Is there a way to append IAM Bucket Policy Statement to Existing Statements using terraform?

Question

I currently have a centralised S3 bucket in a central account accessed via multiple other child accounts. I would like to dynamically update the bucket policy from each of the child accounts by taking the existing IAM Bucket Policy and append a new statement allowing the IAM role from the calling account to have access to the bucket.

I tried to use a combination of aws_iam_policy_document and source_json with a new statement. However, all this does is overwrite the existing statement.

What I am trying to achieve is take this existing policy json and either merge or append to a new statement. Any ideas how to achieve this?

Does anyone have a working example of managing cross account s3 bucket policies and dynamically updating the policy to allow access from roles within child accounts?

Answer 1

The aws_iam_policy_document data source's source_json argument works by merging policy statements using their statement id ("sid") values, so in order for statements from the previous JSON to appear in the result the sid arguments in the new statements must be distinct from the ones in the source document.

Another option is to do the transformations more manually within the Terraform language itself. This requires working directly with the raw statement data structures, and so it'll be your responsibility to ensure that you handle the input robustly and produce a valid IAM policy data structure as the result.

For example:

locals {
  policy_a = jsondecode(file("${path.module}/policy_a.json"))
  policy_b = jsondecode(file("${path.module}/policy_b.json"))
  policy_c = {
    Version: local.policy_a.Version,
    Statement: concat(
      local.policy_a.Statement,
      local.policy_b.Statement,
    ),
  }
}

You can then produce a JSON version of policy_c somewhere else in your module using jsonencode(local.policy_c).

Because this is using concat, the result will be literally the two lists of statements concatenated together, so you'll need to ensure that the result is sensible yourself: there will be no automatic overriding by statement id or any similar normalizations.