From 57b55f378b2dcac9d4e32948e032950d386e6912 Mon Sep 17 00:00:00 2001
From: Liam Easton <43534439+liame24@users.noreply.github.com>
Date: Mon, 10 Feb 2025 20:21:21 +0000
Subject: [PATCH 1/2] improvement: allow for policy creation for externally
created s3 buckets
---
main.tf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index ce49ab09..3c00dd03 100644
--- a/main.tf
+++ b/main.tf
@@ -534,13 +534,13 @@ resource "aws_s3_bucket_replication_configuration" "this" {
}
resource "aws_s3_bucket_policy" "this" {
- count = local.create_bucket && local.attach_policy ? 1 : 0
+ count = local.attach_policy ? 1 : 0
# Chain resources (s3_bucket -> s3_bucket_public_access_block -> s3_bucket_policy )
# to prevent "A conflicting conditional operation is currently in progress against this resource."
# Ref: https://github.com/hashicorp/terraform-provider-aws/issues/7628
- bucket = aws_s3_bucket.this[0].id
+ bucket = local.create_bucket ? aws_s3_bucket.this[0].id : var.bucket
policy = data.aws_iam_policy_document.combined[0].json
depends_on = [
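Review bot: With `count = local.attach_policy ? 1 : 0` nothing guarantees `var.bucket` is set when `local.create_bucket` is false, so `bucket = local.create_bucket ? aws_s3_bucket.this[0].id : var.bucket` can resolve to null and the failure surfaces late and unclearly; a `lifecycle { precondition { ... } }` on the resource (Terraform >= 1.2) fails at plan time with a clear message. The same `count` change is made on `data.aws_iam_policy_document.combined` in the second hunk, and any of its source documents that still reference `aws_s3_bucket.this[0]` (not visible here) would need the same `local.create_bucket ? ... : var.bucket` treatment, otherwise they break for an externally created bucket. The behaviour also deserves a comment on the resource, since `aws_s3_bucket_policy` is authoritative and on an externally created bucket it silently replaces whatever policy the bucket already carries: `# NOTE: when create_bucket = false this replaces any existing policy on var.bucket`. The `aws_s3_bucket_policy` block continues past the end of the hunk.
```terraform
resource "aws_s3_bucket_policy" "this" {
  count = local.attach_policy ? 1 : 0

  # NOTE: when create_bucket = false this replaces any existing policy on var.bucket
  bucket = local.create_bucket ? aws_s3_bucket.this[0].id : var.bucket
  policy = data.aws_iam_policy_document.combined[0].json

  lifecycle {
    precondition {
      condition     = local.create_bucket || var.bucket != null
      error_message = "var.bucket must be set when attach_policy is true and create_bucket is false."
    }
  }

  # … unchanged: depends_on chain (s3_bucket -> public_access_block -> bucket_policy) …
```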
@@ -549,7 +549,7 @@ resource "aws_s3_bucket_policy" "this" {
}
data "aws_iam_policy_document" "combined" {
- count = local.create_bucket && local.attach_policy ? 1 : 0
+ count = local.attach_policy ? 1 : 0
source_policy_documents = compact([
var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : "",
From 7713af6a1e53221ec5886d1b2355816b3b509d9d Mon Sep 17 00:00:00 2001
From: Liam Easton <43534439+liame24@users.noreply.github.com>
Date: Tue, 11 Feb 2025 15:42:13 +0000
Subject: [PATCH 2/2] chore: Example of only modifying policy
---
examples/s3-policy/README.md | 58 +++++++++++++++++++++++
examples/s3-policy/main.tf | 82 +++++++++++++++++++++++++++++++++
examples/s3-policy/outputs.tf | 14 ++++++
examples/s3-policy/variables.tf | 0
examples/s3-policy/versions.tf | 14 ++++++
5 files changed, 168 insertions(+)
create mode 100644 examples/s3-policy/README.md
create mode 100644 examples/s3-policy/main.tf
create mode 100644 examples/s3-policy/outputs.tf
create mode 100644 examples/s3-policy/variables.tf
create mode 100644 examples/s3-policy/versions.tf
diff --git a/examples/s3-policy/README.md b/examples/s3-policy/README.md
new file mode 100644
index 00000000..381015db
--- /dev/null
+++ b/examples/s3-policy/README.md
@@ -0,0 +1,58 @@
+# Complete S3 bucket with most of supported features enabled
+
+This configuration allows for deployment of a S3 Bucket Policy independent of S3 Bucket creation
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.70 |
+| [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.70 |
+| [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [s3\_bucket](#module\_s3\_bucket) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
+| [s3\_bucket\_id](#output\_s3\_bucket\_id) | The name of the bucket. |
+| [s3\_bucket\_policy](#output\_s3\_bucket\_policy) | The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string. |
+
diff --git a/examples/s3-policy/main.tf b/examples/s3-policy/main.tf
new file mode 100644
index 00000000..616d9b02
--- /dev/null
+++ b/examples/s3-policy/main.tf
@@ -0,0 +1,82 @@
+provider "aws" {
+ region = local.region
+
+ # Improve speed by skipping unnecessary checks
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ skip_credentials_validation = true
+}
+
+locals {
+ bucket_name = "s3-bucket-${random_pet.this.id}"
+ region = "eu-west-1"
+ create_bucket = false
+ attach_policy = true
+ force_destroy = true
+ versioning = true
+ enable_logging = true
+ acl = "private"
+}
+
+resource "random_pet" "this" {
+ length = 2
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_canonical_user_id" "current" {}
+
+resource "aws_iam_role" "this" {
+ assume_role_policy = <