Following https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html I want to ensure all DynamoDB access is through the gateway endpoint.
I want to use a data source to filter down the gateway details:
```hcl
data "aws_vpc_endpoint_service" "dynamodb" {
  service = "dynamodb"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "policy"
    effect = "Allow"
    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:UpdateItem",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:sourceVpce"
      values   = [data.aws_vpc_endpoint_service.dynamodb.id]
    }
  }
}

resource "aws_iam_policy" "db" {
  name   = "policy"
  policy = data.aws_iam_policy_document.policy.json
  path   = "/"
}
```
This though isn't working. The plan is showing 9 numbers rather than the endpoint ID:
```
# aws_iam_policy.db will be created
resource "aws_iam_policy" "db" {
    arn       = (known after apply)
    id        = (known after apply)
    name      = "policy"
    path      = "/"
    policy    = jsonencode(
        {
            Statement = [
                {
                    Action    = [
                        "dynamodb:UpdateItem",
                        "dynamodb:Scan",
                        "dynamodb:PutItem",
                        "dynamodb:GetItem",
                    ]
                    Condition = {
                        StringEquals = {
                            aws:sourceVpce = "808703518"
                        }
                    }
                    Effect    = "Allow"
                    Resource  = "*"
                    Sid       = "policy"
                },
            ]
            Version   = "2012-10-17"
        }
    )
    policy_id = (known after apply)
    tags_all  = (known after apply)
}

Plan: 1 to add, 0 to change, 0 to destroy.
```
Can anyone suggest where I have gone wrong?
Changing the attribute to "arn" from "id" correctly populates the ARN. I am just unable to return the correct DynamoDB endpoint ID.
CodePudding user response:
You need to use the `service_id` property:

```hcl
values = [data.aws_vpc_endpoint_service.dynamodb.service_id]
```

`id` is a "special" attribute that is used by Terraform to uniquely identify the resource. Generally speaking, you never really want to use it.
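The plan above slipped through because nothing checked the shape of the value landing in `aws:sourceVpce`. As an added example (not from the question or answer above), the check below parses a rendered IAM policy JSON document and flags any `aws:sourceVpce` value that does not look like a VPC endpoint ID; the sample policies are constructed from the plan shown above, and the `vpce-0123456789abcdef0` value is a placeholder, not a real endpoint.

```python
import json
import re

# A VPC endpoint ID is "vpce-" followed by 8 or 17 lowercase hex characters.
VPCE_ID_RE = re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def check_source_vpce(policy_json: str) -> list[str]:
    """Return one finding per aws:sourceVpce value that is not a VPC endpoint ID.
    Accepts a single statement or a list, and scalar or list condition values;
    an empty result means every endpoint condition has the vpce-... shape."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        sid = stmt.get("Sid", "<no sid>")
        for operator, conds in stmt.get("Condition", {}).items():
            for key, values in conds.items():
                if key.lower() != "aws:sourcevpce":
                    continue
                if not isinstance(values, list):
                    values = [values]
                for value in values:
                    if not VPCE_ID_RE.match(str(value)):
                        findings.append(f"{sid}: {operator}/{key} = {value!r} is not a VPC endpoint ID")
    return findings


def _policy(vpce_value: str) -> str:
    """Build the policy from the plan above as JSON with the given condition value."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "policy",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                       "dynamodb:Scan", "dynamodb:UpdateItem"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:sourceVpce": vpce_value}},
        }],
    })


# Constructed samples: the value the plan actually rendered, and a placeholder
# endpoint ID of the expected shape (not a real endpoint).
BROKEN_POLICY = _policy("808703518")
FIXED_POLICY = _policy("vpce-0123456789abcdef0")

if __name__ == "__main__":
    for finding in check_source_vpce(BROKEN_POLICY):
        print(finding)
```

With `terraform show -json <planfile>` the `policy` attribute of the planned `aws_iam_policy` arrives as a JSON string that can be handed straight to `check_source_vpce`, so the check can run in CI before apply.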