I am creating a bucket and then a bucket policy to allow all the listed accounts access. It seems to pass on terraform plan/apply, but looking at the console, only one account is listed; it seems to be trampling the previous policy adds.
I have a variable list and code to generate the bucket/policy:
    variable "accounts" {
      type = "list"
      default = [
        "111111111111",
        "222222222222",
        "333333333333",
        "444444444444",
        "555555555555",
        "666666666666",
        "777777777777"
      ]
    }

    resource "aws_s3_bucket" "my_bucket" {
      bucket = "${var.bucket_name}"
    }

    resource "aws_s3_bucket_policy" "my_bucket_policy" {
      bucket = "${aws_s3_bucket.my_bucket.id}"
      count  = "${length(var.accounts)}"
      policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::${element(var.accounts, count.index)}:root"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::${var.bucket_name}/CloudTrail/AWSLogs/${element(var.accounts, count.index)}/*"
        }
      ]
    }
    EOF
    }
Is there a way to just iterate the variable list in the Resource or Principal sections only? The goal would be to generate a single bucket policy that has all ARNs from the variables.
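The behaviour described above follows from how the `aws_s3_bucket_policy` resource works: a bucket holds exactly one policy document, and each of the `count` instances issues its own PutBucketPolicy call that replaces the whole document, so whichever instance applies last is the one left on the bucket. The following is an added example, not code from the original post; it builds one policy document for the bucket with the `aws_iam_policy_document` data source and a `dynamic "statement"` block, which assumes Terraform 0.12 or later syntax (the question's `"${...}"` and `type = "list"` are 0.11 style) and the `aws` provider. The variable and resource names follow the question; the two sample account IDs are constructed placeholders.

```hcl
variable "accounts" {
  type = list(string)
  # Constructed sample values; replace with the real account list.
  default = ["111111111111", "222222222222"]
}

variable "bucket_name" {
  type = string
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = var.bucket_name
}

# One statement per account rather than one statement listing every
# principal and every resource: a single combined statement would be a
# cross-product, letting any listed account write into any other
# account's CloudTrail/AWSLogs/<id>/ prefix.
data "aws_iam_policy_document" "cloudtrail_write" {
  dynamic "statement" {
    for_each = var.accounts
    content {
      sid     = "CloudTrailWrite${statement.value}"
      effect  = "Allow"
      actions = ["s3:PutObject"]

      principals {
        type        = "AWS"
        identifiers = ["arn:aws:iam::${statement.value}:root"]
      }

      resources = [
        "arn:aws:s3:::${var.bucket_name}/CloudTrail/AWSLogs/${statement.value}/*",
      ]
    }
  }
}

# A single policy resource, no count: the whole document is written once.
resource "aws_s3_bucket_policy" "my_bucket_policy" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.cloudtrail_write.json
}
```

After `terraform apply`, `terraform show` (or `aws s3api get-bucket-policy --bucket <name>`) should display one policy with one `CloudTrailWrite<account>` statement per entry in `var.accounts`, which is the quickest check that nothing was overwritten. Adding or removing an account in the list changes the document in place on the next apply rather than creating or destroying separate policy resources.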