diff --git a/examples/s3-policy/README.md b/examples/s3-policy/README.md
new file mode 100644
index 00000000..381015db
--- /dev/null
+++ b/examples/s3-policy/README.md
@@ -0,0 +1,58 @@
+# Complete S3 bucket with most of supported features enabled
+
+This configuration allows for deployment of a S3 Bucket Policy independent of S3 Bucket creation
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.70 |
+| [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.70 |
+| [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [s3\_bucket](#module\_s3\_bucket) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
+| [s3\_bucket\_id](#output\_s3\_bucket\_id) | The name of the bucket. |
+| [s3\_bucket\_policy](#output\_s3\_bucket\_policy) | The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string. |
+
diff --git a/examples/s3-policy/main.tf b/examples/s3-policy/main.tf
new file mode 100644
index 00000000..616d9b02
--- /dev/null
+++ b/examples/s3-policy/main.tf
@@ -0,0 +1,82 @@
+provider "aws" {
+ region = local.region
+
+ # Improve speed by skipping unnecessary checks
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ skip_credentials_validation = true
+}
+
+locals {
+ bucket_name = "s3-bucket-${random_pet.this.id}"
+ region = "eu-west-1"
+ create_bucket = false
+ attach_policy = true
+ force_destroy = true
+ versioning = true
+ enable_logging = true
+ acl = "private"
+}
+
+resource "random_pet" "this" {
+ length = 2
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_canonical_user_id" "current" {}
+
+resource "aws_iam_role" "this" {
+ assume_role_policy = < s3_bucket_public_access_block -> s3_bucket_policy )
# to prevent "A conflicting conditional operation is currently in progress against this resource."
# Ref: https://github.com/hashicorp/terraform-provider-aws/issues/7628
- bucket = aws_s3_bucket.this[0].id
+ bucket = local.create_bucket ? aws_s3_bucket.this[0].id : var.bucket
policy = data.aws_iam_policy_document.combined[0].json
depends_on = [
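Review bot: With `local.create_bucket` false, the new `bucket = local.create_bucket ? aws_s3_bucket.this[0].id : var.bucket` points `aws_s3_bucket_policy.this` at a bucket this module does not manage. A bucket policy resource sets the whole policy document, so any policy already on that bucket (for example an existing deny statement) would be replaced on apply. I would add a comment above the line, such as `# When create_bucket = false this replaces any policy already attached to var.bucket`, and repeat the caveat in the example README. The fallback branch also assumes `var.bucket` is a non-empty name; its default is not visible here, so a validation or `precondition` for that case is worth adding. The file header of this hunk is missing from the page and the resource starts above and continues past the visible lines, so its `count` expression could not be checked.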
@@ -549,7 +549,7 @@ resource "aws_s3_bucket_policy" "this" {
}
data "aws_iam_policy_document" "combined" {
- count = local.create_bucket && local.attach_policy ? 1 : 0
+ count = local.attach_policy ? 1 : 0
source_policy_documents = compact([
var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : "",
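Review bot: Dropping `local.create_bucket` from the `count` of `data.aws_iam_policy_document.combined` means `source_policy_documents` is now evaluated when no bucket is created, so entries like `data.aws_iam_policy_document.elb_log_delivery[0].json` are indexed whenever their `attach_*` flag is true. If those per-feature documents still gate their own `count` on `local.create_bucket`, or build their resource ARNs from `aws_s3_bucket.this[0]` (neither is visible in this hunk), setting such a flag with `create_bucket = false` would fail at plan time with an invalid index. Each source document should be checked for that case, and the `count` line could carry a comment such as `# evaluated even when create_bucket = false; every source document below must exist in that case`. The data block continues past the end of the hunk.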