Anyone from Hashicorp -- y'all are gonna end me. Please put the best way to do things into your own docs. You have https://www.terraform.io/docs/providers/aws/d/iam_policy_doc... and can do

  data "aws_iam_policy_document" "s3_bucket" {
    version = "2012-10-17"
    statement {
      sid = "PublicReadGetObject"

      principals {
        type = "*"
        identifiers = ["*"]
      }
      actions = [
        "s3:GetObject"
      ]

      resources = [
        "arn:aws:s3:::${var.bucket_name}/*"
      ]
    }
  }

  resource "aws_s3_bucket" "s3_bucket" {
    bucket = var.bucket_name

    acl    = "public-read"

    policy = data.aws_iam_policy_document.s3_bucket.json

    website {
      index_document = "index.html"
      error_document = "error.html"
    }

    tags = var.tags
  }

Oh, or like the Consul TLS tutorial from two weeks back, which had (has?) invalid configuration examples and incorrect documentation.

As much documentation as they have, Hashicorp products can be very confusing.

FWIW, the "Learn" link on terraform.io goes to the same codelabs in the blog and there's some existing guidance in the docs. I don't mind separate domains for these kinds of things, but I agree that they should at least add links in the docs.

Are you referring to the learn guide demonstrating the policy JSON reference in the aws_s3_bucket.policy vs the provider documentation demonstrating the reference inside an aws_iam_policy.policy?

The guide.

Also, like, most of their examples ignore this data resource. That specific data resource, with terraform 0.12 makes building IAMs so much nicer, because you can mash a bunch of common ones together with for_each and generate policies in a dynamic way without having to learn dynamic IAM stuff, which is it's own thing entirely.

Since HN threads often attract a bit of a negative vibe, may I take the opportunity to say to any Hashicorp employees reading this that I think your products are fantastic.

Terraform is particularly excellent, but everything you produce is carefully designed, well built, and reliable.

So great job, Hashicorp. Keep it up.

The product is fantastic, but don't expect upgrades to work.

0.11->0.12 totally hosed me. Not necessarily because of TF itself, but because of the scaleway provider I was using changed everything around such that coming up with the right state file that didn't destroy all my existing instances, was very difficult. I eventually gave up and found someone to do my hosting for me cause it was just too much work to deal with TF changes over time.

I also feel like the concept of looping is a weird afterthought. I want to create 10 vms of the exact same type. Now I have to build a module for reusability, remember to put count everywhere and use dynamic variables all over the place, after studying all the documentation 1000 times. I wish this had been thought out a bit more.

That's because looping was an afterthought. I think the project was initially supposed to be a purely declarative language, with Hashicorp pushing back against proposals for common functions.

Then they succumbed to demand with HCL 2. As much as I like Terraform in the general sense, their obsession with this weird DSL bothers me immensely.

Alternatively, I'm really enjoying the AWS CDK and hope Pulumi garners some more traction here.

Oh, thanks for the tip on Pulumi. I will definitely take a look at in the future. I agree, HCL is weird and I always wondered why people didn't just write this stuff as code. Using Typescript is great for this, but I wonder why they need to support 'any language'... seems like a documentation/support nightmare. Just do one thing well!

I realize now my comment comes across as pretty bad, but I love (and use) every single Hashicorp product. They are the company that gets the entire DevOps paradigm more than any other single entity.