Updated dynamic statements to be conditional based on if app account …

…numbers are present in list or not
Coalfire-CF · Oct 28, 2024 · 3095c53 · 3095c53
1 parent ef25647
commit 3095c53
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 16 deletions.
diff --git a/kms.tf b/kms.tf
@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "ebs_key" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect = "Allow"
       actions = [
@@ -96,7 +96,7 @@ data "aws_iam_policy_document" "ebs_key" {
     }
   }
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect = "Allow"
       actions = [
@@ -138,7 +138,7 @@ data "aws_iam_policy_document" "s3_key" {
   # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:*"]
@@ -211,7 +211,7 @@ data "aws_iam_policy_document" "s3_key" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:GenerateDataKey*"]
@@ -254,7 +254,7 @@ data "aws_iam_policy_document" "sns_key" {
     }
   }
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect = "Allow"
       actions = [
@@ -291,7 +291,7 @@ data "aws_iam_policy_document" "secrets_manager_key" {
   # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:*"]
@@ -364,7 +364,7 @@ data "aws_iam_policy_document" "cloudwatch_key" {
   # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:*"]
@@ -437,7 +437,7 @@ data "aws_iam_policy_document" "cloudwatch_key" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:GenerateDataKey*"]
@@ -470,7 +470,7 @@ data "aws_iam_policy_document" "config_key" {
   # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:*"]
@@ -483,7 +483,7 @@ data "aws_iam_policy_document" "config_key" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       effect    = "Allow"
       actions   = ["kms:*"]
@@ -504,5 +504,4 @@ data "aws_iam_policy_document" "config_key" {
       identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_number}:root"]
     }
   }
-}
-
+}
diff --git a/s3-accesslog.tf b/s3-accesslog.tf
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "s3_accesslogs_bucket_policy" {
     resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.resource_prefix}-${var.aws_region}-s3-accesslogs/*"]
   }
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       actions = ["s3:PutObject"]
       effect  = "Allow"

diff --git a/s3-cloudtrail.tf b/s3-cloudtrail.tf
@@ -71,7 +71,7 @@ data "aws_iam_policy_document" "log_bucket_policy" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       #sid = "AgencyAWSCloudTrailWrite"
       actions = ["s3:PutObject"]
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "log_bucket_policy" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       #sid = "AgencyAWSCloudTrailAclCheck"
       actions = ["s3:GetBucketAcl"]

diff --git a/s3-elb-accesslog.tf b/s3-elb-accesslog.tf
@@ -66,7 +66,7 @@ data "aws_iam_policy_document" "elb_accesslogs_bucket_policy" {
   }
 
   dynamic "statement" {
-    for_each = var.application_account_numbers
+    for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" }
     content {
       actions = ["s3:PutObject"]
       effect  = "Allow"