I'm trying to use the output generated by the answer to this question to generate a list of ARNs for an IAM policy:

data "aws_iam_policy_document" "test" {
  statement {
    effect    = "Allow"
    actions   = [ "s3:*" ]
    resources = [
        for arn in local.s3_folder_arns: [
            arn
        ]
    ]
  }
}

And I keep getting such errors:

Error: Missing item separator
│
│   on lambda.tf line 111, in data "aws_iam_policy_document" "test":
│  111:     resources = [
│  112:         for arn in local.s3_folder_arns: [
│  114:             arn
│  115:         ]
│  116:     ]
│     ├────────────────
│     │ local.s3_folder_arns is list of string with 9 elements
│
│ Inappropriate value for attribute "resources": element 0: string required.

Even though outputting the variable confirms it looks like what I want:

Changes to Outputs:
  + s3_folder_arns = [
      + "arn:aws:s3:::<my bucket>/Partner1/client1/User1/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client1/User2/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client1/User3/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client1/User4/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client1/User5/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client2/User1/output/*",
      + "arn:aws:s3:::<my bucket>/Partner1/client3/User1/output/*",
      + "arn:aws:s3:::<my bucket>/Partner2/client1/User1/output/*",
      + "arn:aws:s3:::<my bucket>/Partner3/client1/User1/output/*",
    ]

If I index the resource as arn[0], that works, but that's not what I want. I would like the list of resources that populate the IAM policy to be generated dynamically.

What am I doing wrong?

hyperwiser

1 Answer

Turns out I was using an extra pair of square brackets. Changing

resources = [
        for arn in local.s3_folder_arns: [
            arn
        ]
    ]

to

resources = [
        for arn in local.s3_folder_arns: arn
    ]

fixed the issue.

hyperwiser
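An added example, not part of the original post, showing why the extra brackets fail and two other ways to get a flat list into `resources`. The bucket name, folder list, `local.nested`, the `from_nested` data source and the output name are assumptions made for illustration.

```hcl
# Constructed sample input: bucket name and folder prefixes are placeholders.
locals {
  bucket = "example-bucket"

  folders = [
    "Partner1/client1/User1",
    "Partner1/client1/User2",
    "Partner2/client1/User1",
  ]

  # A for expression that yields a flat list(string): one ARN per folder.
  s3_folder_arns = [
    for f in local.folders : "arn:aws:s3:::${local.bucket}/${f}/output/*"
  ]

  # Wrapping each result in [ ... ] yields list(list(string)). Passing this to
  # `resources` is what produces "element 0: string required".
  nested = [for arn in local.s3_folder_arns : [arn]]
}

data "aws_iam_policy_document" "test" {
  statement {
    effect  = "Allow"
    actions = ["s3:*"]

    # A list(string) can be assigned directly. The identity expression
    # [for arn in local.s3_folder_arns : arn] gives the same result.
    resources = local.s3_folder_arns
  }
}

data "aws_iam_policy_document" "from_nested" {
  statement {
    effect  = "Allow"
    actions = ["s3:*"]

    # If the input really is nested, flatten() collapses it to list(string).
    resources = flatten(local.nested)
  }
}

# Inspect the rendered policy to confirm each ARN appears as a plain string.
output "policy_json" {
  value = data.aws_iam_policy_document.test.json
}
```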