Support Deployment ARNs (#11)

cloudposse · Sep 28, 2017 · df8734f · df8734f
1 parent 180538c
commit df8734f
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -68,6 +68,8 @@ module "website_with_cname" {
 | `logs_standard_transition_days`     | `30`           | Number of days to persist in the standard storage tier before moving to the glacier tier                        | No       |
 | `logs_glacier_transition_days`      | `60`           | Number of days after which to move the data to the glacier storage tier                                         | No       |
 | `logs_expiration_days`              | `90`           | Number of days after which to expunge the objects                                                               | No       |
+| `deployment_arns`                   | `[]`           | List of ARNs to grant `deployment_actions` permissions on this bucket                                           | No       |
+| `deployment_actions`                | read/write/ls  | List of actions to permit deployment ARNs to perform                                                            | No       |
 
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -65,12 +65,15 @@ resource "aws_s3_bucket" "default" {
   }
 }
 
+# AWS only supports a single bucket policy on a bucket. You can combine multiple Statements into a single policy, but not attach multiple policies.
+# https://github.com/hashicorp/terraform/issues/10543
 resource "aws_s3_bucket_policy" "default" {
   bucket = "${aws_s3_bucket.default.id}"
   policy = "${data.aws_iam_policy_document.default.json}"
 }
 
 data "aws_iam_policy_document" "default" {
+  # Allow public access to this bucket (website)
   statement {
     actions = ["s3:GetObject"]
 
@@ -81,6 +84,20 @@ data "aws_iam_policy_document" "default" {
       identifiers = ["*"]
     }
   }
+
+  # Support deployment ARNs
+  statement {
+    actions = ["${var.deployment_actions}"]
+
+    resources = ["${aws_s3_bucket.default.arn}",
+      "${aws_s3_bucket.default.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.deployment_arns}"]
+    }
+  }
 }
 
 module "dns" {

diff --git a/variables.tf b/variables.tf
@@ -5,7 +5,7 @@ variable "namespace" {}
 variable "stage" {}
 
 variable "tags" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
@@ -103,3 +103,15 @@ variable "versioning_enabled" {
 variable "force_destroy" {
   default = ""
 }
+
+variable "deployment_arns" {
+  description = "(Optional) List of ARNs to grant `deployment_actions` permissions on this bucket"
+  type        = "list"
+  default     = []
+}
+
+variable "deployment_actions" {
+  description = "List of actions to permit deployment ARNs to perform"
+  type        = "list"
+  default     = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
+}