Adds concept of additional bucket policies (#17)

* Add concept of additional bucket policies * Make linter happy maybe * Update README * Fix conditional Co-Authored-By: Andriy Knysh <[email protected]> * Fix description Co-Authored-By: Andriy Knysh <[email protected]> * Update README * Conditionally create the aggregate policy as well * Line up some white space, terraform fmt * Revert aggregated_policy count conditional as not-supported Co-authored-by: Andriy Knysh <[email protected]>
cloudposse · Feb 28, 2020 · cc05728 · cc05728
1 parent b3798be
commit cc05728
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -85,6 +85,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `<list>` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `<list>` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |

diff --git a/main.tf b/main.tf
@@ -87,9 +87,14 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
+module "aggregated_policy" {
+  source           = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2"
+  source_documents = "${flatten(list(data.aws_iam_policy_document.bucket_policy.*.json, var.additional_bucket_policies))}"
+}
+
 resource "aws_s3_bucket_policy" "default" {
-  count  = "${var.enabled == "true" && var.allow_encrypted_uploads_only == "true" ? 1 : 0}"
-  bucket = "${join("", aws_s3_bucket.default.*.id)}"
+  count = "${var.enabled == "true" && (var.allow_encrypted_uploads_only == "true" || length(var.additional_bucket_policies) > 0) ? 1 : 0}"
 
-  policy = "${join("", data.aws_iam_policy_document.bucket_policy.*.json)}"
+  bucket = "${join("", aws_s3_bucket.default.*.id)}"
+  policy = "${module.aggregated_policy.result_document}"
 }
diff --git a/variables.tf b/variables.tf
@@ -96,3 +96,9 @@ variable "allow_encrypted_uploads_only" {
   default     = "false"
   description = "Set to `true` to prevent uploads of unencrypted objects to S3 bucket"
 }
+
+variable "additional_bucket_policies" {
+  type        = "list"
+  default     = []
+  description = "Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy"
+}