From 52e56253a48b92de0bfb93232e5f1b4ee9a2b675 Mon Sep 17 00:00:00 2001
From: Abel Luck
Date: Fri, 11 Aug 2023 07:54:47 +0000
Subject: [PATCH] Allow multiple path_prefixes and update documentation
---
 README.yaml | 12 +++++++++---
 deprecated.tf | 3 +--
 variables.tf | 7 ++++---
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/README.yaml b/README.yaml
index 0881db2f..43467395 100644
--- a/README.yaml
+++ b/README.yaml
@@ -79,9 +79,15 @@ usage: |-
 dns_alias_enabled = true
 parent_zone_name = "cloudposse.com"
- deployment_principal_arns = {
- "arn:aws:iam::123456789012:role/principal1" = ["prefix1/", "prefix2/"]
- "arn:aws:iam::123456789012:role/principal2" = [""]
+ deployment_principals = {
+ "principal1": {
+ "arn": "arn:aws:iam::123456789012:role/principal1"
+ "path_prefixes": ["prefix1/", "prefix2/"]
+ },
+ "principal2": {
+ "arn": "arn:aws:iam::123456789012:role/principal2"
+ "path_prefixes": [""]
+ }
 }
 }
 ```
diff --git a/deprecated.tf b/deprecated.tf
index 15eb0cbe..25d18f55 100644
--- a/deprecated.tf
+++ b/deprecated.tf
@@ -18,5 +18,4 @@ locals {
 # New variables, but declare them here for consistency
 cloudfront_access_log_create_bucket = var.cloudfront_access_log_create_bucket
-}
-
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 0bbe4dc9..dce02878 100644
--- a/variables.tf
+++ b/variables.tf
@@ -481,10 +481,11 @@ variable "versioning_enabled" {
 }
 variable "deployment_principals" {
- type = map(object({ path_prefix = string, arn = string }))
+ type = map(object({ path_prefix = list(string), arn = string }))
 default = {}
 description = <<-EOT
- (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
+ (Optional) Map of objects that define the IAM Principal's to grant `deployment_actions` permissions. Each object in the map should have an IAM Principal ARN and a list of S3 path
+ prefixes to scope that principal's actions in the bucket.
 Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'.
 EOT
 }
@@ -492,7 +493,7 @@ variable "deployment_principals" {
 variable "deployment_actions" {
 type = list(string)
 default = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
- description = "List of actions to permit `deployment_principal_arns` to perform on bucket and bucket prefixes (see `deployment_principal_arns`)"
+ description = "List of actions to permit `deployment_principals` to perform on bucket and bucket prefixes (see `deployment_principals`)"
 }
 variable "cloudfront_origin_access_identity_iam_arn" {
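Review bot: The new type line declares the attribute as `path_prefix` while the commit title and the README example in this same patch use `path_prefixes`; with a strict `object({...})` type Terraform rejects a map value that carries `path_prefixes` (unknown attribute, required `path_prefix` missing), so the two must agree, and since the value is now a list the plural fits: `type = map(object({ path_prefixes = list(string), arn = string }))` — whatever builds the bucket policy from this variable is not in this diff and presumably needs the same rename. The description says prefixes should not begin with '/', but nothing enforces it, and because each prefix feeds the resource list of a grant to IAM principals, a `validation` block on the variable turns that rule into a plan-time error instead of a policy whose resources do not match what the author intended. In the description, `the IAM Principal's to grant` should read `the IAM principals to grant`. Both hunks of this file are complete within the diff.
```hcl
variable "deployment_principals" {
  type = map(object({ path_prefixes = list(string), arn = string }))
  # … unchanged: default, description …
  validation {
    condition = alltrue([
      for p in flatten([for v in var.deployment_principals : v.path_prefixes]) : !can(regex("^/", p))
    ])
    error_message = "Entries in path_prefixes must not begin with '/'."
  }
}
```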