Implementing Dynamic S3 Bucket Policy Using Terraform and IAM Conditions
I've been banging my head against this for hours. I'm currently working on a Terraform configuration to create an S3 bucket with a dynamic policy based on the tags assigned to the bucket. The intention is to allow access only to certain IAM users if the bucket has specific tags set. However, I'm working with a scenario where the IAM conditions in the policy do not apply as expected, and I see the following error message when I try to apply the configuration:

```
Error: Invalid principal in policy: "*"
```

Here is a snippet of my Terraform code:

```hcl
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-example-bucket"
  tags = {
    Environment = "Dev"
  }
}

resource "aws_iam_policy" "bucket_policy" {
  name        = "S3AccessPolicy"
  description = "Policy to restrict access based on tags"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect   = "Allow",
      Action   = "s3:*",
      Resource = aws_s3_bucket.my_bucket.arn,
      Condition = {
        StringEquals = {
          "s3:ExistingObjectTag/Team" = "DevTeam"
        }
      }
    }]
  })
}

resource "aws_s3_bucket_policy" "bucket_policy_attachment" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = aws_iam_policy.bucket_policy.policy
}
```

I've tried changing the resource in the policy statement to the bucket ARN directly but still receive the same error. I also ensured that the IAM user has the correct permissions to assume the policy, but it seems like the problem stems from the conditions not being recognized correctly in the policy.

I've searched through the documentation and found that IAM policies can use conditions, but I'm unsure if I'm using them correctly. What am I missing here? Is there a specific way to structure the conditions in the policy for S3 buckets, or is there a limitation in how Terraform processes these configurations? Any guidance or suggestions would be greatly appreciated.
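For comparison, here is an added example (not the poster's configuration) of a tag-conditioned bucket policy written as a resource-based policy with an explicit Principal, which a bucket policy requires and an `aws_iam_policy` (an identity policy) does not carry. It assumes the bucket name `my-example-bucket`, an IAM user named `dev-user` in the same account, and objects tagged `Team=DevTeam`; the account ID is looked up rather than hard-coded.

```hcl
# Added example, not the original poster's code. Assumes an IAM user
# "dev-user" in the calling account and objects tagged Team=DevTeam.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-example-bucket"
  tags = {
    Environment = "Dev"
  }
}

# A bucket policy is resource-based: every statement must name the
# principals it grants to. Reusing an identity policy, which has no
# Principal element, does not produce a valid bucket policy.
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid    = "AllowDevTeamTaggedObjects"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/dev-user"]
    }

    # s3:ExistingObjectTag/<key> is evaluated only for object-level
    # actions, so the statement is scoped to object actions and to the
    # object ARN pattern (bucket ARN + "/*"), not the bucket ARN alone.
    # Granting s3:* here would also cover actions the tag key never
    # applies to, so least privilege means listing the actions needed.
    actions   = ["s3:GetObject", "s3:GetObjectTagging"]
    resources = ["${aws_s3_bucket.my_bucket.arn}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:ExistingObjectTag/Team"
      values   = ["DevTeam"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_policy_attachment" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}
```

Running `terraform plan` renders the policy document, so the Principal and Condition blocks can be reviewed before anything is applied.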