
Circular dependency when trying to use s3_bucket_id when attaching a policy #305

Open
madpipeline opened this issue Jan 22, 2025 · 1 comment

@madpipeline

I'm creating a CloudFront distribution with OAC using the module terraform-aws-modules/cloudfront/aws and using the bucket name as the OAC config map ID.

I'm also creating the S3 bucket using this module to serve as the origin for the CloudFront distribution.

I'm also attaching an S3 bucket policy to the S3 bucket by using the attach_policy and policy variables. The policy references both the S3 bucket and the CF distribution.

Since the policy resource is a separate resource from the s3_bucket resource there should be no circular dependency, but because the module output variable s3_bucket_id is linked to the policy first, I'm getting a circular dependency error in Terraform.

Using a different string for the OAC config ID does not trigger this circular dependency error.

Using the bucket ID here is a requirement for us, since we have multiple origins in the CF distribution, and multiple CF distributions.

Here's some example code, extracted from our module that we use in multiple deployments:

data "aws_iam_policy_document" "contents_bucket_policy" {
  statement {
    sid    = "AllowCloudFrontServicePrincipal"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]
    resources = [
      module.contents_bucket.s3_bucket_arn,
      "${module.contents_bucket.s3_bucket_arn}/*"
    ]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values = [
        module.cloudfront.cloudfront_distribution_arn
      ]
    }
  }
}

module "contents_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.0"

  attach_policy = true
  policy        = data.aws_iam_policy_document.contents_bucket_policy.json

# no other attach_* variables are being used here.

# [...]
}

module "cloudfront" {
  source  = "terraform-aws-modules/cloudfront/aws"
  version = "~> 4.0"

  create_origin_access_control = true
  origin_access_control = {
    (module.contents_bucket.s3_bucket_id) = {
      description      = "CloudFront access to S3"
      origin_type      = "s3"
      signing_behavior = "always"
      signing_protocol = "sigv4"
    }
  }

# [...]

}
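One way to break the cycle described above, as an added example that is not the issue author's code and not the modules' own code: leave attach_policy off and attach the same policy with a plain aws_s3_bucket_policy resource outside the module, so module.contents_bucket no longer depends on a policy document that references the distribution. The OAC map key stays module.contents_bucket.s3_bucket_id exactly as in the issue. The output name s3_bucket_bucket_regional_domain_name and the shape of the cloudfront module's origin input are assumptions here; check them against the module docs.

```hcl
# Added example, not from the issue or the modules. Assumptions: the cloudfront
# module's "origin" input shape and the s3-bucket module output
# "s3_bucket_bucket_regional_domain_name".

module "contents_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.0"

  # The policy is attached outside the module below, so the module's outputs
  # (s3_bucket_id, s3_bucket_arn) no longer depend on the policy document.
  attach_policy = false

  # [...]
}

module "cloudfront" {
  source  = "terraform-aws-modules/cloudfront/aws"
  version = "~> 4.0"

  create_origin_access_control = true
  origin_access_control = {
    (module.contents_bucket.s3_bucket_id) = {
      description      = "CloudFront access to S3"
      origin_type      = "s3"
      signing_behavior = "always"
      signing_protocol = "sigv4"
    }
  }

  # Assumed shape of the module's origin input (see its README).
  origin = {
    contents = {
      domain_name           = module.contents_bucket.s3_bucket_bucket_regional_domain_name
      origin_access_control = module.contents_bucket.s3_bucket_id
    }
  }

  # [...]
}

# Same statement as in the issue: only the CloudFront service principal may
# read, and only on behalf of this one distribution (AWS:SourceArn condition).
data "aws_iam_policy_document" "contents_bucket_policy" {
  statement {
    sid    = "AllowCloudFrontServicePrincipal"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      module.contents_bucket.s3_bucket_arn,
      "${module.contents_bucket.s3_bucket_arn}/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [module.cloudfront.cloudfront_distribution_arn]
    }
  }
}

# Plain resource instead of attach_policy = true. Resulting dependency edges:
#   aws_s3_bucket_policy -> module.contents_bucket (s3_bucket_id, s3_bucket_arn)
#   aws_s3_bucket_policy -> module.cloudfront      (cloudfront_distribution_arn)
#   module.cloudfront    -> module.contents_bucket (OAC key, domain name)
# Nothing points back into module.contents_bucket, so there is no cycle.
resource "aws_s3_bucket_policy" "contents" {
  bucket = module.contents_bucket.s3_bucket_id
  policy = data.aws_iam_policy_document.contents_bucket_policy.json
}
```

With the policy attached this way, `terraform plan` no longer reports a `Cycle:` error, and `terraform graph` can be used to confirm that module.contents_bucket has no incoming edge from the policy. The bucket is briefly policy-less between its creation and the apply of aws_s3_bucket_policy, which is harmless here because the bucket has no public access until the policy grants it to the distribution.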
@madpipeline
Author

I tried to reference this line in the issue, but apparently the button for this in GitHub does nothing: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/outputs.tf#L3
