Resource: awsS3ControlMultiRegionAccessPointPolicy
Provides a resource to manage an S3 Multi-Region Access Point access control policy.
Example Usage
Basic Example
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

const awsS3BucketFooBucket = new aws.s3Bucket.S3Bucket(this, "foo_bucket", {
  bucket: "example-bucket-foo",
});

const awsS3ControlMultiRegionAccessPointExample =
  new aws.s3ControlMultiRegionAccessPoint.S3ControlMultiRegionAccessPoint(
    this,
    "example",
    {
      details: {
        name: "example",
        region: [
          {
            bucket: awsS3BucketFooBucket.id,
          },
        ],
      },
    }
  );

const awsS3ControlMultiRegionAccessPointPolicyExample =
  new aws.s3ControlMultiRegionAccessPointPolicy.S3ControlMultiRegionAccessPointPolicy(
    this,
    "example_2",
    {
      details: {
        name: `\${element(split(":", ${awsS3ControlMultiRegionAccessPointExample.id}), 1)}`,
        policy:
          '${jsonencode({\n "Version" : "2012-10-17",\n "Statement" : [\n {\n "Sid" : "Example",\n "Effect" : "Allow",\n "Principal" : {\n "AWS" : data.aws_caller_identity.current.account_id\n },\n "Action" : ["s3:GetObject", "s3:PutObject"],\n "Resource" : "arn:${data.aws_partition.current.partition}:s3::${data.aws_caller_identity.current.account_id}:accesspoint/${aws_s3control_multi_region_access_point.example.alias}/object/*"\n }\n ]\n })}',
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3ControlMultiRegionAccessPointPolicyExample.overrideLogicalId("example");

new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});

const dataAwsPartitionCurrent = new aws.dataAwsPartition.DataAwsPartition(
  this,
  "current_4",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsPartitionCurrent.overrideLogicalId("current");
Argument Reference
The following arguments are supported:
accountId - (Optional) The AWS account ID for the owner of the Multi-Region Access Point. Defaults to the automatically determined account ID of the Terraform AWS provider.
details - (Required) A configuration block containing details about the policy for the Multi-Region Access Point. See Details Configuration Block below for more details.
Details Configuration
The details block supports the following:
name - (Required) The name of the Multi-Region Access Point.
policy - (Required) A valid JSON document that specifies the policy that you want to associate with this Multi-Region Access Point. Once applied, the policy can be edited, but not deleted. For more information, see the documentation on Multi-Region Access Point Permissions.
-> NOTE: When you update the policy, the update is first listed as the proposed policy. After the update is finished and all Regions have been updated, the proposed policy is listed as the established policy. If both policies have the same version number, the proposed policy is the established policy.
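Because an applied policy can be edited but not deleted, it is worth checking the document before it reaches the policy argument. The following is an added example, not code from the provider documentation: the helper names (mrapObjectArn, lintMrapPolicy), the account ID and the alias are constructed for illustration.

```typescript
// Added example: hypothetical helpers, not provider or CDKTF APIs.
type MrapPrincipal = "*" | { AWS: string | string[] };
interface MrapStatement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: MrapPrincipal;
  Action: string[];
  Resource: string;
}
interface MrapPolicy { Version: "2012-10-17"; Statement: MrapStatement[] }

// Same ARN shape as the Resource in the basic example above.
function mrapObjectArn(partition: string, accountId: string, alias: string): string {
  return `arn:${partition}:s3::${accountId}:accesspoint/${alias}/object/*`;
}

// Returns one finding per problem; an empty array means the policy passed.
function lintMrapPolicy(policy: MrapPolicy, accountId: string, alias: string): string[] {
  const out: string[] = [];
  const scope = `:s3::${accountId}:accesspoint/${alias}`;
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue; // Deny statements only narrow access
    const p = s.Principal;
    const principals = p === "*" ? ["*"] : Array.isArray(p.AWS) ? p.AWS : [p.AWS];
    if (principals.indexOf("*") !== -1) out.push(`${s.Sid}: wildcard principal`);
    if (s.Action.some((a) => a === "*" || a === "s3:*")) out.push(`${s.Sid}: wildcard action`);
    // Resource must name this access point, or a path beneath it.
    if (s.Resource.indexOf(scope + "/") === -1 && s.Resource.slice(-scope.length) !== scope) {
      out.push(`${s.Sid}: resource not scoped to this access point`);
    }
  }
  return out;
}

// Constructed sample values, not taken from a real account.
const ACCOUNT_ID = "123456789012";
const ALIAS = "mfzwi23gnjvgw.mrap";
const examplePolicy: MrapPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "Example", Effect: "Allow", Principal: { AWS: ACCOUNT_ID },
    Action: ["s3:GetObject", "s3:PutObject"],
    Resource: mrapObjectArn("aws", ACCOUNT_ID, ALIAS),
  }],
};

// Fail before synth instead of discovering the problem after apply.
const problems = lintMrapPolicy(examplePolicy, ACCOUNT_ID, ALIAS);
if (problems.length > 0) throw new Error(problems.join("; "));
const policyJson: string = JSON.stringify(examplePolicy); // value for details.policy
```

The resulting policyJson string is what would be passed as the policy value in the details block.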
Attributes Reference
In addition to all arguments above, the following attributes are exported:
established - The last established policy for the Multi-Region Access Point.
id - The AWS account ID and access point name separated by a colon (:).
proposed - The proposed policy for the Multi-Region Access Point.
Timeouts
create - (Default 15M)
update - (Default 15M)
Import
Multi-Region Access Point Policies can be imported using the accountId and name of the Multi-Region Access Point separated by a colon (:), e.g.