0 votes

I am trying to create and attach S3 bucket policies to S3 buckets with Terraform. Terraform is throwing the following errors: BucketRegionError and AccessDenied. It is saying the bucket I am trying to attach the policy to is not in the specified region, even though it is deployed in that region. Any advice on how I can attach this policy would be helpful. Below are the errors and how I am creating the buckets, the bucket policy, and how I am attaching it. Thanks!

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : bucket.arn
    ]

    principals {
      type = "AWS"

      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
      ]
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
    ]
  }
}

Errors:

Error: Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
        status code: 301, request id: , host id:

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

The buckets are created with no issue; I'm just having issues with attaching this policy.

UPDATE: Below is the provider block for aws.dest, the variables I have defined, and also my .aws/config file.

provider "aws" {
  alias   = "dest"
  profile = var.dest_profile
  region  = var.dest_region
}

variable "dest_region" {
  default = "us-east-2"
}

variable "dest_profile" {
  default = "replica"
}

[profile replica]
region = us-east-2
output = json

2 Answers

0 votes

I believe you need to add provider = aws.dest to your data "aws_iam_policy_document" "dest_policy" data object.

The provider directive also works with data objects.

0 votes

I managed to execute your configuration and noticed some issues:

  1. In your policy, in the second statement the principals block is missing.

statement {
  actions = [
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
  ]
  resources = [
    for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
  ]
}

  2. This block is creating the bucket correctly (with -replica at the end):

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

However, by activating debug output, I noticed that for this resource each.key references the bucket name without -replica, so I was receiving a 404.

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Changing it to the same pattern as the bucket creation, it worked:

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = "${each.key}-replica"
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Regarding the 403, it may be a lack of permissions for the user that is creating this resource.

Let me know if this helps you.
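Pulling the two answers together, here is a corrected version of the asker's configuration. This is an added example written by the editor, not code from the asker or either answerer. It assumes the aws.dest provider, var.s3_bucket_names and var.replication_role from the question, and that the unaliased default provider is the source account (the question does not show the `data "aws_caller_identity" "source"` block, so the one below is an assumption). It applies the first answer's `provider = aws.dest` on the data source and the second answer's two fixes (a principals block on the second statement, and addressing the replica bucket rather than the source name; `each.value.id` is the same value as `"${each.key}-replica"` here). It also goes one step beyond the answers: the policy document is generated per bucket with its own for_each, so each bucket policy names only its own ARN. S3 only accepts resource ARNs that belong to the bucket a policy is attached to, and scoping each grant to one bucket is the least-privilege shape for a replication destination anyway. The original errors are consistent with the bug the second answer found: PutBucketPolicy was being sent for the source bucket name, which lives in another region (301, BucketRegionError) and another account (403, AccessDenied).

```hcl
# Added example (editor's code, not from the question or the answers).
# Assumption: the default (unaliased) provider is the source account, which
# is where the replication role lives.
data "aws_caller_identity" "source" {}

# Assumed to exist from the question: var.s3_bucket_names, var.replication_role
# and the aws.dest provider alias.
resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = true

  versioning {
    enabled = true
  }
}

locals {
  # The replication role in the source account that needs access to the replicas.
  replication_role_arn = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
}

# One policy document per destination bucket: each policy lists only its own
# bucket ARN, which is both what S3 requires and the least-privilege grant.
data "aws_iam_policy_document" "dest_policy" {
  provider = aws.dest # as suggested in the first answer
  for_each = aws_s3_bucket.dest_buckets

  statement {
    sid       = "ReplicationRoleBucketVersioning"
    actions   = ["s3:GetBucketVersioning", "s3:PutBucketVersioning"]
    resources = [each.value.arn]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }

  statement {
    sid       = "ReplicationRoleObjects"
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete"]
    resources = ["${each.value.arn}/*"]

    # The second answer's first point: a bucket policy statement with no
    # principal is rejected by S3, and it would grant nothing anyway.
    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets

  # each.key is the *source* bucket name (the for_each key); the replica's real
  # name is each.value.id, equivalent to "${each.key}-replica" in the answer.
  bucket = each.value.id
  policy = data.aws_iam_policy_document.dest_policy[each.key].json
}
```

After `terraform apply`, `terraform state show 'aws_s3_bucket_policy.dest_policy["<source-name>"]'` shows the policy attached to the `-replica` bucket with only that bucket's ARN in its resources, which is the quickest way to confirm that no policy is being pushed at a bucket name in the wrong account or region.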