Allow aws_s3_bucket_policy to be optionally applied or take on additional external policies
#327
Labels
enhancement
New feature or request
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Currently if an external user wishes to add additional bucket policies to the audit + access log buckets under this module, the only way is to set
var.use_external_audit_log_buckettotrue, which then disables most of the conveniences and requires the user to copy out the changes from this module to the external site.This is because resource
aws_s3_bucket_policydoesn't allow multiple parts applied at different times and sources, and only the last applied one takes full precedence.Describe the solution you'd like
Allow variables to include flags to disable creating "aws_s3_bucket_policy" "audit_log"
and/orresource "aws_s3_bucket_policy" "access_log_policy". And provide their respective policies asoutput` for external caller to use instead.Describe alternatives you've considered
Allow optional additional policy JSON to be passed in for
resource "aws_s3_bucket_policy" "audit_log"and/orresource "aws_s3_bucket_policy" "access_log_policy"to be incorporated.The alternative is good that the module always get to ensure the baseline bucket policy is enforced, though bad being the external caller has lesser flexibility to finally create
resource "aws_s3_bucket_policy"at the most appropriate juncture.Additional context
Nil
The text was updated successfully, but these errors were encountered: