Terraform module that creates an S3 bucket with an optional IAM user for external CI/CD systems
`source_ip_allow_list` variable. Use cases:
Replaced the count with a for_each inside aws_s3_bucket_logging.default
There's no point in the `try` since the type is clearly defined as list.

When the `bucket_name` within the `logging` attribute is dynamically defined, like in the case of referencing a bucket created by Terraform for logging:

```hcl
logging = [
  {
    bucket_name = module.logging_bucket.bucket_id
    prefix      = "data/"
  }
]
```

we get this error. `for_each` can work better in this case and will solve the previous error.
This is an auto-generated PR that updates the README.md and docs to have the most recent changes of README.md and docs from origin templates.
```
Error: Invalid dynamic for_each value

  on .terraform/main.tf line 225, in resource "aws_s3_bucket_replication_configuration" "default":
 225:       for_each = try(compact(concat(
 226:         [try(rule.value.destination.encryption_configuration.replica_kms_key_id, "")],
 227:         [try(rule.value.destination.replica_kms_key_id, "")]
 228:       ))[0], [])
    ├────────────────
    │ rule.value.destination.encryption_configuration is null
    │ rule.value.destination.replica_kms_key_id is "arn:aws:kms:my-region:my-account-id:my-key-alias"

Cannot use a string value in for_each. An iterable collection is required.
```
There is a bug when trying to create an S3 bucket, which causes an error that stops the bucket being created when `s3_replication_rules.destination.encryption_configuration.replica_kms_key_id` is set. The affected inputs are:

- `s3_replication_rules.destination.encryption_configuration.replica_kms_key_id` (newer)
- `s3_replication_rules.destination.replica_kms_key_id` (older)

This error is easily replicable by trying `compact(concat([try("string", "")], [try("string", "")]))[0]` in the Terraform console, which is a simplified version of the existing logic used above.
The table below demonstrates the possible values of the existing code; you can see the outputs for Value 2, Value 3, and Value 4 are not lists:

Key | Value 1 | Value 2 | Value 3 | Value 4
---|---|---|---|---
newer | null | "string1" | null | "string1"
older | null | null | "string2" | "string2"
output | [] | "string1" | "string2" | "string1"
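The key-selection logic from the error above, reproduced in isolation as an added example (not the module's own code); the `destination` variable and the placeholder ARN are constructed for the demonstration, and the corrected form always yields a collection that `for_each` accepts:

```hcl
# Added example, not part of the cloudposse module. Requires Terraform >= 1.3
# (optional() attributes). Run with `terraform init && terraform plan`; no
# provider is needed because only a variable, locals and outputs are declared.

# Constructed sample input: only the older, top-level attribute is set, which
# is the situation shown in the error above.
variable "destination" {
  type = object({
    replica_kms_key_id = optional(string)
    encryption_configuration = optional(object({
      replica_kms_key_id = optional(string)
    }))
  })
  default = {
    replica_kms_key_id = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID" # placeholder
  }
}

locals {
  # Both candidate locations. Attribute access on a null encryption_configuration
  # errors, so try() substitutes "", and compact() drops empty strings and nulls.
  candidates = compact([
    try(var.destination.encryption_configuration.replica_kms_key_id, ""),
    try(var.destination.replica_kms_key_id, ""),
  ])

  # Original shape: [0] on an empty list errors, so try() falls back to [];
  # but as soon as one key exists the result is a plain string, and a dynamic
  # block whose for_each iterates it fails with
  # "Cannot use a string value in for_each".
  kms_key_broken = try(local.candidates[0], [])

  # Corrected: at most one element and always a list, so for_each is satisfied
  # and the dynamic block is simply omitted when no key is configured.
  kms_key_fixed = slice(local.candidates, 0, min(1, length(local.candidates)))
}

output "kms_key_broken" {
  value = local.kms_key_broken # a string with the sample input; [] only when unset
}

output "kms_key_fixed" {
  value = local.kms_key_fixed # a one-element list with the sample input; [] when unset
}
```

Setting `default = {}` on the variable shows the empty case, where both forms return `[]` and the original logic happens to work.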
Terraform version 1.3.0 or later is now required.
`policy` input removed. The deprecated `policy` input has been removed. Use `source_policy_documents` instead.

Convert from

```hcl
policy = data.aws_iam_policy_document.log_delivery.json
```

to

```hcl
source_policy_documents = [data.aws_iam_policy_document.log_delivery.json]
```
Do not use list modifiers like `sort`, `compact`, or `distinct` on the list, or it will trigger an `Error: Invalid count argument`. The length of the list must be known at plan time.

To fix #182, the `logging` input has been converted to a list. If you have a logging configuration, simply surround it with brackets.

Previously, the `s3_replication_rules` input had some deviations from the `aws_s3_bucket_replication_configuration` Terraform resource. Via the use of optional attributes, the input now closely matches the resource while providing backward compatibility, with a few exceptions.
`source_selection_criteria.sse_kms_encrypted_objects` was documented as an object with one member, `enabled`, of type `bool`. However, it only worked when set to the string `"Enabled"`. It has been replaced with the resource's choice of `status` of type String.

`replication_time`. To enable Metrics without Replication Time Control, you must set `replication_time.status = "Disabled"`.

These are not changes, just continued deviations from the resources:
- `existing_object_replication` cannot be set.
- `token` to allow replication to be enabled on an Object Lock-enabled bucket cannot be set.
- `local.source_policy_documents` and deprecated variable `policy` (because of that, bump the module to a major version)
- `lifecycle_configuration_rules` and `s3_replication_rules` from loosely typed objects to fully typed objects with optional attributes.
- `bucket_id` variable
- `policy` was empty, meaning it had to be removed based on content, which would not be known at plan time if the `policy` input was being generated.

Any list manipulation functions should not be used in `count` since it can lead to the error:
```
│ Error: Invalid count argument
│
│   on ./modules/s3_bucket/main.tf line 462, in resource "aws_s3_bucket_policy" "default":
│  462:   count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(local.source_policy_documents) > 0) ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the count depends on.
```

Using the local like this

```hcl
source_policy_documents = var.policy != "" && var.policy != null ? concat([var.policy], var.source_policy_documents) : var.source_policy_documents
```

would not work either if `var.policy` depends on apply-time resources from other TF modules.
General rules:

- When using `for_each`, the map keys have to be known at plan time (the map values are not required to be known at plan time).
- When using `count`, the length of the list must be known at plan time; the items inside the list are not. That does not mean that the list must be static with the length known in advance: the list can be dynamic and come from a remote state or data sources, which Terraform evaluates first during plan. It just can't come from other resources (which are only known after apply).
- When using `count`, no list manipulating functions can be used in `count`; in some cases it will lead to the `The "count" value depends on resource attributes that cannot be determined until apply` error.

Unfortunately, this change makes `count` unknown at plan time in certain situations. In general, you cannot use the output of `compact()` in `count`.

The solution is to stop using the deprecated `policy` input and revert to 3.1.2 or upgrade to 4.0.
- `var.source_policy_documents` to `local.source_policy_documents` so `var.policy` usage was still supported
- `var.source_policy_documents` so `var.policy` being combined with `var.source_policy_documents` into `local.source_policy_documents` does not provide `true` for the ternary to execute

Full Changelog: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2
Note: this version introduced drift detection and correction for Transfer Acceleration. Unfortunately, that change prevents deployment of buckets in regions that do not support Transfer Acceleration. Version 3.1.1 reverts that change so that S3 buckets can be deployed by this module in all regions. It does, however, mean that when `var.transfer_acceleration_enabled` is `false`, Terraform does not track or revert changes to Transfer Acceleration made outside of this module.

- `aws_s3_bucket_accelerate_configuration` and `aws_s3_bucket_versioning` resources even when the feature is disabled, to enable drift detection
- `aws_s3_bucket_versioning` resource to track changes made to bucket versioning configuration
- `aws_s3_bucket_versioning`, the expectation is that bucket versioning is disabled/suspended for the bucket. If bucket versioning is turned on outside of Terraform (e.g. through the console), the change is not detected by Terraform unless the `aws_s3_bucket_versioning` resource exists.

This release has what can be considered breaking changes, but mostly because it either reverts breaking changes introduced in v2.0.2 or fixes features that were previously broken and unusable.
- The `website_inputs` input is replaced by `website_configuration` and `website_redirect_all_requests_to`. The `cors_rule_inputs` input is replaced by `cors_configuration`. Thanks to @jurgen-weber-deltatre for helping with this. If you were not using these inputs, then this is not a breaking change.
- `cloudposse/awsutils` Terraform provider with the AWS region and been reverted. This module no longer uses that provider.
- `website_configuration` and `cors_configuration`, or with `website_redirect_all_requests_to`. The website endpoint and base domain are now available as outputs.
- `store_access_key_in_ssm`. When stored in SSM, the secret key is not output by this module as a Terraform output, preventing it from being stored unencrypted in the Terraform state file.
- `access_key_enabled = false`. You can also use this feature to rotate an access key by setting it to `false` and applying to delete the key, then setting it to `true` and applying to create a new one.

Note that in general we now recommend against creating an IAM user, and recommend using AWS OIDC to create an authentication path for users and systems that do not have native IAM credentials. Also note that you can assign permissions to existing AWS users and roles via `grants` or `privileged_principal_arns`.
- `terraform-aws-s3-user` to v1.0.0 and add inputs `access_key_enabled`, `store_access_key_in_ssm`, and `ssm_base_path` in order to
- `cloudposse/awsutils` Terraform provider. See terraform-aws-iam-system-user v1.0.0 Release Notes for further details and justification.
- `website_inputs` (which never worked) with `website_configuration` and `website_redirect_all_requests_to`. See #142 for further details and justification.
- `cors_rule_inputs` with `cors_configuration` to match the resource name.

The changes introduced in v2.0.2 were problematic and have been removed in v3.0.0. It is not recommended to use this version or version 2.0.2.
This PR contains the following updates:
Package | Type | Update | Change
---|---|---|---
cloudposse/iam-s3-user/aws (source) | module | patch | 0.15.9 -> 0.15.10