Add deployment ARNs to S3 path prefixes map (#15)

* Update `aws_iam_policy_document` * Add deployment ARNs to S3 prefixes mapping * Change `replication_source_principal_arn` to `replication_source_principal_arns`
cloudposse · Oct 25, 2017 · 283be0b · 283be0b
1 parent 234fca4
commit 283be0b
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # terraform-aws-s3-website
 
-Terraform module for Creating S3 backed Websites
+Terraform module for creating S3 backed Websites
 
 ## Further Reading
 
@@ -68,8 +68,8 @@ module "website_with_cname" {
 | `logs_standard_transition_days`     | `30`           | Number of days to persist in the standard storage tier before moving to the glacier tier                        | No       |
 | `logs_glacier_transition_days`      | `60`           | Number of days after which to move the data to the glacier storage tier                                         | No       |
 | `logs_expiration_days`              | `90`           | Number of days after which to expunge the objects                                                               | No       |
-| `replication_source_principal_arn`  | `[]`           | List of principal ARNs to grant replication access from different aws account.                                  | No       |
-| `deployment_arns`                   | `[]`           | List of ARNs to grant `deployment_actions` permissions on this bucket                                           | No       |
+| `replication_source_principal_arns` | `[]`           | List of principal ARNs to grant replication access from different AWS accounts                                  | No       |
+| `deployment_arns`                   | `{}`           | Map of deployment ARNs to S3 prefixes to grant `deployment_actions` permissions                                 | No       |
 | `deployment_actions`                | read/write/ls  | List of actions to permit deployment ARNs to perform                                                            | No       |
 
 

diff --git a/main.tf b/main.tf
@@ -10,7 +10,7 @@ module "logs" {
 }
 
 module "default_label" {
-  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.2.1"
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.2.2"
   namespace  = "${var.namespace}"
   stage      = "${var.stage}"
   name       = "${var.name}"
@@ -64,7 +64,6 @@ resource "aws_s3_bucket" "default" {
       days = "${var.noncurrent_version_expiration_days}"
     }
   }
-
 }
 
 # AWS only supports a single bucket policy on a bucket. You can combine multiple Statements into a single policy, but not attach multiple policies.
@@ -86,16 +85,20 @@ data "aws_iam_policy_document" "default" {
     }
   }]
 
+  # Support replication ARNs
   statement = ["${flatten(data.aws_iam_policy_document.replication.*.statement)}"]
+
+  # Support deployment ARNs
+  statement = ["${flatten(data.aws_iam_policy_document.deployment.*.statement)}"]
 }
 
 data "aws_iam_policy_document" "replication" {
-  count = "${signum(length(var.replication_source_principal_arn))}"
+  count = "${signum(length(var.replication_source_principal_arns))}"
 
   statement {
     principals {
-      type = "AWS"
-      identifiers = ["${var.replication_source_principal_arn}"]
+      type        = "AWS"
+      identifiers = ["${var.replication_source_principal_arns}"]
     }
 
     actions = [
@@ -110,18 +113,23 @@ data "aws_iam_policy_document" "replication" {
       "${aws_s3_bucket.default.arn}/*",
     ]
   }
+}
+
+data "aws_iam_policy_document" "deployment" {
+  count = "${length(keys(var.deployment_arns))}"
 
-  # Support deployment ARNs
   statement {
+    sid     = "AllowDeployment"
     actions = ["${var.deployment_actions}"]
 
-    resources = ["${aws_s3_bucket.default.arn}",
-      "${aws_s3_bucket.default.arn}/*",
+    resources = [
+      "${aws_s3_bucket.default.arn}",
+      "${aws_s3_bucket.default.arn}/${lookup(var.deployment_arns, element(keys(var.deployment_arns), count.index))}",
     ]
 
     principals {
       type        = "AWS"
-      identifiers = ["${var.deployment_arns}"]
+      identifiers = ["${element(keys(var.deployment_arns), count.index)}"]
     }
   }
 }

diff --git a/variables.tf b/variables.tf
@@ -101,13 +101,6 @@ variable "region" {
   default = ""
 }
 
-variable "replication_source_principal_arn" {
-  type        = "list"
-  default     = []
-  description = "(Optional) List of principal ARNs to grant replication access from different aws account."
-}
-
-
 variable "versioning_enabled" {
   default = ""
 }
@@ -116,14 +109,20 @@ variable "force_destroy" {
   default = ""
 }
 
-variable "deployment_arns" {
-  description = "(Optional) List of ARNs to grant `deployment_actions` permissions on this bucket"
+variable "replication_source_principal_arns" {
   type        = "list"
   default     = []
+  description = "(Optional) List of principal ARNs to grant replication access from different AWS accounts"
+}
+
+variable "deployment_arns" {
+  type        = "map"
+  default     = {}
+  description = "(Optional) Map of deployment ARNs to S3 prefixes to grant `deployment_actions` permissions"
 }
 
 variable "deployment_actions" {
-  description = "List of actions to permit deployment ARNs to perform"
   type        = "list"
   default     = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
+  description = "List of actions to permit deployment ARNs to perform"
 }