
IAM permissions are not adopted for custom S3 bucket #148

@atokartricentis

Description

Describe the Bug

If we enable the S3 cache for AWS CodeBuild and use a custom S3 bucket, we get:

│ Error: creating IAM Policy (codebuild-myproject-cache-bucket): operation error IAM: CreatePolicy, https response error StatusCode: 400, RequestID: 08ef41e9-35fa-42ba-a223-06bb810a6925, MalformedPolicyDocument: Resource /* must be in ARN format or "*".
│
│   with module.codebuild-myproject.aws_iam_policy.default_cache_bucket[0],
│   on .terraform/modules/codebuild-myproject/main.tf line 179, in resource "aws_iam_policy" "default_cache_bucket":
│  179: resource "aws_iam_policy" "default_cache_bucket" {

Expected Behavior

An IAM policy with the required permissions to read from and write to the S3 bucket specified by the s3_cache_bucket_name input should be created.

Steps to Reproduce

module "codebuild-myproject" {
  source  = "cloudposse/codebuild/aws"
  version = "v2.0.2"

  description = "GitHub Actions Runner"
  enabled     = true
  name        = "codebuild-myproject"

  artifact_type       = "NO_ARTIFACTS"

  # Enable the S3 cache, pointing it at an existing S3 bucket
  cache_type                  = "S3"
  s3_cache_bucket_name        = "codebuild-myproject-s3-cache-bucket"
}

Screenshots

terraform plan produces the following output for aws_iam_policy "default_cache_bucket":

  # module.codebuild-myproject.aws_iam_policy.default_cache_bucket[0] will be created
  + resource "aws_iam_policy" "default_cache_bucket" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "codebuild-myproject-cache-bucket"
      + name_prefix      = (known after apply)
      + path             = "/service-role/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = "s3:*"
                      + Effect   = "Allow"
                      + Resource = [
                          + "/*",
                          + "",
                        ]
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "Name" = "codebuild-myproject"
        }
      + tags_all         = {
          + "Name" = "codebuild-myproject"
        }
    }

Environment

  • OS: macOS 15.5
  • Platform: darwin_arm64
  • Module version: 2.0.2
  • Terraform version: 1.12.2
    • aws provider: 5.48.0
    • random provider: 3.7.2

Additional Context

Root cause analysis

local.s3_cache_enabled will be true if we enable S3 caching:

locals {
  s3_cache_enabled       = var.cache_type == "S3"
}

which results in an IAM policy built from the following policy document:

data "aws_iam_policy_document" "permissions_cache_bucket" {
  count = module.this.enabled && local.s3_cache_enabled ? 1 : 0
  statement {
    sid = ""

    actions = [
      "s3:*",
    ]

    effect = "Allow"

    resources = [
      join("", aws_s3_bucket.cache_bucket[*].arn),
      "${join("", aws_s3_bucket.cache_bucket[*].arn)}/*",
    ]
  }
}

As we can see, the policy document's resources are not adopted for the s3_cache_bucket_name input; it only works when creating a new S3 bucket. Therefore, when using a custom bucket we get an empty string from join, which results in an invalid Resource list.
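One way the policy document could be built so that it works for both the module-created bucket and a caller-supplied one, shown here as an added example and not as code from the cloudposse/codebuild/aws module. It assumes var.s3_cache_bucket_name is null (or empty) when unset, that aws_s3_bucket.cache_bucket is only created when no custom bucket is given, and that the narrowed action list (an assumption, used in place of s3:*) covers what CodeBuild needs for its cache; adjust it if a build fails with an access error. The precondition turns the empty ARN into a plan-time failure with a readable message instead of a MalformedPolicyDocument 400 from IAM at apply time.

```hcl
# Added example, not the module's own code. Assumptions: var.s3_cache_bucket_name
# is null/empty when unset; aws_s3_bucket.cache_bucket exists only when the module
# creates the bucket; the action list below is enough for CodeBuild's S3 cache.
data "aws_partition" "current" {}

locals {
  s3_cache_enabled = var.cache_type == "S3"

  # ARN for a caller-supplied bucket, built from its name (partition-aware).
  custom_cache_bucket_arn = (
    var.s3_cache_bucket_name != null && var.s3_cache_bucket_name != ""
    ? "arn:${data.aws_partition.current.partition}:s3:::${var.s3_cache_bucket_name}"
    : ""
  )

  # ARN for the bucket this module creates ("" when count is 0).
  created_cache_bucket_arn = join("", aws_s3_bucket.cache_bucket[*].arn)

  # Prefer the caller-supplied bucket; fall back to the module-created one.
  cache_bucket_arn = (
    local.custom_cache_bucket_arn != ""
    ? local.custom_cache_bucket_arn
    : local.created_cache_bucket_arn
  )
}

data "aws_iam_policy_document" "permissions_cache_bucket" {
  count = module.this.enabled && local.s3_cache_enabled ? 1 : 0

  lifecycle {
    # Catch the "no bucket ARN" case during plan rather than as an IAM
    # CreatePolicy error. If the ARN is not yet known (bucket being created
    # in the same run), Terraform defers the check to apply.
    precondition {
      condition     = startswith(local.cache_bucket_arn, "arn:")
      error_message = "S3 cache is enabled but no cache bucket ARN could be determined; set s3_cache_bucket_name or let the module create the bucket."
    }
  }

  statement {
    sid    = "CodeBuildCacheBucket"
    effect = "Allow"

    # Assumed least-privilege set for the cache instead of s3:*.
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]

    # Bucket ARN for ListBucket/GetBucketLocation, object ARN for the rest.
    resources = [
      local.cache_bucket_arn,
      "${local.cache_bucket_arn}/*",
    ]
  }
}
```

With this shape, the reproduction above yields a Resource list of arn:aws:s3:::codebuild-myproject-s3-cache-bucket and arn:aws:s3:::codebuild-myproject-s3-cache-bucket/* instead of "" and "/*", and a misconfiguration that leaves both sources empty is reported by the precondition before any IAM call is made. The bucket's own policy must still allow the CodeBuild service role, since an identity policy alone is not sufficient for a bucket owned by another account.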

Labels: bug 🐛 An issue with the system
