From 70dab578b81b21c9e5a0265e1f6c3832af5e6d52 Mon Sep 17 00:00:00 2001
From: Figo Huang <okstarthui@hotmail.com>
Date: Thu, 18 Jan 2024 18:17:39 +1100
Subject: [PATCH] #210

---
 README.md    |  1 +
 main.tf      | 24 ++++++++++++++++++++++++
 variables.tf | 20 ++++++++++++++++++++
 3 files changed, 45 insertions(+)

diff --git a/README.md b/README.md
index fc4f31ec..9092607b 100644
--- a/README.md
+++ b/README.md
@@ -308,6 +308,7 @@ Available targets:
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br>    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.<br>    days  = number<br>    years = number<br>  })</pre> | `null` | no |
 | <a name="input_privileged_principal_actions"></a> [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
 | <a name="input_privileged_principal_arns"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| <a name="input_privileged_principal_arns_with_condition"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is <br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal, <br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. <br> The second key of each map, the test of condition, whose associated value is a list of variable and values. | `list(map(list(string)))` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
 | <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index cc899c8f..1fba382c 100644
--- a/main.tf
+++ b/main.tf
@@ -469,6 +469,29 @@ data "aws_iam_policy_document" "bucket_policy" {
       }
     }
   }
+
+  dynamic "statement" {
+    for_each = var.privileged_principal_arns_with_condition
+
+    content {
+      sid     = "AllowPrivilegedPrincipal[${statement.key}]" # add indic
+      actions = var.privileged_principal_actions
+      resources = distinct(flatten([
+        "arn:${local.partition}:s3:::${local.bucket_id}",
+        formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", values(statement.value)[0]),
+      ]))
+      principals {
+        type        = "AWS"
+        identifiers = [keys(statement.value)[0]]
+      }
+      condition {
+        test     = keys(statement.value)[1]
+        variable = values(statement.value)[1][0]
+
+        values = slice(values(statement.value)[1], 1, length(values(statement.value)[1]))
+      }
+    }
+  }
 }
 
 data "aws_iam_policy_document" "aggregated_policy" {
@@ -484,6 +507,7 @@ resource "aws_s3_bucket_policy" "default" {
     var.allow_encrypted_uploads_only ||
     length(var.s3_replication_source_roles) > 0 ||
     length(var.privileged_principal_arns) > 0 ||
+    length(var.privileged_principal_arns_with_condition) > 0 ||
     length(var.source_policy_documents) > 0
   ) ? 1 : 0
 
diff --git a/variables.tf b/variables.tf
index f9511615..d19ee79c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -404,6 +404,26 @@ variable "privileged_principal_arns" {
   nullable    = false
 }
 
+variable "privileged_principal_arns_with_condition" {
+  type    = list(map(list(string)))
+  default = []
+
+  description = <<-EOT
+    List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
+    a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
+    in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
+    The second key of each map, the test of condition, whose associated value is a list of variable and values.
+    example:
+    default = [
+    {
+      ("*")        = [""],
+      StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
+    }
+    ]
+    EOT
+  nullable    = false
+}
+
 variable "privileged_principal_actions" {
   type        = list(string)
   default     = []