diff --git a/README.md b/README.md
index 447198c3..93ef93ab 100644
--- a/README.md
+++ b/README.md
@@ -83,9 +83,15 @@ module "cdn" {
dns_alias_enabled = true
parent_zone_name = "cloudposse.com"
- deployment_principal_arns = {
- "arn:aws:iam::123456789012:role/principal1" = ["prefix1/", "prefix2/"]
- "arn:aws:iam::123456789012:role/principal2" = [""]
+ deployment_principals = {
+ "principal1": {
+ "arn": "arn:aws:iam::123456789012:role/principal1"
+ "path_prefixes": ["prefix1/", "prefix2/"]
+ },
+ "principal2": {
+ "arn": "arn:aws:iam::123456789012:role/principal2"
+ "path_prefixes": [""]
+ }
}
}
```
@@ -484,8 +490,9 @@ Available targets:
| [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no |
| [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
-| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit `deployment_principal_arns` to perform on bucket and bucket prefixes (see `deployment_principal_arns`) | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no |
-| [deployment\_principal\_arns](#input\_deployment\_principal\_arns) | (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'. | `map(list(string))` | `{}` | no |
+| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit `deployment_principals` to perform on bucket and bucket prefixes (see `deployment_principals`) | `list(string)` | [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no |
+| [deployment\_principal\_arns](#input\_deployment\_principal\_arns) | DEPRECATED. Use `deployment_principals` instead. | `map(list(string))` | `null` | no |
+| [deployment\_principals](#input\_deployment\_principals) | (Optional) Map of objects that define the IAM Principal's to grant `deployment_actions` permissions. Each object in the map should have an IAM Principal ARN and a list of S3 path
prefixes to scope that principal's actions in the bucket.
Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'. | `map(object({ path_prefix = list(string), arn = string }))` | `{}` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [distribution\_enabled](#input\_distribution\_enabled) | Set to `false` to create the distribution but still prevent CloudFront from serving requests. | `bool` | `true` | no |
| [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name` | `bool` | `false` | no |
diff --git a/README.yaml b/README.yaml
index 2ef85ec6..29d982e9 100644
--- a/README.yaml
+++ b/README.yaml
@@ -79,9 +79,15 @@ usage: |-
dns_alias_enabled = true
parent_zone_name = "cloudposse.com"
- deployment_principal_arns = {
- "arn:aws:iam::123456789012:role/principal1" = ["prefix1/", "prefix2/"]
- "arn:aws:iam::123456789012:role/principal2" = [""]
+ deployment_principals = {
+ "principal1": {
+ "arn": "arn:aws:iam::123456789012:role/principal1"
+ "path_prefixes": ["prefix1/", "prefix2/"]
+ },
+ "principal2": {
+ "arn": "arn:aws:iam::123456789012:role/principal2"
+ "path_prefixes": [""]
+ }
}
}
```
diff --git a/deprecated.tf b/deprecated.tf
index 81dc6e85..25d18f55 100644
--- a/deprecated.tf
+++ b/deprecated.tf
@@ -7,7 +7,15 @@ locals {
cloudfront_access_log_include_cookies = var.log_include_cookies == null ? var.cloudfront_access_log_include_cookies : var.log_include_cookies
cloudfront_access_log_prefix = var.log_prefix == null ? var.cloudfront_access_log_prefix : var.log_prefix
+ deployment_principals_from_deprecated_deployment_principal_arns = {
+ for arn, path_prefix in coalesce(var.deployment_principal_arns, {}) :
+ arn => {
+ "arn" : arn,
+ "path_prefix" : path_prefix
+ }
+ }
+ deployment_principals = var.deployment_principal_arns == null ? var.deployment_principals : local.deployment_principals_from_deprecated_deployment_principal_arns
+
# New variables, but declare them here for consistency
cloudfront_access_log_create_bucket = var.cloudfront_access_log_create_bucket
-}
-
+}
\ No newline at end of file
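Review bot: The `deployment_principals` selector prefers the deprecated variable whenever it is non-null, so a caller that sets both `deployment_principal_arns` and the new `deployment_principals` has the new map silently discarded, and because this local feeds the S3 deployment policy that is a silent change in which principals receive write access. Either give the new variable precedence (`var.deployment_principals != {} ? var.deployment_principals : local.deployment_principals_from_deprecated_deployment_principal_arns`) or fail loudly when both are set, for example with a lifecycle precondition on the resource that consumes the policy. The `\ No newline at end of file` marker shows this hunk also drops the trailing newline from deprecated.tf, the opposite of what the variables.tf hunk in this commit does; keep the newline. The enclosing `locals` block starts outside the hunk.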
diff --git a/docs/terraform.md b/docs/terraform.md
index ff4cf8a0..ca357389 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -83,8 +83,9 @@
| [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no |
| [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
-| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit `deployment_principal_arns` to perform on bucket and bucket prefixes (see `deployment_principal_arns`) | `list(string)` | [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no |
-| [deployment\_principal\_arns](#input\_deployment\_principal\_arns) | (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'. | `map(list(string))` | `{}` | no |
+| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit `deployment_principals` to perform on bucket and bucket prefixes (see `deployment_principals`) | `list(string)` | [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no |
+| [deployment\_principal\_arns](#input\_deployment\_principal\_arns) | DEPRECATED. Use `deployment_principals` instead. | `map(list(string))` | `null` | no |
+| [deployment\_principals](#input\_deployment\_principals) | (Optional) Map of objects that define the IAM Principal's to grant `deployment_actions` permissions. Each object in the map should have an IAM Principal ARN and a list of S3 path
prefixes to scope that principal's actions in the bucket.
Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'. | `map(object({ path_prefix = list(string), arn = string }))` | `{}` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [distribution\_enabled](#input\_distribution\_enabled) | Set to `false` to create the distribution but still prevent CloudFront from serving requests. | `bool` | `true` | no |
| [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name` | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 7ba9c1e3..76615a11 100644
--- a/main.tf
+++ b/main.tf
@@ -183,19 +183,19 @@ data "aws_iam_policy_document" "s3_website_origin" {
}
data "aws_iam_policy_document" "deployment" {
- for_each = local.enabled ? var.deployment_principal_arns : {}
+ for_each = local.enabled ? local.deployment_principals : {}
statement {
actions = var.deployment_actions
resources = distinct(flatten([
[local.origin_bucket.arn],
- formatlist("${local.origin_bucket.arn}/%s*", each.value),
+ formatlist("${local.origin_bucket.arn}/%s*", each.value.path_prefix),
]))
principals {
type = "AWS"
- identifiers = [each.key]
+ identifiers = [each.value.arn]
}
}
}
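Review bot: `each.value.path_prefix` is expanded through `formatlist("${local.origin_bucket.arn}/%s*", ...)`, so an empty-string prefix (the form shown in the README example) becomes `<bucket-arn>/*`, and the bucket ARN itself is always in the resource list, which means `s3:ListBucket` from the default `deployment_actions` is never narrowed to a principal's prefixes even when specific ones are given. If prefix scoping is intended as a real boundary, the list actions need a `condition` on `s3:prefix` (which requires a separate statement), otherwise a comment such as `# Listing is bucket-wide by design; prefixes only scope object-level actions` above the `resources` line would make the grant explicit. Switching the instance key from the ARN to the map key appears intended, but anything that references `data.aws_iam_policy_document.deployment[...]` by key elsewhere in the module will need the same rename; I cannot see those references from this hunk.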
diff --git a/variables.tf b/variables.tf
index 256a445b..dce02878 100644
--- a/variables.tf
+++ b/variables.tf
@@ -480,11 +480,12 @@ variable "versioning_enabled" {
description = "When set to 'true' the s3 origin bucket will have versioning enabled"
}
-variable "deployment_principal_arns" {
- type = map(list(string))
+variable "deployment_principals" {
+ type = map(object({ path_prefix = list(string), arn = string }))
default = {}
description = <<-EOT
- (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
+ (Optional) Map of objects that define the IAM Principal's to grant `deployment_actions` permissions. Each object in the map should have an IAM Principal ARN and a list of S3 path
+ prefixes to scope that principal's actions in the bucket.
Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'.
EOT
}
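Review bot: The new `path_prefix` attribute's description says prefixes should not begin with '/', but nothing enforces it, and a leading slash produces a resource ARN of the form `<bucket-arn>//prefix*` that quietly matches nothing the deployer expects, so a `validation` block on the variable should reject such entries at plan time. The attribute is also named `path_prefix` (singular) for a `list(string)`, while the usage example added to README.md and README.yaml in this same commit spells it `path_prefixes` and uses JSON-style `:` separators, so that example would fail type checking against this variable; align one with the other before release. The validation below uses `substr` rather than `startswith` so it does not raise the module's minimum Terraform version.

```terraform
variable "deployment_principals" {
  # … unchanged: type, default, description …
  validation {
    condition = alltrue(flatten([
      for p in values(var.deployment_principals) : [
        for prefix in p.path_prefix : substr(prefix, 0, 1) != "/"
      ]
    ]))
    error_message = "Entries in path_prefix must not begin with '/'."
  }
}
```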
@@ -492,7 +493,7 @@ variable "deployment_principal_arns" {
variable "deployment_actions" {
type = list(string)
default = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
- description = "List of actions to permit `deployment_principal_arns` to perform on bucket and bucket prefixes (see `deployment_principal_arns`)"
+ description = "List of actions to permit `deployment_principals` to perform on bucket and bucket prefixes (see `deployment_principals`)"
}
variable "cloudfront_origin_access_identity_iam_arn" {
@@ -633,6 +634,13 @@ variable "origin_groups" {
# Variables below here are DEPRECATED and should not be used anymore
+variable "deployment_principal_arns" {
+ type = map(list(string))
+ default = null
+ description = "DEPRECATED. Use `deployment_principals` instead."
+}
+
+
variable "access_log_bucket_name" {
type = string
default = null
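Review bot: The deprecated variable's description does not say what happens when it is set alongside `deployment_principals`, while deprecated.tf in this commit makes the non-null deprecated value win, so a migrating user has no hint why their new map is ignored; extend the string to say that when non-null this value takes precedence over `deployment_principals`. The two consecutive blank lines added after the block are also out of step with the single blank line separating the other variable blocks visible in this hunk.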
@@ -679,4 +687,4 @@ variable "http_version" {
type = string
default = "http2"
description = "The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3"
-}
\ No newline at end of file
+}