cloudposse#210

README.md

@@ -308,6 +308,7 @@ Available targets:
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br>    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.<br>    days  = number<br>    years = number<br>  })</pre> | `null` | no |
 | <a name="input_privileged_principal_actions"></a> [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
 | <a name="input_privileged_principal_arns"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| <a name="input_privileged_principal_arns_with_condition"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is <br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal, <br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. <br> The second key of each map, the test of condition, whose associated value is a list of variable and values. | `list(map(list(string)))` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
 | <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |

main.tf

@@ -469,6 +469,29 @@ data "aws_iam_policy_document" "bucket_policy" {
       }
     }
   }
+
+  dynamic "statement" {
+    for_each = var.privileged_principal_arns_with_condition
+
+    content {
+      sid     = "AllowPrivilegedPrincipal[${statement.key}]" # add indic
+      actions = var.privileged_principal_actions
+      resources = distinct(flatten([
+        "arn:${local.partition}:s3:::${local.bucket_id}",
+        formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", values(statement.value)[0]),
+      ]))
+      principals {
+        type        = "AWS"
+        identifiers = [keys(statement.value)[0]]
+      }
+      condition {
+        test     = keys(statement.value)[1]
+        variable = values(statement.value)[1][0]
+
+        values = slice(values(statement.value)[1], 1, length(values(statement.value)[1]))
+      }
+    }
+  }
 }
 
 data "aws_iam_policy_document" "aggregated_policy" {
@@ -484,6 +507,7 @@ resource "aws_s3_bucket_policy" "default" {
     var.allow_encrypted_uploads_only ||
     length(var.s3_replication_source_roles) > 0 ||
     length(var.privileged_principal_arns) > 0 ||
+    length(var.privileged_principal_arns_with_condition) > 0 ||
     length(var.source_policy_documents) > 0
   ) ? 1 : 0
 

variables.tf

@@ -404,6 +404,26 @@ variable "privileged_principal_arns" {
   nullable    = false
 }
 
+variable "privileged_principal_arns_with_condition" {
+  type    = list(map(list(string)))
+  default = []
+
+  description = <<-EOT
+    List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
+    a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
+    in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
+    The second key of each map, the test of condition, whose associated value is a list of variable and values.
+    example:
+    default = [
+    {
+      ("*")        = [""],
+      StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
+    }
+    ]
+    EOT
+  nullable    = false
+}
+
 variable "privileged_principal_actions" {
   type        = list(string)
   default     = []