adjustable quota), so this one-policy-per-bucket pattern stops scaling once the bucket list grows past that.

    # Renders one IAM policy document per bucket in var.s3_bucket_name. The rendered
    # JSON is consumed by aws_iam_policy.user_policy via
    # data.template_file.policy.*.rendered, so the data source name/type is part of
    # the contract with that resource.
    # NOTE(review): this is Terraform 0.11-era syntax (quoted interpolation, bare
    # `vars {}` block); on 0.12+ the templatefile() function or, better, the
    # aws_iam_policy_document data source replaces template_file — confirm the
    # target Terraform version before reusing.
    data "template_file" "policy" {
      count = "${length(var.s3_bucket_name)}"
    
      # "$${bucket}" is the escaped form: the outer HCL parser leaves a literal
      # "${bucket}" in the text so that template_file, not Terraform's own
      # interpolation, fills it in from the vars block below.
      # NOTE(review): besides object read/write/delete and tagging, this statement
      # grants the bucket-level s3:PutLifecycleConfiguration. A holder of that right
      # can add an expiration rule that purges every object in the bucket —
      # effectively a bulk delete that s3:DeleteObject alone would not give. Drop
      # the two lifecycle actions unless the user genuinely manages lifecycle rules.
      # Bucket-level actions (ListBucket, *LifecycleConfiguration) only match the
      # bucket ARN and object-level actions only match "<bucket>/*"; listing both
      # ARNs in a single statement is harmless, the mismatched pairs are simply
      # inert.
      template = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:ListBucket",
            "s3:GetLifecycleConfiguration",
            "s3:PutLifecycleConfiguration",
            "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging" ],
          "Resource": [
            "arn:aws:s3:::$${bucket}",
            "arn:aws:s3:::$${bucket}/*"
          ]
        }
      ]
    }
    EOF
    
      vars {
        # The bucket name is spliced into the JSON without escaping. S3 bucket
        # names are restricted to lowercase letters, digits, dots and hyphens, so
        # no quote or backslash can reach the document, but nothing here enforces
        # that — aws_iam_policy_document would encode the value properly.
        bucket = "${var.s3_bucket_name[count.index]}"
      }
    }
    
    # One customer-managed IAM policy per bucket, named "UserPolicy-<bucket>" and
    # holding the JSON rendered by data.template_file.policy for the same index.
    # count equals the number of buckets, so indexing and element() are equivalent
    # here (element() only differs by wrapping around for out-of-range indices).
    resource "aws_iam_policy" "user_policy" {
      count  = "${length(var.s3_bucket_name)}"
      policy = "${element(data.template_file.policy.*.rendered, count.index)}"
      # Bucket names may contain dots and hyphens, both of which are legal in IAM
      # policy names.
      name   = "UserPolicy-${var.s3_bucket_name[count.index]}"
    }
    
    # Attaches every generated policy to the single IAM user, one attachment per
    # bucket. aws_iam_user_policy_attachment is additive — unlike
    # aws_iam_policy_attachment, which is exclusive — so policies attached to the
    # user elsewhere are left untouched.
    # NOTE(review): IAM caps the number of managed policies attached to one user
    # (10 by default, an adjustable quota); this per-bucket layout will fail to
    # apply once var.s3_bucket_name exceeds that limit.
    resource "aws_iam_user_policy_attachment" "user_policy_attach" {
      count      = "${length(var.s3_bucket_name)}"
      policy_arn = "${element(aws_iam_policy.user_policy.*.arn, count.index)}"
      user       = "${aws_iam_user.user.name}"
    }
    