From cc05728c69719421d58eb98e1a2622a1a431b439 Mon Sep 17 00:00:00 2001
From: Alex Siegman
Date: Fri, 28 Feb 2020 11:52:33 -0600
Subject: [PATCH] Adds concept of additional bucket policies (#17)
* Add concept of additional bucket policies
* Make linter happy maybe
* Update README
* Fix conditional
Co-Authored-By: Andriy Knysh
* Fix description
Co-Authored-By: Andriy Knysh
* Update README
* Conditionally create the aggregate policy as well
* Line up some white space, terraform fmt
* Revert aggregated_policy count conditional as not-supported
Co-authored-by: Andriy Knysh
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 11 ++++++++---
 variables.tf | 6 ++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b30aaf6b..7cf0d9b8 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 2368b9f3..916167ae 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `` | no |
diff --git a/main.tf b/main.tf
index cdac5e51..5ac36dc2 100644
--- a/main.tf
+++ b/main.tf
@@ -87,9 +87,14 @@ data "aws_iam_policy_document" "bucket_policy" {
 }
 }
+module "aggregated_policy" {
+ source = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2"
+ source_documents = "${flatten(list(data.aws_iam_policy_document.bucket_policy.*.json, var.additional_bucket_policies))}"
+}
+
 resource "aws_s3_bucket_policy" "default" {
- count = "${var.enabled == "true" && var.allow_encrypted_uploads_only == "true" ? 1 : 0}"
- bucket = "${join("", aws_s3_bucket.default.*.id)}"
+ count = "${var.enabled == "true" && (var.allow_encrypted_uploads_only == "true" || length(var.additional_bucket_policies) > 0) ? 1 : 0}"
- policy = "${join("", data.aws_iam_policy_document.bucket_policy.*.json)}"
+ bucket = "${join("", aws_s3_bucket.default.*.id)}"
+ policy = "${module.aggregated_policy.result_document}"
 }
diff --git a/variables.tf b/variables.tf
index 73422234..b15dc82f 100644
--- a/variables.tf
+++ b/variables.tf
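Review bot: The policy that lands on the bucket is now entirely `module.aggregated_policy.result_document`, i.e. the output of an external module fetched by a movable git tag (`?ref=tags/0.1.2`) merged verbatim with whatever strings the caller puts in `var.additional_bucket_policies`; nothing in this hunk validates either, so a statement that widens access (a public principal, for example) is applied exactly as written. Since this output is an access-control artifact, pin the module to an immutable revision, `?ref=<commit sha that tag 0.1.2 points to>`, and put a comment above the module block such as `# Merges the encrypted-uploads deny statement with var.additional_bucket_policies; those statements are applied unvalidated, callers own their review.` The module block carries no `count`, so it is evaluated even when `var.enabled` is not "true" (the commit message says a count there was reverted as unsupported); a comment recording that, `# No count on the module (unsupported in this Terraform version); creation is gated by the resource below`, stops the next reader from re-adding it. Whether the aggregator accepts an empty `source_documents` list when the data source (whose `count` is outside this hunk) produces nothing and no additional policies are given is not visible here and is worth confirming, since that is the default caller configuration.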
@@ -96,3 +96,9 @@ variable "allow_encrypted_uploads_only" {
 default = "false"
 description = "Set to `true` to prevent uploads of unencrypted objects to S3 bucket"
 }
+
+variable "additional_bucket_policies" {
+ type = "list"
+ default = []
+ description = "Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy"
+}
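Review bot: The description of `additional_bucket_policies` tells callers what to supply but not what happens to it: the strings are merged into the bucket policy as-is, next to the encrypted-uploads deny statement, and `type = "list"` does not constrain the elements to JSON. A description that states the contract, e.g. `description = "List of JSON policy documents (as strings) merged verbatim into the bucket policy alongside the encrypted-uploads deny statement; they are not validated, so anything that broadens access is applied as written"`, makes the risk visible where the variable is set. The same text is duplicated in README.md and docs/terraform.md in this commit, so changing it here means regenerating those tables as well.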