
Resource: awsS3ControlAccessPointPolicy

Provides a resource to manage an S3 Access Point resource policy.

~> NOTE on Access Points and Access Point Policies: Terraform provides both a standalone Access Point Policy resource and an Access Point resource with a resource policy defined in-line. Do not use an Access Point with an in-line policy together with an Access Point Policy resource for the same access point: both resources would manage the same policy, and each apply would overwrite whatever the other one set. When using the standalone resource, leave `policy` unset on the Access Point and add it to `lifecycle.ignoreChanges` so Terraform does not try to remove the policy on the next plan.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsS3AccessPointExample = new aws.s3AccessPoint.S3AccessPoint(
  this,
  "example_1",
  {
    bucket: awsS3BucketExample.id,
    name: "example",
    // The policy is owned by the standalone S3ControlAccessPointPolicy
    // resource below; ignore it here so the two resources do not fight.
    lifecycle: {
      ignoreChanges: ["policy"],
    },
    publicAccessBlockConfiguration: {
      blockPublicAcls: true,
      blockPublicPolicy: false,
      ignorePublicAcls: true,
      restrictPublicBuckets: false,
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3AccessPointExample.overrideLogicalId("example");
const awsS3ControlAccessPointPolicyExample =
  new aws.s3ControlAccessPointPolicy.S3ControlAccessPointPolicy(
    this,
    "example_2",
    {
      accessPointArn: awsS3AccessPointExample.arn,
      // The policy is a JSON document string; the access point ARN is a
      // cdktf token that is resolved when the stack is synthesized.
      policy: JSON.stringify({
        Version: "2008-10-17",
        Statement: [
          {
            Effect: "Allow",
            Action: "s3:GetObjectTagging",
            Principal: { AWS: "*" },
            Resource: `${awsS3AccessPointExample.arn}/object/*`,
          },
        ],
      }),
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3ControlAccessPointPolicyExample.overrideLogicalId("example");

Note that this example policy grants `s3:GetObjectTagging` to every principal (`AWS: "*"`), so `hasPublicAccessPolicy` will be `true` once it is applied. AWS accepts it only because the access point's own public access block sets `blockPublicPolicy: false`; with `blockPublicPolicy: true` the policy would be rejected. The account-level S3 Block Public Access settings also apply to access points and can still reject or neutralise a public policy, so scope the `Principal` to specific accounts or roles unless public access is genuinely intended.

Argument Reference

The following arguments are supported:

  • accessPointArn - (Required) The ARN of the access point that you want to associate with the specified policy.
  • policy - (Required) The policy that you want to apply to the specified access point.
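The `policy` argument is a JSON policy document passed as a string. The block below is an added example, not code from this page or from the Terraform AWS provider: it builds a least-privilege, read-only access point policy for a given access point ARN, a set of principal ARNs and a key prefix, and runs a conservative check for the wildcard-principal shape that AWS reports through `hasPublicAccessPolicy`. The function names, the ARN regex, and the sample role ARN are assumptions for illustration; the `<access point ARN>/object/<key>` resource form and the `${TfToken[...]}` token format are how AWS and cdktf actually address these.

```typescript
// Added example (not part of the provider docs). Builds a scoped S3 Access Point
// policy and flags the wildcard-principal shape that AWS treats as public.

type Principal = "*" | { AWS: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17" | "2008-10-17";
  Statement: Statement[];
}

// Access point ARN shape: arn:aws:s3:<region>:<account-id>:accesspoint/<name>
const ACCESS_POINT_ARN = /^arn:aws:s3:[a-z0-9-]+:\d{12}:accesspoint\/[a-z0-9-]+$/;

// cdktf renders unresolved attributes (e.g. accessPoint.arn) as "${TfToken[...]}"
// until synth time, so the literal ARN check only applies to real ARN strings.
function isCdktfToken(value: string): boolean {
  return value.startsWith("${TfToken[");
}

// Allow only `principalArns` to read objects under `prefix` via the access point.
// Objects behind an access point are addressed as <access point ARN>/object/<key>.
export function buildReadOnlyPolicy(
  accessPointArn: string,
  principalArns: string[],
  prefix: string,
): PolicyDocument {
  if (!isCdktfToken(accessPointArn) && !ACCESS_POINT_ARN.test(accessPointArn)) {
    throw new Error(`not an S3 access point ARN: ${accessPointArn}`);
  }
  if (principalArns.length === 0) {
    // Never fall back to "*": an empty principal list is a caller bug, not a wildcard.
    throw new Error("at least one principal ARN is required");
  }
  const keyPrefix = prefix.replace(/^\/+/, "");
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "ReadObjectsUnderPrefix",
        Effect: "Allow",
        Principal: { AWS: principalArns },
        Action: ["s3:GetObject", "s3:GetObjectTagging"],
        Resource: `${accessPointArn}/object/${keyPrefix}*`,
      },
    ],
  };
}

// Conservative approximation of hasPublicAccessPolicy: an Allow statement whose
// principal is "*" (or {"AWS": "*"}) with no Condition. AWS applies a richer rule
// set, so treat `true` as definitely public and `false` as "not obviously public".
export function isPublicPolicy(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) => {
    if (s.Effect !== "Allow" || s.Condition !== undefined) return false;
    const p = s.Principal;
    if (p === "*") return true;
    const aws = Array.isArray(p.AWS) ? p.AWS : [p.AWS];
    return aws.includes("*");
  });
}
```

In a cdktf stack, pass `JSON.stringify(buildReadOnlyPolicy(accessPoint.arn, [roleArn], "reports/"))` as the `policy` argument; running `isPublicPolicy` over the document before synth is a cheap guard against shipping a wildcard principal by accident.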

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • hasPublicAccessPolicy - Indicates whether this access point currently has a policy that allows public access.
  • id - The AWS account ID and access point name separated by a colon (:).

Import

Access Point policies can be imported using the accessPointArn, e.g.

$ terraform import aws_s3control_access_point_policy.example arn:aws:s3:us-west-2:123456789012:accesspoint/example