
Add a scaleway_bucket_policy_document data resource, akin to aws_iam_policy_document #2493

Open
rbarrois opened this issue Mar 29, 2024 · 0 comments
Assignees: Mia-Cross
Labels: enhancement; object (Object storage issues, bugs and feature requests); priority:medium (Improvements that are not the main priority)

@rbarrois wrote:

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, there is a limitation with the use of a proper Terraform resource to describe policy documents (e.g. for buckets):

  • Scaleway bucket policies wishing to use IAM-based credentials, and specifically the application_id: principal style, MUST use the 2023-04-17 policy version;
  • The most comfortable way to declare those policies in a terraform file would be to use the aws_iam_policy_document data source
  • However, the aws_iam_policy_document resource does not accept the Version = "2023-04-17" statement.

New or Affected Resource(s)

  • scaleway_iam_policy_document

Potential Terraform Configuration

# Proposed data source (it does not exist yet): the same statement syntax as
# aws_iam_policy_document, plus a version argument that accepts the Scaleway value.
data "scaleway_iam_policy_document" "policy" {
  version = "2023-04-17"
  statement {
    sid    = "Delegate access"
    effect = "Allow"
    # IAM application principal; this principal style is what needs version 2023-04-17.
    principals {
      type        = "SCW"
      identifiers = ["application_id:${scaleway_iam_application.reading-app.id}"]
    }
    actions = ["s3:ListBucket"]
    # The bucket itself and every key under it.
    resources = [
      scaleway_object_bucket.bucket.name,
      "${scaleway_object_bucket.bucket.name}/*"
    ]
  }
}

References

See #2133

Workaround

For now, the following seems to work:

resource "scaleway_object_bucket_policy" "main" {
  bucket = scaleway_object_bucket.bucket.id
  # aws_iam_policy_document emits Version 2012-10-17. merge() gives the
  # right-hand map precedence, so only Version is replaced; the Statement
  # list passes through unchanged.
  policy = jsonencode(
    merge(
      jsondecode(data.aws_iam_policy_document.policy.json),
      { "Version" : "2023-04-17" },
    )
  )
}

# The AWS data source is used only to render the statement JSON; the
# principal type and resource names below are Scaleway's, not AWS's.
data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "Delegate access"
    effect = "Allow"
    principals {
      type        = "SCW"
      identifiers = ["application_id:${scaleway_iam_application.reading-app.id}"]
    }
    actions = ["s3:ListBucket"]
    resources = [
      scaleway_object_bucket.bucket.name,
      "${scaleway_object_bucket.bucket.name}/*"
    ]
  }
}
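A way to check the rendered policy before it is applied, as an added example that is not part of the issue or of the Scaleway provider. It re-does the workaround's jsondecode/merge/jsonencode step in Python and then lints the result against the constraint the issue states (an application_id: principal needs Version 2023-04-17), so the same check can run in CI over any rendered bucket policy. The sample policy is constructed to match what aws_iam_policy_document emits for the statement above (its default Version 2012-10-17, one-element lists collapsed to strings); the function names, the extra resource-scope and required-key checks, and the placeholder application ID are this example's own assumptions.

```python
"""Emulate the Version override from the workaround and lint the result.

Added example, not code from the issue or the Scaleway provider. Function
names, the lint rules other than the Version constraint, and the sample
application ID are assumptions made for this example.
"""
import json

# Policy version the issue says application_id: principals require.
SCW_POLICY_VERSION = "2023-04-17"
AWS_DEFAULT_VERSION = "2012-10-17"  # what aws_iam_policy_document emits

# Constructed sample: the .json output of the workaround's
# aws_iam_policy_document for a bucket named "my-bucket" (placeholder UUID).
AWS_RENDERED_POLICY = json.dumps({
    "Version": AWS_DEFAULT_VERSION,
    "Statement": [{
        "Sid": "Delegate access",
        "Effect": "Allow",
        "Principal": {"SCW": "application_id:11111111-2222-3333-4444-555555555555"},
        "Action": "s3:ListBucket",
        "Resource": ["my-bucket", "my-bucket/*"],
    }],
})


def with_scw_version(policy_json, version=SCW_POLICY_VERSION):
    """The HCL workaround in Python: jsondecode -> merge -> jsonencode.

    merge() lets the right-hand map win, so only Version changes and the
    Statement list passes through untouched.
    """
    doc = json.loads(policy_json)
    merged = {**doc, "Version": version}
    return json.dumps(merged, separators=(",", ":"))


def _as_list(value):
    """Policy JSON collapses one-element lists to a bare string; undo that."""
    return value if isinstance(value, list) else [value]


def lint_scw_bucket_policy(doc, bucket):
    """Return a list of problems; an empty list means the policy passed.

    Rule 1 is the constraint from the issue; rules 2 and 3 are extra sanity
    checks added for this example.
    """
    problems = []
    version = doc.get("Version")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        label = stmt.get("Sid") or "statement %d" % i
        # 3. Required keys: a statement missing any of these is malformed.
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in stmt:
                problems.append("%s: missing %s" % (label, key))
        # 1. application_id: principals need the 2023-04-17 policy version.
        principal = stmt.get("Principal", {})
        scw_ids = _as_list(principal.get("SCW", [])) if isinstance(principal, dict) else []
        if any(p.startswith("application_id:") for p in scw_ids) and version != SCW_POLICY_VERSION:
            problems.append("%s: application_id: principal requires Version %s, got %r"
                            % (label, SCW_POLICY_VERSION, version))
        # 2. Resources must be the bucket itself or keys under it.
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket and not res.startswith(bucket + "/"):
                problems.append("%s: resource %r is outside bucket %r" % (label, res, bucket))
    return problems


def lint_rendered(policy_json, bucket):
    """Convenience wrapper: lint a policy given as a JSON string."""
    return lint_scw_bucket_policy(json.loads(policy_json), bucket)


if __name__ == "__main__":
    print("before override:", lint_rendered(AWS_RENDERED_POLICY, "my-bucket"))
    print("after override: ", lint_rendered(with_scw_version(AWS_RENDERED_POLICY), "my-bucket"))
```

Run against a policy rendered by `terraform plan`/`terraform show -json`, the lint flags the unmodified aws_iam_policy_document output (Version 2012-10-17 with an application_id: principal) and passes once the merge has replaced the version, which is exactly the case the workaround covers.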
Mia-Cross self-assigned this Apr 2, 2024
Mia-Cross added the object (Object storage issues, bugs and feature requests) and priority:medium (Improvements that are not the main priority) labels Apr 2, 2024
Development: no branches or pull requests. 3 participants.