terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws

Enabling attach_access_log_delivery_policy without any other attach arguments fails to attach a bucket policy

brycewade1 opened this issue · comments

Description

The logic used to compute local.attach_policy does not factor in the var.attach_access_log_delivery_policy variable, so if that is the only "attach" boolean set it will fail to create and attach a bucket policy.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 3.15.0

  • Terraform version:

Terraform v1.3.4
on linux_amd64

and

Terraform v1.5.4
on linux_amd64

  • Provider version(s):

+ provider registry.terraform.io/hashicorp/aws v4.64.0

Reproduction Code [Required]

# Data sources and locals added so the snippet is self-contained;
# the original referenced local.region and local.account_id without defining them.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
locals {
  region     = data.aws_region.current.name
  account_id = data.aws_caller_identity.current.account_id
}

module "access_log_bucket" {
  source                            = "terraform-aws-modules/s3-bucket/aws"
  version                           = "3.15.0"
  bucket                            = "s3-log-bucket-${local.region}-${local.account_id}"
  attach_access_log_delivery_policy = true
}

Steps to reproduce the behavior:

Using workspaces on a fresh container in CircleCI with no caching.

I run into this error when creating a new bucket to be used solely for S3 access logs.

Expected behavior

I would expect the bucket to be created and to have a bucket policy attached that allows logging.s3.amazonaws.com to put objects, similar to this (but not exactly like):

{
    "Version": "2012-10-17",
    "Id": "S3-Console-Auto-Gen-Policy-1684856677602",
    "Statement": [
        {
            "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1684856677457",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::pivotbio-s3-logging-us-west-2-588598685737/*"
        }
    ]
}

Actual behavior

The data "aws_iam_policy_document" "access_log_delivery" resource is created, but no data "aws_iam_policy_document" "combined" is created, nor is resource "aws_s3_bucket_policy" "this".

Terminal Output Screenshot(s)

Here is a copy/paste of the non-existent bucket policy. 😁

Additional context

This looks like it was just a simple oversight to include the variable in the logic in antonbabenko's feature.
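The gating pattern the issue describes, as an added illustrative example that is not the module's own code: a local that ORs every attach_* flag decides whether the combined policy document and the aws_s3_bucket_policy resource are created, so a flag missing from that OR silently yields no policy. Only attach_access_log_delivery_policy and the resource names access_log_delivery, combined and this come from the issue; the bucket and attach_policy variables, the statement Sid, and the aws:SourceAccount condition (AWS's documented guard against another account's buckets being pointed at this log bucket) are assumptions of this example.

```hcl
variable "bucket" {
  type = string
}

# Hypothetical subset of the module's attach_* inputs. Only
# attach_access_log_delivery_policy is named in the issue; attach_policy is assumed.
variable "attach_policy" {
  type    = bool
  default = false
}

variable "attach_access_log_delivery_policy" {
  type    = bool
  default = false
}

data "aws_caller_identity" "current" {}

locals {
  # Buggy form described in the issue: the new flag was not part of the gate,
  # so attach_access_log_delivery_policy = true on its own attached nothing.
  #   attach_policy = var.attach_policy
  #
  # Corrected form: every attach_* flag feeds the gate.
  attach_policy = var.attach_policy || var.attach_access_log_delivery_policy
}

resource "aws_s3_bucket" "this" {
  bucket = var.bucket
}

# Statement that lets the S3 log delivery service write access logs here.
# The aws:SourceAccount condition limits delivery to logs for buckets in this
# account, which is the hardening AWS recommends for logging.s3.amazonaws.com.
data "aws_iam_policy_document" "access_log_delivery" {
  count = var.attach_access_log_delivery_policy ? 1 : 0

  statement {
    sid    = "AWSAccessLogDeliveryWrite" # assumed name
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.this.arn}/*"]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Merge whichever per-feature documents are enabled; only exists when the gate is true.
data "aws_iam_policy_document" "combined" {
  count = local.attach_policy ? 1 : 0

  source_policy_documents = compact([
    var.attach_access_log_delivery_policy ? data.aws_iam_policy_document.access_log_delivery[0].json : "",
  ])
}

# The bucket policy resource is created only when local.attach_policy is true,
# which is why the flag has to be part of that local.
resource "aws_s3_bucket_policy" "this" {
  count  = local.attach_policy ? 1 : 0
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.combined[0].json
}
```

With the commented-out buggy local, `terraform plan` shows the access_log_delivery data source but no combined document and no aws_s3_bucket_policy, matching the "Actual behavior" above; with the corrected local, all three appear. A quick regression check for a module like this is a plan with each attach_* flag set alone and an assertion that aws_s3_bucket_policy.this[0] is in the plan every time.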