Feature/s3 inventory customer accounts (#192)

* variable to grant access to s3 inventory s3 bucket * update changelog Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Jun 17, 2021 · 68da907 · 68da907
1 parent a1426b6
commit 68da907
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.8.1] - 2021-06-17
+### Added
+- Add support for cross account access to s3 inventory.
+
 ## [6.8.0] - 2021-05-10
 ### Added
 - Add support for Apiary-specific RDS parameter groups.

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -66,6 +66,7 @@
 | ranger_policy_manager_url | Ranger admin URL to synchronize policies. | string | `` | no |
 | rds_max_allowed_packet | RDS/MySQL setting for parameter 'max_allowed_packet' in bytes. | number | `134217728` | no |
 | s3_enable_inventory | Enable S3 inventory configuration. | bool | `false` | no |
+| s3_inventory_customer_accounts | AWS account IDs allowed to access s3 inventory database. | list | - | no |
 | s3_inventory_format | Output format for S3 inventory results. Can be Parquet, ORC, CSV | string | `ORC` | no |
 | s3_inventory_update_schedule | Cron schedule to update S3 inventory tables (if enabled). Defaults to every 12 hours. | string | `0 */12 * * *` | no |
 | s3_lifecycle_policy_transition_period | Number of days for transition to a different storage class using lifecycle policy. | string  | `30` | no |

diff --git a/s3-other.tf b/s3-other.tf
@@ -29,6 +29,26 @@ resource "aws_s3_bucket" "apiary_inventory_bucket" {
           }
        }
     },
+%{if length(var.s3_inventory_customer_accounts) > 0}
+    {
+        "Sid": "S3 inventory customer account permissions",
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": [ "${join("\",\"", formatlist("arn:aws:iam::%s:root", var.s3_inventory_customer_accounts))}" ]
+        },
+        "Action": [
+            "s3:GetBucketLocation",
+            "s3:GetObject",
+            "s3:GetObjectAcl",
+            "s3:GetBucketAcl",
+            "s3:ListBucket"
+        ],
+        "Resource": [
+            "arn:aws:s3:::${local.s3_inventory_bucket}",
+            "arn:aws:s3:::${local.s3_inventory_bucket}/*"
+        ]
+    },
+%{endif}
     {
       "Sid": "DenyUnSecureCommunications",
       "Effect": "Deny",

diff --git a/variables.tf b/variables.tf
@@ -349,6 +349,12 @@ variable "s3_inventory_format" {
   default     = "ORC"
 }
 
+variable "s3_inventory_customer_accounts" {
+  description = "AWS account IDs allowed to access s3 inventory database."
+  type        = list(string)
+  default     = []
+}
+
 variable "ranger_policy_manager_url" {
   description = "Ranger admin URL to synchronize policies."
   type        = string