From 69f0910bdb65d920fb4abbd0648bc7a30059df16 Mon Sep 17 00:00:00 2001 From: Chris Freeman Date: Tue, 31 May 2022 13:41:00 +0100 Subject: [PATCH 1/6] bucket_policy test --- main.tf | 41 +++++++++++++++++++++++++---------------- variables.tf | 6 ++++++ 2 files changed, 31 insertions(+), 16 deletions(-) diff --git a/main.tf b/main.tf index 690407f..e122080 100644 --- a/main.tf +++ b/main.tf @@ -294,14 +294,14 @@ resource "aws_s3_bucket_website_configuration" "this" { } -resource "aws_s3_bucket_policy" "s3_website_bucket" { - count = var.website_hosting && !var.enforce_tls ? 1 : 0 +resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = < Date: Tue, 31 May 2022 13:41:45 +0100 Subject: [PATCH 2/6] remove unused bucket policy --- main.tf | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/main.tf b/main.tf index e122080..a2439ae 100644 --- a/main.tf +++ b/main.tf @@ -338,21 +338,6 @@ POLICY } -resource "aws_s3_bucket_policy" "enforce_tls_bucket_policy" { - count = s ? 1 : 0 - bucket = aws_s3_bucket.this.id - - policy = < Date: Tue, 31 May 2022 13:53:40 +0100 Subject: [PATCH 3/6] bucket policy resource --- main.tf | 75 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/main.tf b/main.tf index a2439ae..0e058c3 100644 --- a/main.tf +++ b/main.tf @@ -294,48 +294,49 @@ resource "aws_s3_bucket_website_configuration" "this" { } -resource "aws_s3_bucket_policy" "this" { - bucket = aws_s3_bucket.this.id - policy = < Date: Tue, 31 May 2022 17:00:08 +0100 Subject: [PATCH 4/6] bucket_policy dependson --- main.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 0e058c3..67e5a23 100644 --- a/main.tf +++ b/main.tf 
@@ -580,9 +580,7 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket" { depends_on = [ aws_s3_bucket.this, - aws_s3_bucket_policy.s3_website_bucket, - aws_s3_bucket_policy.s3_website_bucket, - aws_s3_bucket_policy.enforce_tls_bucket_policy, + aws_s3_bucket_policy.this, aws_iam_policy.s3_bucket_with_kms_iam_policy_1, aws_iam_policy.s3_bucket_with_kms_iam_policy_2, aws_iam_policy.s3_bucket_with_kms_and_whitelist_iam_policy_1, From 030878e8de9ee5d25f4739932ae3f3fa7f8785aa Mon Sep 17 00:00:00 2001 From: Chris Freeman Date: Tue, 31 May 2022 17:03:56 +0100 Subject: [PATCH 5/6] dynamic block --- main.tf | 60 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/main.tf b/main.tf index 67e5a23..19baa16 100644 --- a/main.tf +++ b/main.tf @@ -298,38 +298,42 @@ resource "aws_s3_bucket_website_configuration" "this" { data "aws_iam_policy_document" "bucket_policy" { dynamic "statement" { for_each = var.website_hosting && !var.enforce_tls ? [1] : [] - sid = "PublicReadGetObject" - effect = "Allow" - actions = [ - "s3:GetObject" - ] - - resources = [ - "arn:aws:s3:::${var.name}/*" - ] + content { + sid = "PublicReadGetObject" + effect = "Allow" + actions = [ + "s3:GetObject" + ] + + resources = [ + "arn:aws:s3:::${var.name}/*" + ] + } } dynamic "statement" { for_each = !var.website_hosting && var.enforce_tls ? [1] : [] - sid = "AllowSSLRequestsOnly" - effect = "Deny" - actions = [ - "s3:*" - ] - - resources = [ - "arn:aws:s3:::${var.name}", - "arn:aws:s3:::${var.name}/*" - ] - - condition { - test = "Bool" - variable = "aws:SecureTransport" - - values = false - } - principals { - type = "*" + content { + sid = "AllowSSLRequestsOnly" + effect = "Deny" + actions = [ + "s3:*" + ] + + resources = [ + "arn:aws:s3:::${var.name}", + "arn:aws:s3:::${var.name}/*" + ] + + condition { + test = "Bool" + variable = "aws:SecureTransport" + + values = false + } + principals { + type = "*" + } } } } 
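Review bot: The explicit `depends_on` entry for `aws_s3_bucket_policy.this` carries no comment saying what ordering it enforces, so a later reader cannot tell whether it is load-bearing or a leftover from the removed resources. Nothing else in the hunk ties the policy to the public access block, and attach-then-block ordering matters when the policy can carry a public-read statement and the block sets `block_public_policy` — presumably that is the reason; confirm against the policy definition. A one-line comment above the entry would record it, e.g. `# attach the bucket policy before the public access block, otherwise a public-read statement is rejected once block_public_policy is on`. The enclosing `aws_s3_bucket_public_access_block` resource starts and ends outside the hunk.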
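Review bot: The `principals` block re-added under the AllowSSLRequestsOnly statement sets only `type = "*"`; the provider's `principals` block also requires `identifiers`, so `identifiers = ["*"]` is needed for the document to validate, and the condition's `values = false` should be the string list `values = ["false"]`, since `values` is a list of strings. The PublicReadGetObject statement has no `principals` at all, and S3 rejects a bucket policy statement without a Principal when the policy is attached, so the same anonymous-principal block belongs there too. Separately, the two `for_each` guards are mutually exclusive (`var.website_hosting && !var.enforce_tls` versus `!var.website_hosting && var.enforce_tls`), so when both variables are true no statement is rendered and the document is empty — confirm whether that combination is meant to be refused by a variable validation instead of producing an empty policy.
```hcl
    content {
      sid    = "PublicReadGetObject"
      effect = "Allow"
      # … unchanged: actions and resources …
      # a bucket policy statement is rejected by S3 without a Principal
      principals {
        type        = "*"
        identifiers = ["*"]
      }
    }
  # … unchanged: second dynamic "statement" header, for_each, sid, effect, actions, resources …
      condition {
        test     = "Bool"
        variable = "aws:SecureTransport"
        values   = ["false"]
      }
      principals {
        type        = "*"
        identifiers = ["*"]
      }
```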
From 9cf1098f3e3f46c77eebd3df51272e12793c998c Mon Sep 17 00:00:00 2001
From: Chris Freeman
Date: Tue, 31 May 2022 17:06:08 +0100
Subject: [PATCH 6/6] docs
---
README.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 9a94d5c..3e92bd0 100644
--- a/README.md
+++ b/README.md
@@ -153,14 +153,14 @@ Please note the following:
 | [aws_s3_bucket_cors_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_policy.enforce_tls_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_policy.s3_website_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.aes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| 
[aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.kms_key_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.kms_key_policy_document_whitelist](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.kms_key_with_whitelist_ip_and_vpc_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -189,6 +189,7 @@ Please note the following: | [acl](#input\_acl) | The access control list assigned to this bucket | `string` | `"private"` | no | | [block\_public\_access](#input\_block\_public\_access) | Blocks all public access to the bucket | `bool` | `false` | no | | [bucket\_iam\_user](#input\_bucket\_iam\_user) | The name of the iam user assigned to the created s3 bucket | `any` | n/a | yes | +| [bucket\_policy](#input\_bucket\_policy) | Custom Bucket Policy | `string` | `""` | no | | [cmk\_enable\_key\_rotation](#input\_cmk\_enable\_key\_rotation) | Enables CMK key rotation | `bool` | `true` | no | | [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | Specifies which headers are allowed. | `list` |
[
"Authorization"
]
| no | | [cors\_allowed\_methods](#input\_cors\_allowed\_methods) | Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. | `list` |
[
"GET"
]
| no |