From 232ec9ff690b85add624c0db0a304226fd230759 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 4 Nov 2021 08:56:40 -0400
Subject: [PATCH] v2.2.2: update docs to include sample policy
---
 CHANGELOG.md | 10 ++++++-
 common/version.tf | 2 +-
 examples/policy/sample-policy.tf | 42 +++++++++++++++++++++++++++
 standard/README.md | 47 ++++++++++++++++++++++++++++--
 standard/main.tf | 50 ++++++++++++++++++++++++++++++--
 title26/README.md | 47 ++++++++++++++++++++++++++++--
 title26/main.tf | 47 ++++++++++++++++++++++++++++--
 7 files changed, 235 insertions(+), 10 deletions(-)
 create mode 100644 examples/policy/sample-policy.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4141374..081e9eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,6 @@
-# aws-t26-s3
+# aws-s3
+
+Provides standard and t26 S3 bucket construction.
 ## Versions
@@ -34,3 +36,9 @@ * v2.2.0 -- 20210520 - add bucket_policy_document to be used for additional bucket policy merged with the default
+
+* v2.2.1 -- 20210528 - fix key_id for encryption to be the arn of the key (despite the name)
+
+* v2.2.2 -- 20211104 - update documenation to include sample policy and policy document
diff --git a/common/version.tf b/common/version.tf
index 0f38ccb..548c682 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.2.1"
+ _module_version = "2.2.2"
 }
diff --git a/examples/policy/sample-policy.tf b/examples/policy/sample-policy.tf
new file mode 100644
index 0000000..94e7858
--- /dev/null
+++ b/examples/policy/sample-policy.tf
@@ -0,0 +1,42 @@
+data "aws_iam_policy_document" "policy" {
+ statement {
+ sid = "ListBuckets"
+ actions = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ sid = "S3WriteAccess"
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject*",
+ "s3:GetObject*",
+ "s3:GetObjectAcl",
+ "s3:DeleteObject"
+ ]
+ resources = [
+ module.mybucket.s3_bucket_arn,
+ format("%v/*", mybucket.s3_bucket_arn),
+ ]
+ }
+ statement {
+ sid = "S3AccessEncryptionKey"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:Encrypt",
+ "kms:Decrypt"
+ ]
+ resources = [module.mybucket.kms_key_id]
+ }
+}
+
+resource "aws_iam_policy" "policy" {
+ name = "mypolicy-s3-access"
+ description = "Policy for S3 access"
+ policy = data.aws_iam_policy_document.policy.json
+}
diff --git a/standard/README.md b/standard/README.md
index 4b37647..c6739b3 100644
--- a/standard/README.md
+++ b/standard/README.md
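Review bot: `format("%v/*", mybucket.s3_bucket_arn)` in the S3WriteAccess statement drops the `module.` prefix, so Terraform parses it as a reference to an undeclared managed resource of type `mybucket` instead of the module output, and the object-level ARN never resolves; the line directly above it already has the correct form, so the fix is `format("%v/*", module.mybucket.s3_bucket_arn),`. The same line is copied into standard/README.md, standard/main.tf, title26/README.md and title26/main.tf in this commit, so all five copies need the change. Since examples/policy/sample-policy.tf is meant to be a usable example, a `terraform validate` run against it would have caught this before the text was duplicated.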
@@ -20,9 +20,52 @@ module "mybucket" {
 # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
+```
+
+Sample policy for write access to the bucket and use of KMS key
+
+```hcl
+data "aws_iam_policy_document" "policy" {
+ statement {
+ sid = "ListBuckets"
+ actions = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ sid = "S3WriteAccess"
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject*",
+ "s3:GetObject*",
+ "s3:GetObjectAcl",
+ "s3:DeleteObject"
+ ]
+ resources = [
+ module.mybucket.s3_bucket_arn,
+ format("%v/*", mybucket.s3_bucket_arn),
+ ]
+ }
+ statement {
+ sid = "S3AccessEncryptionKey"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:Encrypt",
+ "kms:Decrypt"
+ ]
+ resources = [module.mybucket.kms_key_id]
+ }
+}
-data "aws_iam_policy_document" "mypolicy" {
- statement { }
+resource "aws_iam_policy" "policy" {
+ name = "mypolicy-s3-access"
+ description = "Policy for S3 access"
+ policy = data.aws_iam_policy_document.policy.json
 }
 ```
diff --git a/standard/main.tf b/standard/main.tf
index 4b86fde..d21c81b 100644
--- a/standard/main.tf
+++ b/standard/main.tf
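Review bot: The ListBuckets statement grants `s3:GetBucketLocation` on `resources = ["*"]`, although only `s3:ListAllMyBuckets` needs the account-wide wildcard; GetBucketLocation can sit in the S3WriteAccess statement scoped to `module.mybucket.s3_bucket_arn`. Likewise `s3:PutObject*` and `s3:GetObject*` in S3WriteAccess cover more than the sentence "write access to the bucket" suggests (PutObjectAcl and the object retention and legal-hold actions are among the matches), so either list the specific actions needed or say in the sentence above the block that the sample is a starting point to be narrowed. The same sample appears in examples/policy/sample-policy.tf, standard/main.tf, title26/README.md and title26/main.tf in this commit, so whichever wording is chosen should be applied to all of them.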
@@ -21,9 +21,52 @@
 * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 * # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
+* ```
+*
+* Sample policy for write access to the bucket and use of KMS key
 *
-* data "aws_iam_policy_document" "mypolicy" {
-* statement { }
+* ```hcl
+* data "aws_iam_policy_document" "policy" {
+* statement {
+* sid = "ListBuckets"
+* actions = [
+* "s3:ListAllMyBuckets",
+* "s3:GetBucketLocation"
+* ]
+* resources = ["*"]
+* }
+* statement {
+* sid = "S3WriteAccess"
+* effect = "Allow"
+* actions = [
+* "s3:ListBucket",
+* "s3:PutObject*",
+* "s3:GetObject*",
+* "s3:GetObjectAcl",
+* "s3:DeleteObject"
+* ]
+* resources = [
+* module.mybucket.s3_bucket_arn,
+* format("%v/*", mybucket.s3_bucket_arn),
+* ]
+* }
+* statement {
+* sid = "S3AccessEncryptionKey"
+* effect = "Allow"
+* actions = [
+* "kms:ReEncrypt*",
+* "kms:GenerateDataKey",
+* "kms:Encrypt",
+* "kms:Decrypt"
+* ]
+* resources = [module.mybucket.kms_key_id]
+* }
+* }
+*
+* resource "aws_iam_policy" "policy" {
+* name = "mypolicy-s3-access"
+* description = "Policy for S3 access"
+* policy = data.aws_iam_policy_document.policy.json
 * }
 * ```
 *
@@ -46,3 +89,6 @@ locals {
 enable_title26 = var.enable_title26 ? true : false
 versioning = false
 }
+
+
+
diff --git a/title26/README.md b/title26/README.md
index bed0d07..77674e4 100644
--- a/title26/README.md
+++ b/title26/README.md
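Review bot: The header comment of standard/main.tf now carries the full sample policy verbatim, duplicating standard/README.md (title26/main.tf duplicates title26/README.md the same way), which is how the `mybucket.s3_bucket_arn` reference mistake ended up in every copy. A one-line pointer in the comment, `* See examples/policy/sample-policy.tf for a policy granting write access to the bucket and use of the KMS key.`, keeps the module source readable and leaves a single copy to maintain. The comment block these lines belong to opens before the hunk. The second hunk in this file only appends three blank lines after the `locals` block, which `terraform fmt` would strip again.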
@@ -21,9 +21,52 @@ module "mybucket" {
 # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 }
+```
+
+Sample policy for write access to the bucket and use of KMS key
+
+```hcl
+data "aws_iam_policy_document" "policy" {
+ statement {
+ sid = "ListBuckets"
+ actions = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ resources = ["*"]
+ }
+ statement {
+ sid = "S3WriteAccess"
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject*",
+ "s3:GetObject*",
+ "s3:GetObjectAcl",
+ "s3:DeleteObject"
+ ]
+ resources = [
+ module.mybucket.s3_bucket_arn,
+ format("%v/*", mybucket.s3_bucket_arn),
+ ]
+ }
+ statement {
+ sid = "S3AccessEncryptionKey"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:Encrypt",
+ "kms:Decrypt"
+ ]
+ resources = [module.mybucket.kms_key_id]
+ }
+}
-data "aws_iam_policy_document" "mypolicy" {
- statement { }
+resource "aws_iam_policy" "policy" {
+ name = "mypolicy-s3-access"
+ description = "Policy for S3 access"
+ policy = data.aws_iam_policy_document.policy.json
 }
 ```
diff --git a/title26/main.tf b/title26/main.tf
index 7f229b1..c734d51 100644
--- a/title26/main.tf
+++ b/title26/main.tf
@@ -22,9 +22,52 @@
 * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 * # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
 * }
+* ```
+*
+* Sample policy for write access to the bucket and use of KMS key
 *
-* data "aws_iam_policy_document" "mypolicy" {
-* statement { }
+* ```hcl
+* data "aws_iam_policy_document" "policy" {
+* statement {
+* sid = "ListBuckets"
+* actions = [
+* "s3:ListAllMyBuckets",
+* "s3:GetBucketLocation"
+* ]
+* resources = ["*"]
+* }
+* statement {
+* sid = "S3WriteAccess"
+* effect = "Allow"
+* actions = [
+* "s3:ListBucket",
+* "s3:PutObject*",
+* "s3:GetObject*",
+* "s3:GetObjectAcl",
+* "s3:DeleteObject"
+* ]
+* resources = [
+* module.mybucket.s3_bucket_arn,
+* format("%v/*", mybucket.s3_bucket_arn),
+* ]
+* }
+* statement {
+* sid = "S3AccessEncryptionKey"
+* effect = "Allow"
+* actions = [
+* "kms:ReEncrypt*",
+* "kms:GenerateDataKey",
+* "kms:Encrypt",
+* "kms:Decrypt"
+* ]
+* resources = [module.mybucket.kms_key_id]
+* }
+* }
+*
+* resource "aws_iam_policy" "policy" {
+* name = "mypolicy-s3-access"
+* description = "Policy for S3 access"
+* policy = data.aws_iam_policy_document.policy.json
 * }
 * ```
 *
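Review bot: The S3AccessEncryptionKey statement puts `module.mybucket.kms_key_id` straight into `resources`, which only works because, per the v2.2.1 entry in CHANGELOG.md, that output is the key ARN despite its name, and a KMS resource element in an IAM policy needs an ARN; a reader of the sample cannot tell that from the name alone. A comment on that line, `* resources = [module.mybucket.kms_key_id] # output is the key ARN, as the resource element requires`, would stop someone substituting a bare key id taken from another module. The same applies to the other four copies of the sample in this commit.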