The buckets are locked up
• Mark Eschbach
While investigating another preemptive issue I found an interesting statement in the logs: PutObject calls were being rejected. I’m guessing I overlooked these configuration settings. Perhaps it’s time to really buckle down and understand S3 buckets and the way Terraform wants to configure them.
Terraform’s support for bucket policy feels a bit half baked. A policy document needs to refer back to the target bucket (by ARN) and only a subset of S3 operations are meaningful in it. As a result the policy document can’t be built inline in the bucket resource itself. This leads to an interesting situation where an additional resource must attach the policy to the bucket. Effectively the configuration looked similar to:
resource "aws_s3_bucket_policy" "media_bucket_permissions" {
  bucket = "${aws_s3_bucket.media.id}"
  policy = <<MEDIA_POLICY
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "monolith-read-write",
    "Effect": "Allow",
    "Principal": {
      "AWS": "${aws_iam_role.monolith-role.arn}"
    },
    "Action": "s3:*",
    "Resource": "${aws_s3_bucket.media.arn}"
  }
}
MEDIA_POLICY
}
Easy enough and appears to work.
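One caveat worth checking before calling the policy done: PutObject, GetObject and DeleteObject are object-level actions, so IAM evaluates them against object ARNs (the bucket ARN followed by "/*"), not against the bucket ARN alone. A statement whose only Resource is the bucket ARN authorizes bucket-level actions such as ListBucket but does not, by itself, authorize PutObject; if uploads work anyway, something else (for example the role's own identity policy) is granting them. The following is an added example, not the post's configuration, that builds the same attachment with the aws_iam_policy_document data source and separate bucket-level and object-level statements. It assumes the post's aws_s3_bucket.media and aws_iam_role.monolith-role resources exist and uses Terraform 0.12+ expression syntax.

```hcl
# Added example (not the post's own configuration). Assumes the same
# aws_s3_bucket.media and aws_iam_role.monolith-role resources as the post.
data "aws_iam_policy_document" "media" {
  # Bucket-level actions are evaluated against the bucket ARN itself.
  statement {
    sid    = "MonolithListBucket"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.monolith-role.arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.media.arn]
  }

  # Object-level actions such as PutObject are evaluated against object
  # ARNs, so the resource must be the bucket ARN followed by "/*".
  # Listing the actions explicitly instead of "s3:*" keeps the grant to
  # what the application actually needs.
  statement {
    sid    = "MonolithReadWriteObjects"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.monolith-role.arn]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.media.arn}/*"]
  }
}

# The policy still has to be attached by a separate resource; the data
# source only renders the JSON document.
resource "aws_s3_bucket_policy" "media_bucket_permissions" {
  bucket = aws_s3_bucket.media.id
  policy = data.aws_iam_policy_document.media.json
}
```

After `terraform apply`, `aws s3api get-bucket-policy --bucket <bucket name>` shows the rendered document, which is a quick way to confirm that the object-level statement carries the "/*" suffix and that the Principal resolved to the intended role ARN rather than to a wildcard.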