While investigating another preemptive issue I found an interesting statement in the logs that PutObject was being rejected. I’m guessing I overlooked these configuration settings. Perhaps it’s time to really buckle down and understand S3 and the way Terraform wants to configure it.

Terraform’s support for bucket policy feels a bit half baked. Policy documents need to refer back to the target bucket, and only a subset of operations is available. As a result the policy document can’t be built inline in the bucket resource. This leads to an interesting situation where an additional resource must attach the policy to the bucket. Effectively the configuration looked similar to:

resource "aws_s3_bucket_policy" "media_bucket_permissions" {
	bucket = "${aws_s3_bucket.media.id}"
	policy = <<MEDIA_POLICY
{
	"Version": "2012-10-17",
	"Statement" : {
		"Sid" : "monolith-read-write",
		"Effect" : "Allow",
		"Principal" : {
			"AWS" : "${aws_iam_role.monolith-role.arn}"
		},
		"Action" : "s3:*",
		"Resource" : "${aws_s3_bucket.media.arn}"
	}
}
MEDIA_POLICY
}

Easy enough and appears to work.
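For comparison, here is an added example (my own, not the post’s configuration) of the same attachment written with the aws_iam_policy_document data source and Terraform 0.12+ expression syntax instead of a JSON heredoc. The resource names aws_s3_bucket.media and aws_iam_role.monolith-role are taken from the post; the statement names and the narrowed action lists are my assumptions. The point it shows is that S3 evaluates bucket-level actions against the bucket ARN and object-level actions such as s3:PutObject against the object ARN (the bucket ARN followed by "/*"), so a policy that lists only the bucket ARN does not cover PutObject; listing both ARNs, with separate action lists, also keeps the grant narrower than s3:*.

```hcl
# Added example, not the post's own config. Builds the bucket policy with
# the aws_iam_policy_document data source so Terraform renders the JSON
# (and validates the HCL) rather than a hand-written heredoc.
# Assumes aws_s3_bucket.media and aws_iam_role.monolith-role exist,
# as in the post above.

data "aws_iam_policy_document" "media_bucket_policy" {
  # Bucket-level actions are evaluated against the bucket ARN itself.
  statement {
    sid    = "monolith-list"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.monolith-role.arn]
    }

    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = [aws_s3_bucket.media.arn]
  }

  # Object-level actions (GetObject, PutObject, DeleteObject) are evaluated
  # against the object ARN, i.e. the bucket ARN followed by "/*". A statement
  # whose Resource is only the bucket ARN does not grant these, which is one
  # reason a PutObject call can be rejected even though the role is allowed
  # on the bucket.
  statement {
    sid    = "monolith-read-write-objects"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.monolith-role.arn]
    }

    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.media.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "media_bucket_permissions" {
  bucket = aws_s3_bucket.media.id
  policy = data.aws_iam_policy_document.media_bucket_policy.json
}
```

Running `terraform plan` shows the rendered JSON in the diff for aws_s3_bucket_policy, which makes it easy to confirm that both the bucket ARN and the `/*` object ARN appear in the Resource fields before applying.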