diff --git a/README.md b/README.md
index 3ffc5eba..b6baacc1 100644
--- a/README.md
+++ b/README.md
@@ -298,6 +298,7 @@ Available targets:
| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
}) | `null` | no |
| [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
| [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| [privileged\_principal\_arns\_with\_condition](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
The second key of each map, the test of condition, whose associated value is a list of variable and values.
example:
default = [
{
("*") = [""],
StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
}
] | `list(map(list(string)))` | `[]` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 3ff1e53a..10172693 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -90,6 +90,7 @@
| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
}) | `null` | no |
| [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
| [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| [privileged\_principal\_arns\_with\_condition](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
The second key of each map, the test of condition, whose associated value is a list of variable and values.
example:
default = [
{
("*") = [""],
StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
}
] | `list(map(list(string)))` | `[]` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index cc899c8f..1fba382c 100644
--- a/main.tf
+++ b/main.tf
@@ -469,6 +469,29 @@ data "aws_iam_policy_document" "bucket_policy" {
}
}
}
+
+ dynamic "statement" {
+ for_each = var.privileged_principal_arns_with_condition
+
+ content {
+ sid = "AllowPrivilegedPrincipal[${statement.key}]" # add indic
+ actions = var.privileged_principal_actions
+ resources = distinct(flatten([
+ "arn:${local.partition}:s3:::${local.bucket_id}",
+ formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", values(statement.value)[0]),
+ ]))
+ principals {
+ type = "AWS"
+ identifiers = [keys(statement.value)[0]]
+ }
+ condition {
+ test = keys(statement.value)[1]
+ variable = values(statement.value)[1][0]
+
+ values = slice(values(statement.value)[1], 1, length(values(statement.value)[1]))
+ }
+ }
+ }
}
data "aws_iam_policy_document" "aggregated_policy" {
@@ -484,6 +507,7 @@ resource "aws_s3_bucket_policy" "default" {
var.allow_encrypted_uploads_only ||
length(var.s3_replication_source_roles) > 0 ||
length(var.privileged_principal_arns) > 0 ||
+ length(var.privileged_principal_arns_with_condition) > 0 ||
length(var.source_policy_documents) > 0
) ? 1 : 0
diff --git a/variables.tf b/variables.tf
index f9511615..d19ee79c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -404,6 +404,26 @@ variable "privileged_principal_arns" {
nullable = false
}
+variable "privileged_principal_arns_with_condition" {
+ type = list(map(list(string)))
+ default = []
+
+ description = <<-EOT
+ List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
+ a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
+ in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
+ The second key of each map, the test of condition, whose associated value is a list of variable and values.
+ example:
+ default = [
+ {
+ ("*") = [""],
+ StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
+ }
+ ]
+ EOT
+ nullable = false
+}
+
variable "privileged_principal_actions" {
type = list(string)
default = []