bucket_policy test

README.md

@@ -153,14 +153,14 @@ Please note the following:
 | [aws_s3_bucket_cors_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_policy.enforce_tls_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_policy.s3_website_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.aes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_policy_document_whitelist](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_with_whitelist_ip_and_vpc_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -189,6 +189,7 @@ Please note the following:
 | <a name="input_acl"></a> [acl](#input\_acl) | The access control list assigned to this bucket | `string` | `"private"` | no |
 | <a name="input_block_public_access"></a> [block\_public\_access](#input\_block\_public\_access) | Blocks all public access to the bucket | `bool` | `false` | no |
 | <a name="input_bucket_iam_user"></a> [bucket\_iam\_user](#input\_bucket\_iam\_user) | The name of the iam user assigned to the created s3 bucket | `any` | n/a | yes |
+| <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | Custom Bucket Policy | `string` | `""` | no |
 | <a name="input_cmk_enable_key_rotation"></a> [cmk\_enable\_key\_rotation](#input\_cmk\_enable\_key\_rotation) | Enables CMK key rotation | `bool` | `true` | no |
 | <a name="input_cors_allowed_headers"></a> [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | Specifies which headers are allowed. | `list` | <pre>[<br>  "Authorization"<br>]</pre> | no |
 | <a name="input_cors_allowed_methods"></a> [cors\_allowed\_methods](#input\_cors\_allowed\_methods) | Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. | `list` | <pre>[<br>  "GET"<br>]</pre> | no |

main.tf

@@ -294,54 +294,53 @@ resource "aws_s3_bucket_website_configuration" "this" {
 }
 
 
-resource "aws_s3_bucket_policy" "s3_website_bucket" {
-  count  = var.website_hosting && !var.enforce_tls ? 1 : 0
-  bucket = aws_s3_bucket.this.id
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "PublicReadGetObject",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": "s3:GetObject",
-      "Resource": "arn:aws:s3:::${var.name}/*"
+data "aws_iam_policy_document" "bucket_policy" {
+  dynamic "statement" {
+    for_each = var.website_hosting && !var.enforce_tls ? [1] : []
+    content {
+      sid    = "PublicReadGetObject"
+      effect = "Allow"
+      actions = [
+        "s3:GetObject"
+      ]
+
+      resources = [
+        "arn:aws:s3:::${var.name}/*"
+      ]
     }
-  ]
-}
-POLICY
-
-}
+  }
 
-resource "aws_s3_bucket_policy" "enforce_tls_bucket_policy" {
-  count  = !var.website_hosting && var.enforce_tls ? 1 : 0
-  bucket = aws_s3_bucket.this.id
+  dynamic "statement" {
+    for_each = !var.website_hosting && var.enforce_tls ? [1] : []
+    content {
+      sid    = "AllowSSLRequestsOnly"
+      effect = "Deny"
+      actions = [
+        "s3:*"
+      ]
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "AllowSSLRequestsOnly",
-      "Action": "s3:*",
-      "Effect": "Deny",
-      "Resource": [
+      resources = [
         "arn:aws:s3:::${var.name}",
         "arn:aws:s3:::${var.name}/*"
-      ],
-      "Condition": {
-        "Bool": {
-          "aws:SecureTransport": "false"
-        }
-      },
-      "Principal": "*"
+      ]
+
+      condition {
+        test     = "Bool"
+        variable = "aws:SecureTransport"
+
+        values = false
+      }
+      principals {
+        type = "*"
+      }
     }
-  ]
+  }
 }
-POLICY
 
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = var.bucket_policy != "" ? var.bucket_policy : data.aws_iam_policy_document.bucket_policy.json
 }
 
 resource "aws_iam_user" "s3_bucket_iam_user" {
@@ -585,9 +584,7 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket" {
 
   depends_on = [
     aws_s3_bucket.this,
-    aws_s3_bucket_policy.s3_website_bucket,
-    aws_s3_bucket_policy.s3_website_bucket,
-    aws_s3_bucket_policy.enforce_tls_bucket_policy,
+    aws_s3_bucket_policy.this,
     aws_iam_policy.s3_bucket_with_kms_iam_policy_1,
     aws_iam_policy.s3_bucket_with_kms_iam_policy_2,
     aws_iam_policy.s3_bucket_with_kms_and_whitelist_iam_policy_1,

variables.tf

@@ -28,6 +28,12 @@ variable "enforce_tls" {
   default     = true
 }
 
+variable "bucket_policy" {
+  description = "Custom Bucket Policy"
+  type        = string
+  default     = ""
+}
+
 variable "cmk_enable_key_rotation" {
   description = "Enables CMK key rotation"
   type        = bool