fix: use length on s3_check for updated role policy for s3 read access

bryantbiggs · bryantbiggs · commit 9f88e2e5ed6d · 2020-10-14T19:48:13.000-04:00
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -53,5 +53,7 @@ module "default" {
   kms_alias             = aws_kms_alias.datadog.name
   dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn
 
+  depends_on = [aws_kms_alias.datadog]
+
   tags = { Environment = "test" }
 }
diff --git a/modules/log_forwarder/main.tf b/modules/log_forwarder/main.tf
@@ -96,7 +96,7 @@ resource "aws_iam_policy" "this" {
     "${path.module}/policy.tmpl",
     {
       vpc_check             = var.subnet_ids != null
-      s3_check              = var.s3_log_bucket_arns != []
+      s3_check              = length(var.s3_log_bucket_arns) > 0
       s3_log_bucket_arns    = jsonencode(var.s3_log_bucket_arns)
       datadog_s3_bucket     = "arn:aws:s3:::${local.bucket_name}"
       dd_api_key_secret_arn = var.dd_api_key_secret_arn
diff --git a/modules/vpc_flow_log_forwarder/main.tf b/modules/vpc_flow_log_forwarder/main.tf
@@ -59,7 +59,7 @@ resource "aws_iam_policy" "this" {
     "${path.module}/policy.tmpl",
     {
       vpc_check          = var.subnet_ids != null
-      s3_check           = var.s3_log_bucket_arns == []
+      s3_check           = length(var.s3_log_bucket_arns) > 0
       s3_log_bucket_arns = jsonencode(var.s3_log_bucket_arns)
       kms_arn            = data.aws_kms_key.this.arn
     }

Original file line number	Diff line number	Diff line change
`@@ -53,5 +53,7 @@ module "default" {`
`53`	`53`	`kms_alias = aws_kms_alias.datadog.name`
`54`	`54`	`dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn`
`55`	`55`
	`56`	`+ depends_on = [aws_kms_alias.datadog]`
	`57`	`+`
`56`	`58`	`tags = { Environment = "test" }`
`57`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ resource "aws_iam_policy" "this" {`
`96`	`96`	`"${path.module}/policy.tmpl",`
`97`	`97`	`{`
`98`	`98`	`vpc_check = var.subnet_ids != null`
`99`		`- s3_check = var.s3_log_bucket_arns != []`
	`99`	`+ s3_check = length(var.s3_log_bucket_arns) > 0`
`100`	`100`	`s3_log_bucket_arns = jsonencode(var.s3_log_bucket_arns)`
`101`	`101`	`datadog_s3_bucket = "arn:aws:s3:::${local.bucket_name}"`
`102`	`102`	`dd_api_key_secret_arn = var.dd_api_key_secret_arn`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ resource "aws_iam_policy" "this" {`
`59`	`59`	`"${path.module}/policy.tmpl",`
`60`	`60`	`{`
`61`	`61`	`vpc_check = var.subnet_ids != null`
`62`		`- s3_check = var.s3_log_bucket_arns == []`
	`62`	`+ s3_check = length(var.s3_log_bucket_arns) > 0`
`63`	`63`	`s3_log_bucket_arns = jsonencode(var.s3_log_bucket_arns)`
`64`	`64`	`kms_arn = data.aws_kms_key.this.arn`
`65`	`65`	`}`