Merge pull request #81 from ministryofjustice/feature/one-pass-custom…

…-bucket-policy allow custom policies to be defined in one pass
ministryofjustice · Feb 28, 2023 · 981bf39 · 981bf39
2 parents eb66d89 + 768f5d7
commit 981bf39
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 3 deletions.
diff --git a/.github/workflows/go-terratest.yml b/.github/workflows/go-terratest.yml
@@ -16,12 +16,12 @@ jobs:
           go-version: 1.18
       - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
-          terraform_version: 1.0.1
+          terraform_version: "~1"
           terraform_wrapper: false
       - name: Download Go Modules
         working-directory: test
         run: go mod download
       - name: Run Go Tests
         working-directory: test
         run: go test -v
-        
+
diff --git a/README.md b/README.md
@@ -113,6 +113,7 @@ No modules.
 | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
@@ -123,6 +124,7 @@ No modules.
 | <a name="input_acl"></a> [acl](#input\_acl) | Canned ACL to use on the bucket | `string` | `"private"` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Please use bucket\_prefix instead of bucket\_name to ensure a globally unique name. | `string` | `null` | no |
 | <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | JSON for the bucket policy | `list(string)` | <pre>[<br>  "{}"<br>]</pre> | no |
+| <a name="input_bucket_policy_v2"></a> [bucket\_policy\_v2](#input\_bucket\_policy\_v2) | Alternative to bucket\_policy.  Define policies directly without needing to know the bucket ARN | <pre>list(object({<br>    effect  = string<br>    actions = list(string)<br>    principals = optional(object({<br>      type        = string<br>      identifiers = list(string)<br>    }))<br>    conditions = optional(list(object({<br>      test     = string<br>      variable = string<br>      values   = list(string)<br>    })), [])<br>  }))</pre> | `[]` | no |
 | <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | Bucket prefix, which will include a randomised suffix to ensure globally unique names | `string` | `null` | no |
 | <a name="input_custom_kms_key"></a> [custom\_kms\_key](#input\_custom\_kms\_key) | KMS key ARN to use | `string` | `""` | no |
 | <a name="input_custom_replication_kms_key"></a> [custom\_replication\_kms\_key](#input\_custom\_replication\_kms\_key) | KMS key ARN to use for replication to eu-west-2 | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -160,8 +160,37 @@ resource "aws_s3_bucket_versioning" "default" {
   }
 }
 
+data "aws_iam_policy_document" "bucket_policy_v2" {
+  dynamic "statement" {
+    for_each = var.bucket_policy_v2
+    content {
+      effect  = statement.value.effect
+      actions = statement.value.actions
+      resources = [
+        aws_s3_bucket.default.arn,
+        "${aws_s3_bucket.default.arn}/*"
+      ]
+      dynamic "principals" {
+        for_each = statement.value.principals != null ? [statement.value.principals] : []
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+      dynamic "condition" {
+        for_each = statement.value.conditions
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
+    }
+  }
+}
+
 data "aws_iam_policy_document" "default" {
-  override_policy_documents = var.bucket_policy
+  override_policy_documents = concat(var.bucket_policy, [data.aws_iam_policy_document.bucket_policy_v2.json])
 
   statement {
     effect  = "Deny"

diff --git a/variables.tf b/variables.tf
@@ -28,6 +28,24 @@ variable "bucket_policy" {
   default     = ["{}"]
 }
 
+variable "bucket_policy_v2" {
+  type = list(object({
+    effect  = string
+    actions = list(string)
+    principals = optional(object({
+      type        = string
+      identifiers = list(string)
+    }))
+    conditions = optional(list(object({
+      test     = string
+      variable = string
+      values   = list(string)
+    })), [])
+  }))
+  description = "Alternative to bucket_policy.  Define policies directly without needing to know the bucket ARN"
+  default     = []
+}
+
 variable "bucket_prefix" {
   type        = string
   description = "Bucket prefix, which will include a randomised suffix to ensure globally unique names"