
Fixes issues with interpolated values

Tagged v5.3.3 (same as previous PR)
Fred Damstra [afs macbook] hace 3 años
padre
commit
6683be31d8

+ 1 - 1
base/codebuild_splunk_apps/cloudwatch.tf

@@ -83,7 +83,7 @@ POLICY
 resource "aws_iam_policy_attachment" "service_role_attachment" {
   name       = "splunk_apps_policy_attachment"
   policy_arn = aws_iam_policy.codebuild_policy.arn
-  roles      = ["${aws_iam_role.codebuild_role.id}"]
+  roles      = [aws_iam_role.codebuild_role.id]
 }
 
 resource "aws_cloudwatch_event_target" "trigger_build" {
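Review bot: `aws_iam_policy_attachment` at the top of this hunk is the exclusive attachment resource: Terraform makes the listed `roles` the only principals the policy is attached to, so any other role, user or group that is given `codebuild_policy` elsewhere is silently detached on the next apply. Only one role is attached here, so the non-exclusive form does the same job without that side effect: `resource "aws_iam_role_policy_attachment" "service_role_attachment" {` / `role       = aws_iam_role.codebuild_role.name` / `policy_arn = aws_iam_policy.codebuild_policy.arn` (changing the resource type means a state move or a one-off recreate, so land it with a version tag as this commit does). The `aws_cloudwatch_event_target` block that closes the hunk continues outside it.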

+ 31 - 31
base/github_actions_s3_bucket/main.tf

@@ -19,23 +19,23 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
 }
 
 resource "aws_s3_bucket_versioning" "s3_version_bucket" {
-  bucket   = aws_s3_bucket.bucket.id
+  bucket = aws_s3_bucket.bucket.id
   versioning_configuration {
     status = "Enabled"
   }
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
-  bucket   = aws_s3_bucket.bucket.id
-  
+  bucket = aws_s3_bucket.bucket.id
+
   rule {
     id     = "STANDARD_IA"
     status = "Enabled"
-    
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 2
     }
-    
+
     transition {
       days          = 30
       storage_class = "STANDARD_IA"
@@ -45,13 +45,13 @@ resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
   bucket = aws_s3_bucket.bucket.id
-  
+
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.bucketkey.arn
       sse_algorithm     = "aws:kms"
-      }
     }
+  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -66,32 +66,32 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   depends_on = [aws_s3_bucket_policy.policy]
 }
 
-resource "aws_s3_bucket_policy" "policy" {
-  bucket = aws_s3_bucket.bucket.id
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid    = "AccountAllow"
+    effect = "Allow"
+
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "AllowThisAccount",
-  "Statement": [
-    {
-      "Sid": "AccountAllow",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": ${jsonencode(local.account_arns)}
-      },
-      "Action": [
-        "s3:GetObject",
-        "s3:ListBucket"
-      ],
-      "Resource": [
-        "${aws_s3_bucket.bucket.arn}",
-        "${aws_s3_bucket.bucket.arn}/*"
-      ]
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.account_arns
     }
-  ]
+  }
 }
-POLICY
+
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+
+  policy = data.aws_iam_policy_document.policy.json
 }
 
 //AWS Provider outdated arguments <4.4.0
@@ -127,4 +127,4 @@ POLICY
     }
   }
 }
-*/
+*/
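Review bot: The rewritten bucket policy (`data "aws_iam_policy_document" "policy"`) keeps the old heredoc's single Allow statement but, like the heredoc, has no statement that refuses plaintext access, so a principal in `local.account_arns` can still read objects over HTTP; add a Deny on `aws:SecureTransport = false` alongside it, as below. The heredoc's `"Id": "AllowThisAccount"` is also dropped in the conversion; set `policy_id = "AllowThisAccount"` on the data source if the rendered document should stay identical to the previous version. Whether `local.account_arns` holds account-root ARNs or specific roles is not visible here; if it is roots, the grant reaches every principal in those accounts that also has IAM permission, which deserves a comment above the statement.

```hcl
data "aws_iam_policy_document" "policy" {
  policy_id = "AllowThisAccount"

  # … unchanged: AccountAllow statement …

  # S3 accepts plain HTTP by default; refuse it for every principal,
  # including the accounts allowed above.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
```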

+ 1 - 1
base/globally_accessible_bucket/main.tf

@@ -132,7 +132,7 @@ data "aws_iam_policy_document" "s3" {
     effect = "Allow"
 
     resources = [
-      "${aws_s3_bucket.bucket.arn}",
+      aws_s3_bucket.bucket.arn,
       "${aws_s3_bucket.bucket.arn}/*",
     ]
 

+ 23 - 25
base/phantom_s3_bucket/main.tf

@@ -11,7 +11,7 @@ locals {
 resource "aws_s3_bucket" "bucket" {
   # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   # checkov:skip=CKV_AWS_144: TODO: cross replication
-  
+
   bucket = local.bucket_name
   tags   = merge(local.standard_tags, var.tags)
 }
@@ -67,34 +67,32 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
   depends_on = [aws_s3_bucket_policy.policy]
 }
-resource "aws_s3_bucket_policy" "policy" {
-  depends_on = [aws_iam_role.phantom_s3_role]
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid    = "AccountAllow"
+    effect = "Allow"
 
-  bucket = aws_s3_bucket.bucket.id
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "AllowThisAccount",
-  "Statement": [
-    {
-      "Sid": "AccountAllow",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": ${jsonencode(local.principals)}
-      },
-      "Action": [
-        "s3:GetObject",
-        "s3:ListBucket"
-      ],
-      "Resource": [
-        "${aws_s3_bucket.bucket.arn}",
-        "${aws_s3_bucket.bucket.arn}/*"
-      ]
+    principals {
+      type        = "AWS"
+      identifiers = local.principals
     }
-  ]
+  }
 }
-POLICY
+resource "aws_s3_bucket_policy" "policy" {
+  depends_on = [aws_iam_role.phantom_s3_role]
+
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.policy.json
 }
 
 //AWS Provider outdated arguments <4.4.0
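Review bot: `depends_on = [aws_iam_role.phantom_s3_role]` on the new `aws_s3_bucket_policy` resource is carried over without a comment, and its purpose is now less obvious because the policy text lives in the data source: if `local.principals` already references the role's ARN (not visible in this hunk) the dependency is implicit through the data source and the line is redundant; if it does not, the line is load-bearing and should say so. S3 rejects a bucket policy that names an IAM principal which does not exist yet, so I would keep it with `# S3 rejects a policy whose principal ARN does not exist yet; create the role first.` and drop it instead if the ARN does flow through `local.principals`. A blank line between the data block's closing brace and `resource "aws_s3_bucket_policy" "policy" {` would also match the other bucket modules in this commit.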

+ 23 - 24
base/splunk_servers/frozen_s3_bucket/main.tf

@@ -81,32 +81,31 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   depends_on = [aws_s3_bucket_policy.policy]
 }
 
-resource "aws_s3_bucket_policy" "policy" {
-  bucket = aws_s3_bucket.bucket.id
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "AllowThisAccount",
-  "Statement": [
-    {
-      "Sid": "AccountAllow",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": ${jsonencode(local.account_arns)}
-      },
-      "Action": [
-        "s3:GetObject",
-        "s3:ListBucket"
-      ],
-      "Resource": [
-        "${aws_s3_bucket.bucket.arn}",
-        "${aws_s3_bucket.bucket.arn}/*"
-      ]
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid    = "AccountAllow"
+    effect = "Allow"
+
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.account_arns
     }
-  ]
+  }
 }
-POLICY
+
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.policy.json
 }
 
 //AWS Provider outdated arguments <4.4.0
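Review bot: The single `AccountAllow` statement grants `s3:GetObject` and `s3:ListBucket` over both the bucket ARN and `bucket/*`; `s3:ListBucket` only ever matches the bucket ARN and `s3:GetObject` only the object ARN, so the cross-product is wider than the policy needs and reads as if listing were an object-level right. Splitting it into a bucket-level and an object-level statement (below) states the intent exactly and is the shape policy linters and Access Analyzer expect for least privilege. The same pattern appears in the other bucket modules touched by this commit. `local.account_arns` is defined outside the hunk; a comment on the statement saying which accounts it names would help the next reader.

```hcl
data "aws_iam_policy_document" "policy" {
  # Bucket-level rights: listing keys needs the bucket ARN only.
  statement {
    sid       = "AccountAllowList"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.bucket.arn]

    principals {
      type        = "AWS"
      identifiers = local.account_arns
    }
  }

  # Object-level rights: reading objects needs the object ARN pattern only.
  statement {
    sid       = "AccountAllowRead"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = local.account_arns
    }
  }
}

# … unchanged: aws_s3_bucket_policy resource …
```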

+ 24 - 25
base/splunk_servers/smartstore_s3_bucket/main.tf

@@ -71,32 +71,31 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   depends_on = [aws_s3_bucket_policy.policy]
 }
 
-resource "aws_s3_bucket_policy" "policy" {
-  bucket = aws_s3_bucket.bucket.id
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "AllowThisAccount",
-  "Statement": [
-    {
-      "Sid": "AccountAllow",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": ${jsonencode(local.account_arns)}
-      },
-      "Action": [
-        "s3:GetObject",
-        "s3:ListBucket"
-      ],
-      "Resource": [
-        "${aws_s3_bucket.bucket.arn}",
-        "${aws_s3_bucket.bucket.arn}/*"
-      ]
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid    = "AccountAllow"
+    effect = "Allow"
+
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.account_arns
     }
-  ]
+  }
 }
-POLICY
+
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.policy.json
 }
 
 //AWS Provider outdated arguments <4.4.0
@@ -135,4 +134,4 @@ POLICY
     }
   }
 }
-*/
+*/
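Review bot: The converted policy document has no header comment, and the SmartStore bucket is where a read-only cross-account grant is least self-explanatory: the statement allows only `s3:GetObject` and `s3:ListBucket` to `local.account_arns`, while indexers using this bucket as a remote store must also write to it, so their access has to come from a role policy outside this file (not visible here; confirm). I would add above the data source: `# Cross-account read-only access for local.account_arns; indexer write access comes from the instance role, not from this bucket policy.` adjusted to whatever is actually true. Note also that the heredoc's `"Id": "AllowThisAccount"` is not carried over; `policy_id = "AllowThisAccount"` restores it if the rendered policy should match the previous version.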