AWS S3 VPC Endpoint Policy Document

Question

I am trying to create a policy for my AWS S3 VPC Endpoint through Terraform.

My terraform:

  policy = jsonencode({
      Sid    = "Restrict-Access-To-Specific-Bucket"
      Principal = "*"
      Action = "*"
      Effect = "Allow"
      Resource = [
        "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}",
        "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}/*"
      ]
  })

When using this, I am getting the following error:

│ Error: Error creating VPC Endpoint: InvalidPolicyDocument: Please provide a valid VPC Endpoint policy
│       status code: 400, request id: 1b08a075-0c65-4f1c-92a9-bcbeced15db1

I am not sure if my formatting is off or if I am missing a field somewhere. Any help would be appreciated.

Answer 1

You are missing Statement array that should wrap all that's inside jsonencode({.

Check for examples here:

https://cloudonaut.io/defining-iam-policies-with-terraform/ https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy

Answer 2

VPC endpoint policy

  policy = jsonencode({
      Sid    = "Restrict-Access-To-Specific-Bucket"
      Principal = "*"
      Action = "*"
      Effect = "Allow"
      Resource = [
        "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}",
        "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}/*"
      ],
      "Principal": "*",
      "Condition": {
      "StringEquals": {
      "aws:PrincipalAccount": "${account_id}"
     }
   }
  }
)

main.tf

data "aws_caller_identity" "current" {} 
module "vpc_endpoint" {
  source                 = "./modules/vpc-endpoint"
  vpc_id                 = module.vpc.vpc_id
  iam                    = module.iam.iam.arn
  service_name           = "com.amazonaws.${local.region}.s3"
  route_table_id         = module.vpc.private_route_table_ids
  account_id             = data.aws_caller_identity.current.account_id
}

S3 Bucket Policy

{
    "Version": "2008-10-17",
    "Id": "Access-to-bucket-using-specific-endpoint",
    "Statement": [
      {
        "Sid": "DenyIfNotFromAllowedVPCendpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}",
          "arn:aws:s3:::${aws_s3_bucket.snowflake-data-bucket-raw.id}/*"
                    ],
        "Condition": {
          "StringNotEquals": {
            "aws:userid" : [
             "${userid}"
             ],
            "aws:sourceVpce": "${vpc_endpoint}"
          }
        }
      }
    ]
  }

main.tf

data "aws_vpc_endpoint" "s3" {
  vpc_id       = module.vpc.vpc_id
  service_name = "com.amazonaws.${local.region}.s3"
}
module "s3" {
  source           = "./modules/s3"
  userid           = "FFFFV3SSS3PH1E2LSSS2D"
  vpc_endpoint     = data.aws_vpc_endpoint.s3.id
}

if you need userid run command below:

aws sts get-caller-identity

Attention in S3 Bucket Policy here we put your id for run terraform without errors

"StringNotEquals": {
            "aws:userid" : [
             "${userid}"
             ],