Reputation: 477
My pipeline is going to be run across several different AWS accounts. Some accounts have all the S3 buckets needed, while some are missing some of the buckets.
I need my IAM policy to include ARNs of all S3 buckets if they exist. If an account has some S3 buckets that do not exist, those ARNs should be omitted from the policy. Something along the lines of:
# Check if S3 bucket 1 exists
data "aws_s3_bucket" "bucket1" {
  count  = "${var.bucket1_exist == "true" ? 1 : 0}"
  bucket = "bucket1"
}
# ...
# Check if S3 bucket N exists
data "aws_s3_bucket" "bucketN" {
  count  = "${var.bucketN_exist == "true" ? 1 : 0}"
  bucket = "bucketN"
}

# Dynamic IAM policy: the splat (.*.arn) is an empty list when count is 0,
# so a bucket flagged as absent simply drops out of the resources list
data "aws_iam_policy_document" "conditional" {
  statement {
    sid = "1"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
    resources = "${concat(data.aws_s3_bucket.bucket1.*.arn, data.aws_s3_bucket.bucketN.*.arn)}"
  }
}
Is there any way I can dynamically set this IAM policy? I know Terraform requires explicit declaration of existing resources, but is there no way to work around dynamic environments with similar code?
Upvotes: 2
Views: 1243
Reputation: 238647
You can't do this with plain TF, as TF does not have functionality to check if something exists or not. For such functionality you would probably have to develop an external resource in TF for that. You could also do the same with aws_lambda_invocation.
Whatever you choose, it's ultimately up to you to implement the logic for checking if something exists or not.
Upvotes: 1
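An added example, not code from the question or the answer, of the external-program approach the answer points to: a small Python program that Terraform's `external` data source runs to report which buckets exist, so the policy only ever references buckets that are actually there. The script path (`check_buckets.py`), the `var.bucket_names` variable and the HCL wiring in the docstring are assumptions, and `boto3` must be installed where `terraform plan` runs.

```python
#!/usr/bin/env python3
"""Terraform `external` data source program (added example).

Protocol: Terraform writes a JSON object of string values to stdin (here one
key, "buckets", holding a comma-separated list) and expects a JSON object of
string values on stdout. Assumed HCL that consumes it (not from the post):

  data "external" "buckets" {
    program = ["python3", "${path.module}/check_buckets.py"]
    query   = { buckets = join(",", var.bucket_names) }
  }

  locals {
    # only buckets reported as "true" make it into the policy
    existing_arns = [for b, ok in data.external.buckets.result :
                     "arn:aws:s3:::${b}" if ok == "true"]
  }
"""
import json
import sys
from typing import Callable, Dict, List


def bucket_exists_boto3(name: str) -> bool:
    """HeadBucket probe. A 404 means absent; any other failure (e.g. 403)
    aborts the plan so a permissions problem never silently shapes the policy."""
    import boto3  # imported here so check_buckets() is testable without AWS
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3").head_bucket(Bucket=name)
        return True
    except ClientError as err:
        if err.response["Error"]["Code"] in ("404", "NoSuchBucket"):
            return False
        raise


def check_buckets(names: List[str], exists: Callable[[str], bool]) -> Dict[str, str]:
    """Map bucket -> "true"/"false"; the external protocol allows only string values."""
    return {n: ("true" if exists(n) else "false") for n in names if n}


def main() -> None:
    query = json.load(sys.stdin)
    names = [n.strip() for n in query.get("buckets", "").split(",")]
    json.dump(check_buckets(names, bucket_exists_boto3), sys.stdout)


if __name__ == "__main__":
    main()
```

Because `external` executes an arbitrary program with the pipeline's credentials, keep the script in version control next to the Terraform code and review it like any other IAM change.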