From 3095c530cafe12d4423b1a277ead49b851778bbe Mon Sep 17 00:00:00 2001 From: James Maddox Date: Mon, 28 Oct 2024 12:42:27 -0400 Subject: [PATCH] Updated dynamic statements to be conditional based on if app account numbers are present in list or not --- kms.tf | 23 +++++++++++------------ s3-accesslog.tf | 2 +- s3-cloudtrail.tf | 4 ++-- s3-elb-accesslog.tf | 2 +- 4 files changed, 15 insertions(+), 16 deletions(-) diff --git a/kms.tf b/kms.tf index 8ecb8ce..fac7884 100644 --- a/kms.tf +++ b/kms.tf @@ -75,7 +75,7 @@ data "aws_iam_policy_document" "ebs_key" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = [ @@ -96,7 +96,7 @@ data "aws_iam_policy_document" "ebs_key" { } } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = [ @@ -138,7 +138,7 @@ data "aws_iam_policy_document" "s3_key" { # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:*"] @@ -211,7 +211,7 @@ data "aws_iam_policy_document" "s3_key" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:GenerateDataKey*"] @@ -254,7 +254,7 @@ data "aws_iam_policy_document" "sns_key" { } } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = [ 
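Review bot: The new `for_each` filter on the ebs_key `dynamic "statement"` blocks (and every other hunk in kms.tf) excludes only the exact empty string, so a whitespace-padded or otherwise malformed entry in `var.application_account_numbers` still yields a statement whose principal ARN KMS is likely to reject at apply time. The commit title suggests callers pass `""` as a "no application accounts" placeholder; rather than special-casing that at fourteen call sites, the contract belongs on the variable, e.g. `validation { condition = alltrue([for a in var.application_account_numbers : a == "" || can(regex("^[0-9]{12}$", a))])` / `error_message = "application_account_numbers entries must be 12-digit AWS account IDs (or empty)." }`, or at minimum `if trimspace(account) != ""` in the filter. The variable declaration is outside this diff, so I cannot tell whether such a check already exists; if the default is simply `[]`, the filter is unnecessary, since `for_each` over an empty list already produces no statements.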
@@ -291,7 +291,7 @@ data "aws_iam_policy_document" "secrets_manager_key" { # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:*"] @@ -364,7 +364,7 @@ data "aws_iam_policy_document" "cloudwatch_key" { # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:*"] @@ -437,7 +437,7 @@ data "aws_iam_policy_document" "cloudwatch_key" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:GenerateDataKey*"] @@ -470,7 +470,7 @@ data "aws_iam_policy_document" "config_key" { # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:*"] @@ -483,7 +483,7 @@ data "aws_iam_policy_document" "config_key" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { effect = "Allow" actions = ["kms:*"] @@ -504,5 +504,4 @@ data "aws_iam_policy_document" "config_key" { identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_number}:root"] } } -} - +} \ No newline at end of file diff --git a/s3-accesslog.tf b/s3-accesslog.tf index 00baef7..d8915f3 100644 --- a/s3-accesslog.tf 
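Review bot: The same inline comprehension is now duplicated in every `dynamic "statement"` block in the secrets_manager_key, cloudwatch_key and config_key documents (and elsewhere in the patch), so a future tweak to the filter is easy to apply in one place and miss in another. Hoist it once, e.g. `locals { application_accounts = { for idx, account in var.application_account_numbers : idx => account if account != "" } }`, and use `for_each = local.application_accounts` in each block; `statement.value` is unchanged. Separately, several of the statements gated by this filter still grant `actions = ["kms:*"]`, and the change only decides which accounts are included, not what they receive; it is worth confirming that full key administration rather than the use-only set (`kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey*`, `kms:DescribeKey`) is intended for application accounts. The `principals` blocks of those statements fall outside the hunks shown, so I cannot see which principal each grant names.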
+++ b/s3-accesslog.tf @@ -54,7 +54,7 @@ data "aws_iam_policy_document" "s3_accesslogs_bucket_policy" { resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.resource_prefix}-${var.aws_region}-s3-accesslogs/*"] } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { actions = ["s3:PutObject"] effect = "Allow" diff --git a/s3-cloudtrail.tf b/s3-cloudtrail.tf index 44dc0d1..2acd4bf 100644 --- a/s3-cloudtrail.tf +++ b/s3-cloudtrail.tf @@ -71,7 +71,7 @@ data "aws_iam_policy_document" "log_bucket_policy" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { #sid = "AgencyAWSCloudTrailWrite" actions = ["s3:PutObject"] @@ -90,7 +90,7 @@ data "aws_iam_policy_document" "log_bucket_policy" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { #sid = "AgencyAWSCloudTrailAclCheck" actions = ["s3:GetBucketAcl"] diff --git a/s3-elb-accesslog.tf b/s3-elb-accesslog.tf index cbec1db..1f0edec 100644 --- a/s3-elb-accesslog.tf +++ b/s3-elb-accesslog.tf @@ -66,7 +66,7 @@ data "aws_iam_policy_document" "elb_accesslogs_bucket_policy" { } dynamic "statement" { - for_each = var.application_account_numbers + for_each = { for idx, account in var.application_account_numbers : idx => account if account != "" } content { actions = ["s3:PutObject"] effect = "Allow"
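Review bot: The `#sid = "AgencyAWSCloudTrailWrite"` line left commented out in the s3-cloudtrail.tf `dynamic "statement"` block can now be restored, because the filtered map gives every instance a distinct key: `sid = "AgencyAWSCloudTrailWrite${statement.key}"`, and likewise `sid = "AgencyAWSCloudTrailAclCheck${statement.key}"` in the following hunk. Unique Sids make the generated bucket policy far easier to audit and to correlate with CloudTrail or Access Analyzer findings. The hunk ends before the `principals` and `condition` blocks, so I cannot see them; since this statement grants cross-account `s3:PutObject`, please confirm it still carries the `s3:x-amz-acl = bucket-owner-full-control` condition and, if the principal is the CloudTrail service, an `aws:SourceArn` restriction to that account's trail, so that only CloudTrail from the listed account, not any principal in it, can write log objects.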