scaleway / terraform-provider-scaleway

Terraform Scaleway provider

Home Page: https://www.terraform.io/docs/providers/scaleway/

Add a `scaleway_bucket_policy_document` data resource, akin to `aws_iam_policy_document`

rbarrois opened this issue · comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, there is a limitation with the use of a proper Terraform resource to describe policy documents (e.g. for buckets):

  • Scaleway bucket policies wishing to use IAM-based credentials, and specifically the application_id: principal style, MUST use the 2023-04-17 policy version;
  • The most comfortable way to declare those policies in a terraform file would be to use the aws_iam_policy_document data source;
  • However, the aws_iam_policy_document resource does not accept the Version = "2023-04-17" statement.

New or Affected Resource(s)

  • scaleway_iam_policy_document

Potential Terraform Configuration

data "scaleway_iam_policy_document" "policy" {
  version = "2023-04-17"
  statement {
    sid    = "Delegate access"
    effect = "Allow"
    principals {
      type        = "SCW"
      identifiers = ["application_id:${scaleway_iam_application.reading-app.id}"]
    }
    actions = ["s3:ListBucket"]
    resources = [
      scaleway_object_bucket.bucket.name,
      "${scaleway_object_bucket.bucket.name}/*"
    ]
  }
}

References

See #2133

Workaround

For now, the following seems to work:

resource "scaleway_object_bucket_policy" "main" {
  bucket = scaleway_object_bucket.bucket.id
  policy = jsonencode(
    merge(
      jsondecode(data.aws_iam_policy_document.policy.json),
      {"Version": "2023-04-17"},
    )
  )
}

data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "Delegate access"
    effect = "Allow"
    principals {
      type        = "SCW"
      identifiers = ["application_id:${scaleway_iam_application.reading-app.id}"]
    }
    actions = ["s3:ListBucket"]
    resources = [
      scaleway_object_bucket.bucket.name,
      "${scaleway_object_bucket.bucket.name}/*"
    ]
  }
}
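The merge() step of the workaround only works because the right-hand map overwrites the top-level Version key that aws_iam_policy_document emits, and it is easy to forget on a second bucket. The following added example (not from this issue and not part of the provider) reproduces that merge in Python on a constructed rendering of the data source's JSON, then checks the constraint from the Description: a statement whose SCW principal uses the application_id: form must sit in a document with Version "2023-04-17". The sample policy JSON, the application id and the bucket name are placeholders; the shape assumed for the rendered JSON is the usual aws_iam_policy_document output, where single-element lists are collapsed to strings.

```python
"""Pre-apply check for a rendered Scaleway bucket policy (added example).

Mirrors the workaround's merge() step and then verifies the version rule the
issue describes. Point it at the JSON you get from `terraform output -json`
or a rendered policy file before `terraform apply`.
"""
import json

REQUIRED_VERSION = "2023-04-17"

# Constructed sample: roughly what data.aws_iam_policy_document.policy.json
# renders to for the statement in the issue. The application id and the
# bucket name are placeholders, not real identifiers.
AWS_DATA_SOURCE_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Delegate access",
        "Effect": "Allow",
        "Principal": {"SCW": "application_id:00000000-0000-0000-0000-000000000000"},
        "Action": "s3:ListBucket",
        "Resource": ["example-bucket", "example-bucket/*"],
    }],
})


def apply_version_workaround(policy_json: str, version: str = REQUIRED_VERSION) -> dict:
    """Same semantics as jsonencode(merge(jsondecode(json), {"Version": version})):
    a shallow merge in which the right-hand map wins for the Version key and
    every other top-level key (Statement, Id, ...) is kept untouched."""
    policy = json.loads(policy_json)
    return {**policy, "Version": version}


def _as_list(value):
    # aws_iam_policy_document collapses single-element lists to a bare string;
    # normalise so the caller can iterate either way.
    return value if isinstance(value, list) else [value]


def find_version_mismatches(policy: dict) -> list:
    """Return one message per statement that grants access to an
    application_id: principal while the document does not declare the
    policy version that form requires. An empty list means the policy passes."""
    problems = []
    if policy.get("Version") == REQUIRED_VERSION:
        return problems
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" and other non-map principals are out of scope here
        identifiers = _as_list(principal.get("SCW", []))
        if any(str(i).startswith("application_id:") for i in identifiers):
            problems.append(
                f"statement {stmt.get('Sid', '<no Sid>')!r} uses an application_id "
                f"principal but Version is {policy.get('Version')!r}, "
                f"expected {REQUIRED_VERSION!r}"
            )
    return problems


if __name__ == "__main__":
    # Before the workaround: the data source's default version is rejected.
    for msg in find_version_mismatches(json.loads(AWS_DATA_SOURCE_JSON)):
        print("before workaround:", msg)
    # After the workaround: the merged document passes the check.
    fixed = apply_version_workaround(AWS_DATA_SOURCE_JSON)
    print("after workaround:", find_version_mismatches(fixed) or "ok")
```

The check deliberately looks at the principal form rather than trusting the Version string alone, so a copy-pasted policy that keeps the AWS default version is flagged before it reaches the bucket.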