Knowledge Base

What's the correct way of merging bucket policy inputs?

Answer

Hello! We have an s3 module in envcommon with the following policy:

```
bucket_policy_statements = {
  DenyUnEncryptedObjectUploads = {
    effect     = "Deny"
    actions    = ["s3:PutObject"]
    keys       = ["", "/*"]
    principals = { AWS = ["*"] }
    condition = {
      RequireSSE = {
        test = "StringNotEquals"
        # As posted, variable and values were swapped: the condition key is the
        # SSE request header and the expected value is "aws:kms".
        variable = "s3:x-amz-server-side-encryption"
        values   = ["aws:kms"]
      }
    }
  }
}
```

Then we have modules in each env for different S3 buckets. The thing is, whenever we specify additional values for `bucket_policy_statements` in these modules, the policy statement in envcommon is overwritten. Ideally, we'd like to merge the global, "all buckets must have this" envcommon policy with whatever custom policy each individual bucket requires. What's the correct way of doing this?

[r:terraform-aws-data-storage](https://github.com/gruntwork-io/terraform-aws-data-storage)

Hi, I was thinking that extracting it into a common file and including it with `merge_strategy = "deep"` should help:

```
# common.hcl
inputs = {
  bucket_policy_statements = {
    DenyUnEncryptedObjectUploads = {
      effect     = "Deny"
      actions    = ["s3:PutObject"]
      keys       = ["", "/*"]
      principals = { AWS = ["*"] }
      condition = {
        RequireSSE = {
          test = "StringNotEquals"
          # As posted, variable and values were swapped: the condition key is the
          # SSE request header and the expected value is "aws:kms".
          variable = "s3:x-amz-server-side-encryption"
          values   = ["aws:kms"]
        }
      }
    }
  }
}
```

```
# app1/terragrunt.hcl
include "inputs" {
  path           = find_in_parent_folders("common.hcl")
  merge_strategy = "deep"
}

inputs = {
  bucket_policy_statements = {
    aaa = "bbb"
  }
}
```

```
# app1/main.tf
variable "bucket_policy_statements" {}

# Writes the merged input out so the result of the include can be inspected.
resource "local_file" "foo" {
  content  = var.bucket_policy_statements
  filename = "${path.module}/file.json"
}
```

Test:

```
$ cd app1
$ terragrunt apply
$ cat file.json
{
  "DenyUnEncryptedObjectUploads": {
    "actions": [
    ...
  },
  "aaa": "bbb"
}
```

Full example: https://github.com/denis256/terragrunt-tests/tree/master/dependency-merge
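The difference between the two merge strategies is easy to see outside Terragrunt. The script below is an added example, not code from this thread or from the terraform-aws-data-storage module: it models the envcommon inputs from the answer and a constructed per-bucket statement (`AllowLogDelivery`, chosen for illustration), applies a top-level merge and a recursive map merge, and includes a small check that reports any mandatory baseline statement missing from the result. The `deep_merge` function is a minimal recursive map merge written for illustration; it is not Terragrunt's implementation, which has further rules for lists and other blocks.

```python
"""Why `merge_strategy = "deep"` keeps the envcommon Deny statement.

Added example for the Knowledge Base thread; not code from the thread or the
terraform-aws-data-storage module. Inputs are constructed from the thread.
"""
from copy import deepcopy

# Baseline inputs from envcommon (the common.hcl in the answer).
COMMON_INPUTS = {
    "bucket_policy_statements": {
        "DenyUnEncryptedObjectUploads": {
            "effect": "Deny",
            "actions": ["s3:PutObject"],
            "keys": ["", "/*"],
            "principals": {"AWS": ["*"]},
            "condition": {
                "RequireSSE": {
                    "test": "StringNotEquals",
                    "variable": "s3:x-amz-server-side-encryption",
                    "values": ["aws:kms"],
                }
            },
        }
    }
}

# Constructed per-bucket inputs: a child terragrunt.hcl adding one statement.
APP_INPUTS = {
    "bucket_policy_statements": {
        "AllowLogDelivery": {
            "effect": "Allow",
            "actions": ["s3:PutObject"],
            "keys": ["/logs/*"],
            "principals": {"Service": ["logging.s3.amazonaws.com"]},
        }
    }
}


def shallow_merge(parent, child):
    """Child's top-level keys replace the parent's (the default behaviour the
    question describes), so the whole bucket_policy_statements map is lost."""
    merged = deepcopy(parent)
    merged.update(deepcopy(child))
    return merged


def deep_merge(parent, child):
    """Recursively merge nested maps; for non-map values the child wins.
    Illustrative only: Terragrunt's deep merge has additional rules."""
    merged = deepcopy(parent)
    for key, value in child.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def missing_baseline_statements(inputs, required=("DenyUnEncryptedObjectUploads",)):
    """Names of mandatory statements absent from the merged inputs; a CI step
    can fail on a non-empty result before any bucket is created without them."""
    present = inputs.get("bucket_policy_statements", {})
    return [name for name in required if name not in present]


if __name__ == "__main__":
    shallow = shallow_merge(COMMON_INPUTS, APP_INPUTS)
    deep = deep_merge(COMMON_INPUTS, APP_INPUTS)
    print("shallow merge lost:", missing_baseline_statements(shallow))
    print("deep merge lost:", missing_baseline_statements(deep))
    print("deep merge statements:", sorted(deep["bucket_policy_statements"]))
```

Run as-is, the shallow merge reports `DenyUnEncryptedObjectUploads` as missing while the deep merge keeps both statements, which is exactly the overwrite the question observed and the fix the answer proposes.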