data source for aws_s3_bucket please #1262
Comments
Hi @gtmtech Thanks.
Sure @radeksimko ... In a security-segregated terraform setup, one team should be responsible for all (or a subset of) Another team is a user of the bucket. They wish to manage a DNS entry for a static website to that bucket. They wish to create an aws_route53_record, type=A, with alias{} section referencing name, zone_id of the bucket. These are available through parameters website_domain and hosted_zone_id on the bucket resource; however, they cannot create a datasource to the aws_s3_bucket in order to work out what these parameters are. They end up having to hardcode values as a workaround, which is bad. Modules do not solve this BTW, because in a security-segregated environment, the second team does not have the credentials to refresh the resources in the modules/submodules for good security practice, i.e. the second team is not entitled to know what the policies are on the buckets, kms keys, iam roles; they just have to work under them.
Or you can just ignore all the security stuff above, and just say: from the team's perspective there is a bucket not managed by terraform, for which they wish to create a corresponding aws_route53_record resource object pointing to that bucket. In order to do so, they want a datasource to be able to read attributes of that bucket.
Doesn't shared remote state solve this problem also? https://www.terraform.io/docs/providers/terraform/d/remote_state.html
No, it requires access to the remote state, which would not be available due to security restrictions. E.g. team A has given team B permission to s3:Get* and s3:List* on bucket X, so a data resource would be able to retrieve the bucket attributes that might be useful in setting up a route53_record. However, team A has obviously not given team B permission to see team A's statefile, which is full of passwords and sensitive information. But in any case, if that's the answer, why have any data sources at all? There are loads of useful ones (instances, volumes); odd that bucket is not in the list.
I see, state file might have too much context - that's a reasonable worry and reason for having such data source.
I was just looking for exactly this today. I find it strange that there's an s3_object datasource, but no bucket datasource.
#1505 was merged and is part of the recent release.
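The setup @gtmtech describes, written with the aws_s3_bucket data source that #1505 added, as an added example that is not part of this issue or the provider's own docs: team B only reads the bucket (under the s3:Get*/s3:List* grant mentioned above) and never touches team A's state. The bucket name, hosted zone and region are placeholders, and the `${}` interpolation form matches the Terraform 0.9/0.11-era syntax in use at the time.

```hcl
# Added example, not from the issue. Assumes an existing bucket owned by
# team A that already has static website hosting enabled, and a Route 53
# hosted zone owned by team B. All names below are placeholders.

# Team B reads attributes of a bucket it does not manage. The provider
# credentials only need read access on the bucket itself, not on any
# Terraform state belonging to team A.
data "aws_s3_bucket" "site" {
  bucket = "www.example.com" # placeholder: for S3 website hosting the
                             # bucket name must equal the record's FQDN
}

# Hosted zone managed by team B (placeholder name).
data "aws_route53_zone" "main" {
  name = "example.com."
}

# Alias A record pointing the site name at the bucket's website endpoint.
# website_domain and hosted_zone_id are the two attributes the issue asks
# for; both come from the data source instead of being hardcoded.
resource "aws_route53_record" "site" {
  zone_id = "${data.aws_route53_zone.main.zone_id}"
  name    = "www.example.com" # must match the bucket name above
  type    = "A"

  alias {
    name                   = "${data.aws_s3_bucket.site.website_domain}"
    zone_id                = "${data.aws_s3_bucket.site.hosted_zone_id}"
    evaluate_target_health = false
  }
}
```

The same pattern works unchanged under Terraform 0.12+ once the `"${...}"` wrappers are dropped in favour of bare expressions.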
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform 0.9.8
Strange that there is a data source for aws_s3_bucket_object but not one for aws_s3_bucket yet...
Thanks!