v2.2.2: update docs to include sample policy

terraform-modules · Nov 4, 2021 · 232ec9f · 232ec9f
1 parent c0b21a9
commit 232ec9f
Show file tree

Hide file tree

Showing 7 changed files with 235 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,6 @@
-# aws-t26-s3
+# aws-s3
+
+Provides standard and t26 S3 bucket construction.
 
 ## Versions
 
@@ -34,3 +36,9 @@
 
 * v2.2.0 -- 20210520
   - add bucket_policy_document to be used for additional bucket policy merged with the default
+
+* v2.2.1 -- 20210528
+  - fix key_id for encryption to be the arn of the key (despite the name)
+
+* v2.2.2 -- 20211104
+  - update documenation to include sample policy and policy document
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.1"
+  _module_version = "2.2.2"
 }
diff --git a/examples/policy/sample-policy.tf b/examples/policy/sample-policy.tf
@@ -0,0 +1,42 @@
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid = "ListBuckets"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "S3WriteAccess"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject*",
+      "s3:GetObject*",
+      "s3:GetObjectAcl",
+      "s3:DeleteObject"
+    ]
+    resources = [
+      module.mybucket.s3_bucket_arn,
+      format("%v/*", mybucket.s3_bucket_arn),
+    ]
+  }
+  statement {
+    sid    = "S3AccessEncryptionKey"
+    effect = "Allow"
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey",
+      "kms:Encrypt",
+      "kms:Decrypt"
+    ]
+    resources = [module.mybucket.kms_key_id]
+  }
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "mypolicy-s3-access"
+  description = "Policy for S3 access"
+  policy      = data.aws_iam_policy_document.policy.json
+}
diff --git a/standard/README.md b/standard/README.md
@@ -20,9 +20,52 @@ module "mybucket" {
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
+```
+
+Sample policy for write access to the bucket and use of KMS key
+
+```hcl
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid = "ListBuckets"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "S3WriteAccess"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject*",
+      "s3:GetObject*",
+      "s3:GetObjectAcl",
+      "s3:DeleteObject"
+    ]
+    resources = [
+      module.mybucket.s3_bucket_arn,
+      format("%v/*", mybucket.s3_bucket_arn),
+    ]
+  }
+  statement {
+    sid    = "S3AccessEncryptionKey"
+    effect = "Allow"
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey",
+      "kms:Encrypt",
+      "kms:Decrypt"
+    ]
+    resources = [module.mybucket.kms_key_id]
+  }
+}
 
-data "aws_iam_policy_document" "mypolicy" {
-  statement { }
+resource "aws_iam_policy" "policy" {
+  name        = "mypolicy-s3-access"
+  description = "Policy for S3 access"
+  policy      = data.aws_iam_policy_document.policy.json
 }
 ```
 

diff --git a/standard/main.tf b/standard/main.tf
@@ -21,9 +21,52 @@
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 *   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
+* ```
+*
+* Sample policy for write access to the bucket and use of KMS key
 *
-* data "aws_iam_policy_document" "mypolicy" {
-*   statement { }
+* ```hcl
+* data "aws_iam_policy_document" "policy" {
+*   statement {
+*     sid = "ListBuckets"
+*     actions = [
+*       "s3:ListAllMyBuckets",
+*       "s3:GetBucketLocation"
+*     ]
+*     resources = ["*"]
+*   }
+*   statement {
+*     sid    = "S3WriteAccess"
+*     effect = "Allow"
+*     actions = [
+*       "s3:ListBucket",
+*       "s3:PutObject*",
+*       "s3:GetObject*",
+*       "s3:GetObjectAcl",
+*       "s3:DeleteObject"
+*     ]
+*     resources = [
+*       module.mybucket.s3_bucket_arn,
+*       format("%v/*", mybucket.s3_bucket_arn),
+*     ]
+*   }
+*   statement {
+*     sid    = "S3AccessEncryptionKey"
+*     effect = "Allow"
+*     actions = [
+*       "kms:ReEncrypt*",
+*       "kms:GenerateDataKey",
+*       "kms:Encrypt",
+*       "kms:Decrypt"
+*     ]
+*     resources = [module.mybucket.kms_key_id]
+*   }
+* }
+* 
+* resource "aws_iam_policy" "policy" {
+*   name        = "mypolicy-s3-access"
+*   description = "Policy for S3 access"
+*   policy      = data.aws_iam_policy_document.policy.json
 * }
 * ```
 * 
@@ -46,3 +89,6 @@ locals {
   enable_title26 = var.enable_title26 ? true : false
   versioning     = false
 }
+
+
+
diff --git a/title26/README.md b/title26/README.md
@@ -21,9 +21,52 @@ module "mybucket" {
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
+```
+
+Sample policy for write access to the bucket and use of KMS key
+
+```hcl
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid = "ListBuckets"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "S3WriteAccess"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject*",
+      "s3:GetObject*",
+      "s3:GetObjectAcl",
+      "s3:DeleteObject"
+    ]
+    resources = [
+      module.mybucket.s3_bucket_arn,
+      format("%v/*", mybucket.s3_bucket_arn),
+    ]
+  }
+  statement {
+    sid    = "S3AccessEncryptionKey"
+    effect = "Allow"
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey",
+      "kms:Encrypt",
+      "kms:Decrypt"
+    ]
+    resources = [module.mybucket.kms_key_id]
+  }
+}
 
-data "aws_iam_policy_document" "mypolicy" {
-  statement { }
+resource "aws_iam_policy" "policy" {
+  name        = "mypolicy-s3-access"
+  description = "Policy for S3 access"
+  policy      = data.aws_iam_policy_document.policy.json
 }
 ```
 

diff --git a/title26/main.tf b/title26/main.tf
@@ -22,9 +22,52 @@
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 *   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
+* ```
+*
+* Sample policy for write access to the bucket and use of KMS key
 *
-* data "aws_iam_policy_document" "mypolicy" {
-*   statement { }
+* ```hcl
+* data "aws_iam_policy_document" "policy" {
+*   statement {
+*     sid = "ListBuckets"
+*     actions = [
+*       "s3:ListAllMyBuckets",
+*       "s3:GetBucketLocation"
+*     ]
+*     resources = ["*"]
+*   }
+*   statement {
+*     sid    = "S3WriteAccess"
+*     effect = "Allow"
+*     actions = [
+*       "s3:ListBucket",
+*       "s3:PutObject*",
+*       "s3:GetObject*",
+*       "s3:GetObjectAcl",
+*       "s3:DeleteObject"
+*     ]
+*     resources = [
+*       module.mybucket.s3_bucket_arn,
+*       format("%v/*", mybucket.s3_bucket_arn),
+*     ]
+*   }
+*   statement {
+*     sid    = "S3AccessEncryptionKey"
+*     effect = "Allow"
+*     actions = [
+*       "kms:ReEncrypt*",
+*       "kms:GenerateDataKey",
+*       "kms:Encrypt",
+*       "kms:Decrypt"
+*     ]
+*     resources = [module.mybucket.kms_key_id]
+*   }
+* }
+* 
+* resource "aws_iam_policy" "policy" {
+*   name        = "mypolicy-s3-access"
+*   description = "Policy for S3 access"
+*   policy      = data.aws_iam_policy_document.policy.json
 * }
 * ```
 *