fix policy with empty_customer_accounts (#180)

* fix policy with empty_customer_accounts * update changelog Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Nov 11, 2020 · 2b06e16 · 2b06e16
1 parent 92e7287
commit 2b06e16
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.7.1] - 2020-11-11
+### Fixed
+- Fix managed bucket policy with empty_customer_accounts.
+
 ## [6.7.0] - 2020-11-09
 ### Added
 - Support to override customer accounts per managed schema.

diff --git a/s3.tf b/s3.tf
@@ -16,8 +16,7 @@ data "template_file" "bucket_policy" {
 
   vars = {
     #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
-    customer_principal = "${length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key) ?
-    join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""}"
+    customer_principal = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key)) && each.value["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""
 
     bucket_name       = each.value["data_bucket"]
     encryption        = each.value["encryption"]