feat: Stop requiring s3:ListAllMyBuckets IAM permission unless needed (for bucket ACL) #243
Conversation
Branch force-pushed from ef20375 to f99ead3 (commit: Stop requiring s3:ListAllMyBuckets IAM permission unless needed.)
This PR has been automatically marked as stale because it has been open 30 days.
This removes the otherwise unnecessary need for the `s3:ListAllMyBuckets` permission.
If `var.owner["id"]` is provided, then `aws_canonical_user_id` is still not needed.
Branch force-pushed from f99ead3 to f2af914
Bump please
## [3.15.0](v3.14.1...v3.15.0) (2023-08-22)

### Features

* Stop requiring `s3:ListAllMyBuckets` IAM permission unless needed (for bucket ACL) ([#243](#243)) ([74fcc60](74fcc60))

This PR is included in version 3.15.0 🎉
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description

This skips executing the `data.aws_canonical_user_id.this` data source unless it is actually needed. The data source is only needed when the `aws_s3_bucket_acl.this` resource needs to be created and the `var.owner["id"]` value isn't available.

Motivation and Context

As per the `data.aws_canonical_user_id` documentation, this data source requires the `s3:ListAllMyBuckets` IAM permission. Note that this permission isn't required by anything else in this module. When the data source isn't needed, then by the principle of least privilege, we shouldn't require the `s3:ListAllMyBuckets` permission. This additional permission is particularly obvious when migrating existing `aws_s3_*` resources into this module.

Breaking Changes

Not a breaking change: for callers that have the `s3:ListAllMyBuckets` permission, the module will continue to behave as before except simply skip the `ListBuckets` S3 API calls.

How Has This Been Tested?

- I have updated at least one of the `examples/*` to demonstrate and validate my change(s) - No interface changes.
- I have tested and validated these changes using one or more of the provided `examples/*` projects
- I have executed `pre-commit run -a` on my pull request
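The gating pattern the PR describes, written out as an added standalone illustration rather than the module's own code; the `create_acl` input and the `owner` map with an optional `id` key are assumed names standing in for the module's ACL-creation logic and `var.owner`:

```hcl
variable "create_acl" {
  type    = bool
  default = true
}

variable "owner" {
  type    = map(string) # may carry an "id" key holding the bucket owner's canonical user id
  default = {}
}

locals {
  # The canonical-user lookup is the only call here that needs s3:ListAllMyBuckets,
  # so instantiate it only when the ACL is created and no owner id was supplied.
  need_canonical_id = var.create_acl && try(var.owner["id"], null) == null
}

# count = 0 means Terraform never evaluates this data source, so no ListBuckets call is made.
data "aws_canonical_user_id" "this" {
  count = local.need_canonical_id ? 1 : 0
}

resource "aws_s3_bucket" "this" {
  bucket = "example-least-privilege-bucket" # constructed sample name
}

resource "aws_s3_bucket_acl" "this" {
  count  = var.create_acl ? 1 : 0
  bucket = aws_s3_bucket.this.id

  access_control_policy {
    grant {
      grantee {
        type = "CanonicalUser"
        id   = try(var.owner["id"], data.aws_canonical_user_id.this[0].id)
      }
      permission = "FULL_CONTROL"
    }
    owner {
      # Prefer the caller-supplied id; the [0] index only resolves when the data
      # source was actually created, which is exactly the case where no id was given.
      id = try(var.owner["id"], data.aws_canonical_user_id.this[0].id)
    }
  }
}
```

On a newly created bucket the ACL resource additionally needs `aws_s3_bucket_ownership_controls` with an `object_ownership` other than `BucketOwnerEnforced`, which is left out here to keep the example focused on the permission gating.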