0.5.0
Change the format of `deployment_arns`
to a map of ARNs to lists of S3 prefixes
what
- Changed the format of
`deployment_arns`
to a map of ARNs to lists of S3 prefixes
why
- To be able to grant an ARN the deployment-action permissions on more than one S3 path
test
Given the following `deployment_arns`
map:
# Map of principal ARN -> list of S3 prefixes the principal may deploy to.
# Each map key becomes the "Principal".AWS of its own "AllowDeployment"
# statement in the generated bucket policy, and each prefix in the list is
# expanded to two Resource entries: the prefix itself and prefix/* (see the
# sample output below, where "/prefix1" yields ".../prefix1" and ".../prefix1/*").
# NOTE(review): an empty prefix ("") expands to the bucket root and bucket/*,
# i.e. deployment rights over the entire bucket — use it deliberately, and
# prefer explicit prefixes where least privilege matters.
# NOTE(review): every entry emits a statement with the same Sid
# ("AllowDeployment" appears twice in the sample output); confirm the target
# policy type accepts duplicate Sids before relying on this shape.
variable "deployment_arns" {
  default = {
    # two scoped prefixes for this principal
    "arn:aws:s3:::principal3" = ["/prefix1", "/prefix2"]
    # empty prefix: whole-bucket deployment access for this principal
    "arn:aws:s3:::principal4" = [""]
  }
}
The generated policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetObject",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Principal": "*"
},
{
"Sid": "AllowReplication",
"Effect": "Allow",
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:PutBucketVersioning",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:aws:s3:::bucket1/*",
"arn:aws:s3:::bucket1"
],
"Principal": {
"AWS": [
"arn:aws:s3:::principal2",
"arn:aws:s3:::principal1"
]
}
},
{
"Sid": "AllowDeployment",
"Effect": "Allow",
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::bucket1/prefix2/*",
"arn:aws:s3:::bucket1/prefix2",
"arn:aws:s3:::bucket1/prefix1/*",
"arn:aws:s3:::bucket1/prefix1"
],
"Principal": {
"AWS": "arn:aws:s3:::principal3"
}
},
{
"Sid": "AllowDeployment",
"Effect": "Allow",
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::bucket1/*",
"arn:aws:s3:::bucket1"
],
"Principal": {
"AWS": "arn:aws:s3:::principal4"
}
}
]
}