
Adds concept of additional bucket policies #17

Merged
merged 9 commits into from
Feb 28, 2020

Conversation


@asiegman asiegman commented Aug 19, 2019

What

This allows a user of this module to specify additional arbitrary policies they would like to apply to the bucket.

Why

Currently, the allow_encrypted_uploads_only option uses the only attachment available for bucket policies on the s3 bucket. If a user needs to add their own policies, say to enable cross account access to the bucket, they cannot. This allows them to do that.

Example usage

# Cross-account access for the roles in var.trusted_roles. The count guard
# means the splat below yields an empty list when no roles are given.
data "aws_iam_policy_document" "additional_policies" {
  count = "${length(var.trusted_roles) > 0 ? 1 : 0}"

  statement {
    effect = "Allow"

    # principals is a nested block of the data source, not an attribute
    principals {
      type        = "AWS"
      identifiers = "${var.trusted_roles}"
    }

    actions = [
      "s3:Get*",
      "s3:Put*",
      "s3:List*"
    ]

    # Bucket ARN only; object-level actions (GetObject, PutObject) need the
    # "${bucket_arn}/*" form in addition
    resources = [
      "${module.s3_bucket.bucket_arn}"
    ]
  }
}

module "s3_bucket" {
  source                       = "git::https://github.com/asiegman/terraform-aws-s3-bucket.git?ref=moar-bucket-policy-0.11"
  enabled                      = "true"
  versioning_enabled           = "true"
  kms_master_key_arn           = "${module.my_kms_key.key_arn}"
  sse_algorithm                = "aws:kms"
  allow_encrypted_uploads_only = "true"
  name                         = "${var.name}"
  stage                        = "${var.stage}"
  namespace                    = "${var.namespace}"
  additional_bucket_policies   = ["${data.aws_iam_policy_document.additional_policies.*.json}"]
}

Example Output:

# Cleaned up and redacted new policy output from terraform plan
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-staging-example/*",
      "Principal": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms"
          ]
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-staging-example/*",
      "Principal": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": [
            "true"
          ]
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:Put*",
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::example-staging-example",
      "Principal": {
        "AWS": "arn:aws:iam::331539668475:role/example-x-account-server-role"
      }
    }
  ]
}
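The description above explains that the module's `allow_encrypted_uploads_only` Deny statements and the caller's `additional_bucket_policies` are aggregated into one bucket policy. The following Python is an added example, not code from this PR or from the cloudposse modules: it models the aggregation as plain concatenation of `Statement` lists (an assumption about what the aggregator module does) and then runs a simplified bucket-policy evaluator over constructed requests to show two things worth checking before merging such a policy: that the module's explicit Deny still wins over the caller's cross-account Allow, and that an Allow whose `Resource` is only the bucket ARN (as in the usage example above) grants nothing at object level until `bucket/*` is added. All ARNs, account IDs and object keys are constructed; identity policies, SCPs and permission boundaries are out of scope.

```python
"""Aggregate a module policy with caller statements and evaluate the result.

Added example; not code from terraform-aws-s3-bucket or the aggregator module.
All ARNs, account IDs and object keys below are constructed for illustration.
"""
import fnmatch
import json

BUCKET = "arn:aws:s3:::example-staging-example"
TRUSTED_ROLE = "arn:aws:iam::111111111111:role/example-x-account-server-role"
SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed: the two Deny statements the module emits for
# allow_encrypted_uploads_only, shaped like the PR's example output.
MODULE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {SSE_KEY: ["aws:kms"]}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {SSE_KEY: ["true"]}}},
]})

# Constructed: a caller's cross-account Allow whose only Resource is the
# bucket ARN, as in the PR's usage example.
ADDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TRUSTED_ROLE},
     "Action": ["s3:Get*", "s3:Put*", "s3:List*"], "Resource": BUCKET},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def aggregate(*docs):
    """Concatenate the Statement lists of several policy JSON strings.
    Assumption: this is what the aggregator module does; it is not its code."""
    statements = []
    for doc in docs:
        statements.extend(_as_list(json.loads(doc).get("Statement", [])))
    return {"Version": "2012-10-17", "Statement": statements}


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", arn) for v in principal.values() for p in _as_list(v))
    return False


def _condition_matches(condition, ctx):
    """Only the operators the module uses. A key missing from the request
    context makes a negated operator true; Null tests presence."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            present = key in ctx
            if operator == "Null":
                if present != (wanted[0] == "false"):
                    return False
            elif operator == "StringNotEquals":
                if present and ctx[key] in wanted:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def evaluate(policy, principal_arn, action, resource, ctx=None):
    """Return 'deny' (explicit), 'allow' or 'implicit-deny' for one request
    against this bucket policy alone. Actions match case-insensitively,
    resources case-sensitively, both with IAM-style * and ? wildcards."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny wins over every Allow
        allowed = True
    return "allow" if allowed else "implicit-deny"


def check_examples():
    """Constructed requests against the aggregated policy, then against the
    same policy with the object ARN added to the caller's Resource."""
    policy = aggregate(MODULE_POLICY, ADDITIONAL_POLICY)
    fixed = json.loads(ADDITIONAL_POLICY)
    fixed["Statement"][0]["Resource"] = [BUCKET, BUCKET + "/*"]
    policy_fixed = aggregate(MODULE_POLICY, json.dumps(fixed))
    obj = BUCKET + "/report.csv"
    kms, aes = {SSE_KEY: "aws:kms"}, {SSE_KEY: "AES256"}
    other = "arn:aws:iam::222222222222:role/other"
    return {
        "list_bucket": evaluate(policy, TRUSTED_ROLE, "s3:ListBucket", BUCKET),
        "put_kms_bucket_arn_only": evaluate(policy, TRUSTED_ROLE, "s3:PutObject", obj, kms),
        "put_aes256": evaluate(policy, TRUSTED_ROLE, "s3:PutObject", obj, aes),
        "put_no_header": evaluate(policy, TRUSTED_ROLE, "s3:PutObject", obj),
        "other_account_list": evaluate(policy, other, "s3:ListBucket", BUCKET),
        "put_kms_with_object_arn": evaluate(policy_fixed, TRUSTED_ROLE, "s3:PutObject", obj, kms),
        "put_aes256_with_object_arn": evaluate(policy_fixed, TRUSTED_ROLE, "s3:PutObject", obj, aes),
    }


if __name__ == "__main__":
    for name, result in check_examples().items():
        print(f"{name:28} {result}")
```

Running it shows `list_bucket` allowed, `put_kms_bucket_arn_only` implicitly denied (the Allow never matches an object ARN), and both AES256 and header-less uploads explicitly denied even after the object ARN is added, because the module's Deny statements are evaluated first regardless of statement order.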

@Nuru Nuru requested a review from aknysh August 19, 2019 15:44

@aknysh aknysh left a comment


thanks @asiegman
LGTM, just a few comments.

Also please rebuild README by executing these commands:

make init
make readme/deps
make readme

It will add the new variables and outputs to README.md automatically.

In general, any changes to README should be made in README.yaml (not in this case), and after that executing the commands above will rebuild README.yaml into README.md and add all new variables and outputs to README.md

thanks

asiegman and others added 4 commits August 19, 2019 10:58
@asiegman (Author) commented

@aknysh Thanks for the comments, agreed on both. Updated and READMEs generated.

@aknysh aknysh self-requested a review August 19, 2019 19:49
@@ -87,9 +87,14 @@ data "aws_iam_policy_document" "bucket_policy" {
}
}

module "aggregated_policy" {
source = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2"
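Review bot: the aggregator is fetched as `git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2`, and a git tag is mutable, so the statements that end up in the bucket policy can change with no change in this repository; consider pinning `ref` to the commit behind that tag (Terraform's git source accepts a commit SHA in `ref`) or at least recording that commit in the PR. On the `count` suggestion for this block: `module` blocks do not take `count` in Terraform 0.11, as the thread confirms below, so the `var.enabled` gating has to stay on the resources that consume `result_document`.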
@aknysh (Member) commented on this line:

count = "${var.enabled == "true" ? 1 : 0}"

let's add count to this resource as well.
Because if var.enabled is set to false, all resources w/o a count=0 will still be created by terraform.

@asiegman (Author) replied:

This is a bit tidier; done. No need for the state to have that intermediate resource if not needed.

bucket = "${join("", aws_s3_bucket.default.*.id)}"

policy = "${join("", data.aws_iam_policy_document.bucket_policy.*.json)}"
policy = "${module.aggregated_policy.result_document}"
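Review bot: `bucket` is still count-gated through `join("", aws_s3_bucket.default.*.id)`, but `policy` now comes from `module.aggregated_policy.result_document`, which is built whether or not anything feeds it; confirm what `result_document` contains when `allow_encrypted_uploads_only` is false and `additional_bucket_policies` is empty (the removed `join("", data.aws_iam_policy_document.bucket_policy.*.json)` was a splat over a counted data source and so could be empty) and make sure `aws_s3_bucket_policy` gets `count = 0` in that case rather than a document with no statements. Since the module has no `count`, the suggested splat form `join("", module.aggregated_policy.*.result_document)` is not needed.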
@aknysh (Member) commented on this line:

Suggested change
policy = "${module.aggregated_policy.result_document}"
policy = "${join("", module.aggregated_policy.*.result_document)}"

because of the count, it's now a list, not a single item

aknysh
aknysh previously requested changes Aug 19, 2019

@aknysh aknysh left a comment


@asiegman
just one minor addition

@asiegman (Author) commented

@aknysh it seems count is not valid on module statements?

https://travis-ci.org/cloudposse/terraform-aws-s3-bucket/builds/574024219#L245

Did I miss something?


aknysh commented Aug 20, 2019

@asiegman
sorry, I meant to add enabled to the module, but that module does not have it, so please discard my comment about the count

@maximmi maximmi dismissed aknysh’s stale review February 28, 2020 17:52

comments were addressed

@maximmi maximmi merged commit cc05728 into cloudposse:0.11/master Feb 28, 2020