principals question in aws_iam_policy_document

[Miguel Cruz]

I'm currently migrating old buckets into new buckets (created via TF), I've run into a bucket policy (pasted at the bottom) that has a principal entry like so =>  "AIDAXXXXXXXXXXXXY6"

I have the following resource which works IF i remove the principal  "AIDAXXXXXXXXXXXXY6" problem is, I do need to keep that principal in there.

data "aws_iam_policy_document" "stuff-in" {

  statement {

    sid    = "DenyUnEncryptedObjectUploads"

    effect = "Deny"

    principals = {

      type        = "AWS"

      identifiers = ["*"]

    }

    actions   = ["s3:PutObject"]

    resources = ["arn:aws:s3:::${aws_s3_bucket.stuff-in.id}/*"]

    condition {

      test     = "StringNotEquals"

      variable = "s3:x-amz-server-side-encryption"

      values   = ["AES256"]

    }

  }

  statement {

    sid    = "DenyNoSSL"

    effect = "Deny"

    principals = {

      type        = "AWS"

      identifiers = ["*"]

    }

    actions   = ["s3:*"]

    resources = ["arn:aws:s3:::${aws_s3_bucket.stuff-in.id}/*"]

    condition {

      test     = "Bool"

      variable = "aws:SecureTransport"

      values   = ["false"]

    }

  }

  statement {

    sid    = "AllowExternalAccounts"

    effect = "Allow"

    principals = {

      type = "AWS"

      identifiers = [

        "arn:aws:iam::3xxxxxxxxxxx4:user/user1",

        "arn:aws:iam::3xxxxxxxxxxx4:user/user2",

        "AIDAXXXXXXXXXXXXY6",      <===== Not sure if this syntax is supported in Terraform

        ]

     }

    actions = [

      "s3:ListBucketVersions",

      "s3:GetBucketCORS",

      "s3:GetObjectVersionTorrent",

      "s3:GetObjectAcl",

      "s3:GetObjectTorrent",

      "s3:GetBucketRequestPayment",

      "s3:GetBucketTagging",

      "s3:ListBucket",

      "s3:GetBucketLogging",

      "s3:GetObject",

      "s3:GetBucketPolicy",

      "s3:GetBucketVersioning",

      "s3:GetObjectVersionAcl",

      "s3:GetBucketNotification",

      "s3:GetBucketAcl",

      "s3:GetObjectVersion",

      "s3:ListBucketMultipartUploads",

      "s3:GetLifecycleConfiguration",

      "s3:ListMultipartUploadParts",

      "s3:GetBucketLocation",

      "s3:GetBucketWebsite",

    ]

    resources = [

      "arn:aws:s3:::${aws_s3_bucket.stuff-in.id}",

      "arn:aws:s3:::${aws_s3_bucket.stuff-in.id}/*",

    ]

  }

I've tried a separate principals section to just put the access key looking principal (and TF crashed when i did that), not sure what else to try.

Original policy from AWS (s3) console:

{

            "Sid": "Stmt1407965911374",

            "Effect": "Allow",

            "Principal": {

                "AWS": [

                    "arn:aws:iam::3xxxxxxxxxxx4:user/user1",

                    "arn:aws:iam::3xxxxxxxxxxx4:user/user2",

                    "AIDAXXXXXXXXXXXXY6"

                ]

            },

            "Action": [

                "s3:ListBucketVersions",

                "s3:GetBucketCORS",

                "s3:GetObjectVersionTorrent",

                "s3:GetObjectAcl",

                "s3:GetObjectTorrent",

                "s3:GetBucketRequestPayment",

                "s3:GetBucketTagging",

                "s3:ListBucket",

                "s3:GetBucketLogging",

                "s3:GetObject",

                "s3:GetBucketPolicy",

                "s3:GetBucketVersioning",

                "s3:GetObjectVersionAcl",

                "s3:GetBucketNotification",

                "s3:GetBucketAcl",

                "s3:GetObjectVersion",

                "s3:ListBucketMultipartUploads",

                "s3:GetLifecycleConfiguration",

                "s3:ListMultipartUploadParts",

                "s3:GetBucketLocation",

                "s3:GetBucketWebsite"

            ],

            "Resource": [

                "arn:aws:s3:::old-stuff",

                "arn:aws:s3:::old-stuff/*"

            ]

        },