From 2b06e16d42c904c70c2e2e241d1bc170780d874e Mon Sep 17 00:00:00 2001
From: rpoluri <38321430+rpoluri@users.noreply.github.com>
Date: Wed, 11 Nov 2020 09:59:53 -0600
Subject: [PATCH] fix policy with empty_customer_accounts (#180)
* fix policy with empty_customer_accounts
* update changelog
Co-authored-by: Raj Poluri
---
 CHANGELOG.md | 4 ++++
 s3.tf | 3 +--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fdf6df..5d683fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [6.7.1] - 2020-11-11
+### Fixed
+- Fix managed bucket policy with empty_customer_accounts.
+
 ## [6.7.0] - 2020-11-09
 ### Added
 - Support to override customer accounts per managed schema.
diff --git a/s3.tf b/s3.tf
index e9c38dd..5413948 100644
--- a/s3.tf
+++ b/s3.tf
@@ -16,8 +16,7 @@ data "template_file" "bucket_policy" {
 vars = {
 #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
- customer_principal = "${length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key) ?
- join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""}"
+ customer_principal = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key)) && each.value["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""
 bucket_name = each.value["data_bucket"]
 encryption = each.value["encryption"]
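Review bot: The new `each.value["customer_accounts"] != ""` guard on `customer_principal` in s3.tf only covers a wholly empty string. A value with a trailing or doubled comma still yields an empty element from `split`, which `formatlist` turns into `arn:aws:iam:::root`, and a space after a comma ends up inside the ARN, so the rendered bucket policy can still carry a malformed principal. Normalising the list first, e.g. `compact(split(",", replace(each.value["customer_accounts"], " ", "")))`, handles the empty-string case as well and would make the extra `!= ""` test unnecessary. How the JSON template renders an empty `customer_principal` is not visible here; it is worth confirming that it omits the customer statement rather than emitting an empty `Principal`. The `vars` map and the `data "template_file"` block start and continue outside this hunk.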