Describe the Bug
If we enable the S3 cache for AWS CodeBuild and use a custom S3 bucket, we get:
│ Error: creating IAM Policy (codebuild-myproject-cache-bucket): operation error IAM: CreatePolicy, https response error StatusCode: 400, RequestID: 08ef41e9-35fa-42ba-a223-06bb810a6925, MalformedPolicyDocument: Resource /* must be in ARN format or "*".
│
│ with module.codebuild-myproject.aws_iam_policy.default_cache_bucket[0],
│ on .terraform/modules/codebuild-myproject/main.tf line 179, in resource "aws_iam_policy" "default_cache_bucket":
│ 179: resource "aws_iam_policy" "default_cache_bucket" {
Expected Behavior
An IAM policy with the required permissions to read from and write to the S3 bucket specified by the s3_cache_bucket_name input should be created.
Steps to Reproduce
module "codebuild-myproject" {
  source      = "cloudposse/codebuild/aws"
  version     = "v2.0.2"
  description = "GitHub Actions Runner"
  enabled     = true
  name        = "codebuild-myproject"

  artifact_type = "NO_ARTIFACTS"

  # Enabling S3 cache to the existing S3 bucket
  cache_type           = "S3"
  s3_cache_bucket_name = "codebuild-myproject-s3-cache-bucket"
}
Screenshots
terraform plan produces the following output for aws_iam_policy "default_cache_bucket":
# module.codebuild-myproject.aws_iam_policy.default_cache_bucket[0] will be created
+ resource "aws_iam_policy" "default_cache_bucket" {
    + arn              = (known after apply)
    + attachment_count = (known after apply)
    + id               = (known after apply)
    + name             = "codebuild-myproject-cache-bucket"
    + name_prefix      = (known after apply)
    + path             = "/service-role/"
    + policy           = jsonencode(
        {
          + Statement = [
              + {
                  + Action   = "s3:*"
                  + Effect   = "Allow"
                  + Resource = [
                      + "/*",
                      + "",
                    ]
                },
            ]
          + Version   = "2012-10-17"
        }
    )
    + policy_id        = (known after apply)
    + tags             = {
        + "Name" = "codebuild-myproject"
      }
    + tags_all         = {
        + "Name" = "codebuild-myproject"
      }
  }
Environment
- OS: macOS 15.5
- Platform: darwin_arm64
- Module version: 2.0.2
- Terraform version: 1.12.2
- aws provider: 5.48.0
- random provider: 3.7.2
Additional Context
Root cause analysis
local.s3_cache_enabled will be true if we enable S3 caching:
locals {
  s3_cache_enabled = var.cache_type == "S3"
}
which results in an IAM policy built from the following IAM policy document:
data "aws_iam_policy_document" "permissions_cache_bucket" {
  count = module.this.enabled && local.s3_cache_enabled ? 1 : 0

  statement {
    sid = ""

    actions = [
      "s3:*",
    ]

    effect = "Allow"

    resources = [
      join("", aws_s3_bucket.cache_bucket[*].arn),
      "${join("", aws_s3_bucket.cache_bucket[*].arn)}/*",
    ]
  }
}
As we can see, the policy document's resources do not take the s3_cache_bucket_name input into account; they only work when the module creates a new S3 bucket itself. Therefore, when using a custom bucket, aws_s3_bucket.cache_bucket[*] is empty, join returns an empty string, and the resulting Resource entries ("" and "/*") are not valid ARNs, which is exactly what the MalformedPolicyDocument error reports.
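One way to make the policy document cover both cases, written here as an illustration and not the module's own code: derive a single bucket ARN that falls back to the ARN built from var.s3_cache_bucket_name whenever the module did not create a bucket. It assumes the default "aws" partition (a GovCloud or China deployment would need the partition from data.aws_partition) and that var.s3_cache_bucket_name is set whenever no bucket is created.

```hcl
locals {
  s3_cache_enabled = var.cache_type == "S3"

  # coalesce() skips empty strings, so when aws_s3_bucket.cache_bucket[*]
  # is empty (custom bucket case) the join yields "" and the ARN built from
  # var.s3_cache_bucket_name is used instead. Partition "aws" is assumed.
  s3_cache_bucket_arn = coalesce(
    join("", aws_s3_bucket.cache_bucket[*].arn),
    "arn:aws:s3:::${var.s3_cache_bucket_name}",
  )
}

data "aws_iam_policy_document" "permissions_cache_bucket" {
  count = module.this.enabled && local.s3_cache_enabled ? 1 : 0

  statement {
    sid    = ""
    effect = "Allow"

    # Kept as in the module; the CodeBuild service role only needs the
    # object read/write and bucket list actions, so this could be narrowed.
    actions = [
      "s3:*",
    ]

    # Bucket ARN plus object ARN pattern, both now guaranteed non-empty.
    resources = [
      local.s3_cache_bucket_arn,
      "${local.s3_cache_bucket_arn}/*",
    ]
  }
}
```

With this change terraform plan renders Resource as "arn:aws:s3:::codebuild-myproject-s3-cache-bucket" and "arn:aws:s3:::codebuild-myproject-s3-cache-bucket/*" for the reproduction above, so CreatePolicy no longer rejects the document.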