Terraform-provider-aws: Allow multiple policies to be attached to an s3 bucket

Created on 13 Jun 2017  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @evanstachowiak as hashicorp/terraform#10543. It was migrated here as part of the provider split. The original body of the issue is below._


Hi there,

Terraform Version

0.7.13

Affected Resource(s)

  • aws_s3_bucket_policy

Expected Behavior

Instead of using a different bucket for different logs, I'm trying to use one bucket with different prefixes. The issue with this is that I cannot use more than one aws_s3_bucket_policy. If I specify this resource multiple times, the previous one gets overwritten and only the last one is used. Ideally, there would be something like an aws_iam_policy_attachment resource.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Try to use multiple s3 policies on a bucket.
Labels: enhancement, service/s3

All 6 comments

A related suggestion: provide a way to merge a list of data.aws_iam_policy_document into a single policy. The existing resource.aws_s3_bucket_policy could support a list of policies, and automatically merge them into a single policy.

This would allow modularization of the data.aws_iam_policy_document for specific purposes. As of tf 0.11, lack of something like this can result in a lot of repetition.

We want to be able to dynamically add policy statements to an S3 bucket policy.

We first tried having the count on the data object. This strategy generated N self-contained policy documents. In order to be useful, the N policy statements should really be concatenated into a single policy document that can be interpolated into the bucket_policy.

# One data source per entry in var.statement; each instance holds a single statement.
data "aws_iam_policy_document" "default" {
  count = "${length(keys(var.statement))}"

  statement {
    sid       = "CloudfrontBucketActions"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.default.arn}/${element(values(var.origin-access-identities), count.index)}/*"]
    principals {
      type        = "AWS"
      identifiers = ["${element(keys(var.statement), count.index)}"]
    }
  }
}

Next, we tried putting a count parameter on the statement block in the hope that Terraform would create N instances of that statement, each with the proper values.

# count inside a nested block is not supported; this is the attempt that fails.
data "aws_iam_policy_document" "default" {
  statement {
    count     = "${length(keys(var.statement))}"
    sid       = "CloudfrontBucketActions"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.default.arn}/${element(values(var.origin-access-identities), count.index)}/*"]
    principals {
      type        = "AWS"
      identifiers = ["${element(keys(var.statement), count.index)}"]
    }
  }
}

This failed with the error "invalid or unknown key: count".

In #2890, which was released in v1.9.0 of the AWS provider, we added "layering" functionality to the aws_iam_policy_document data source via the source_json and override_json attributes. It should support functionality similar to what is mentioned in https://github.com/terraform-providers/terraform-provider-aws/issues/409#issuecomment-348366878 (among other use cases) where you can merge these data sources together.

For the count use case mentioned above in https://github.com/terraform-providers/terraform-provider-aws/issues/409#issuecomment-376710210, we have some upcoming improvements to the Terraform configuration, which should allow better handling of looping through "sub" resources: https://github.com/hashicorp/terraform/issues/17179 and https://github.com/hashicorp/terraform/issues/7034

Hi folks 👋 There are a few solutions to this problem nowadays:

  • As mentioned above, the aws_iam_policy_document data source supports "layering" via the source_json and override_json arguments
  • Terraform 0.12 supports the new dynamic block, which can be used to dynamically build statement configuration blocks

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
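The approach the two maintainer comments point at, written out as an added example (this is not code from the thread, the provider's documentation, or any commenter): a Terraform 0.12 dynamic block builds one statement per CloudFront origin access identity, replacing the count attempts in the earlier comment, and source_json/override_json layer a separately maintained deny statement on top of it. The variable name origin_access_identities, the resource aws_s3_bucket.default and the OAI ARNs are assumptions constructed for the example. One caveat the thread does not spell out: layering merges statements by Sid, so reusing a single sid such as "CloudfrontBucketActions" for every generated statement would let later statements overwrite earlier ones; the example derives a distinct Sid from each prefix.

```hcl
# Added example, not part of the original thread or the provider's own docs.
# Assumed: var.origin_access_identities (OAI IAM ARN => prefix it may read)
# and an existing aws_s3_bucket.default resource. ARNs below are constructed.

variable "origin_access_identities" {
  description = "Map of CloudFront OAI IAM ARN => key prefix that OAI may read"
  type        = map(string)
  default = {
    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE" = "site-a"
    "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2EXAMPLE" = "site-b"
  }
}

# One statement per OAI, scoped to its own prefix only.
data "aws_iam_policy_document" "cloudfront_read" {
  dynamic "statement" {
    for_each = var.origin_access_identities
    content {
      # Sids must be unique: source_json/override_json merge by Sid, so a
      # shared Sid would collapse all generated statements into one.
      sid       = "CloudfrontRead${replace(statement.value, "/[^A-Za-z0-9]/", "")}"
      actions   = ["s3:GetObject"]
      resources = ["${aws_s3_bucket.default.arn}/${statement.value}/*"]
      principals {
        type        = "AWS"
        identifiers = [statement.key]
      }
    }
  }
}

# A separately maintained fragment (for example from a security baseline module):
# refuse any access over plain HTTP.
data "aws_iam_policy_document" "deny_insecure" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.default.arn, "${aws_s3_bucket.default.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Layer the fragments: statements from source_json form the base, statements in
# override_json replace any base statement that carries the same Sid.
data "aws_iam_policy_document" "bucket" {
  source_json   = data.aws_iam_policy_document.cloudfront_read.json
  override_json = data.aws_iam_policy_document.deny_insecure.json
}

# Exactly one aws_s3_bucket_policy per bucket; the merged document goes here.
resource "aws_s3_bucket_policy" "default" {
  bucket = aws_s3_bucket.default.id
  policy = data.aws_iam_policy_document.bucket.json
}
```

Run `terraform plan` and inspect the rendered policy attribute of aws_s3_bucket_policy.default: it should contain one CloudfrontRead* statement per map entry plus the DenyInsecureTransport statement. If two fragments ever produce the same Sid, only the override_json copy survives, silently, so keep Sids unique across every module that contributes to the bucket policy.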

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
