diff --git a/standard/README.md b/standard/README.md index d9df85e..0d9689c 100644 --- a/standard/README.md +++ b/standard/README.md @@ -19,6 +19,7 @@ module "my-bucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.my-policy.json # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json + # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json # name_include_account = true # name_include_region = true # name_include_region_compact = true @@ -124,6 +125,7 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | | [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | ## Modules @@ -151,6 +153,7 @@ No modules. | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs 
@@ -164,7 +167,8 @@ No modules. | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | -| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. 
You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | diff --git a/standard/main.tf b/standard/main.tf index aa99d04..e88605b 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -20,6 +20,7 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.my-policy.json * # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json +* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json * # name_include_account = true * # name_include_region = true * # name_include_region_compact = true diff --git a/title26/README.md b/title26/README.md index b14b132..cf21f26 100644 --- a/title26/README.md +++ b/title26/README.md @@ -20,6 +20,7 @@ module "mybucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.mypolicy.json # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json + # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json # name_include_account = true # name_include_region = true # name_include_region_compact = true @@ -121,6 +122,7 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | | [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | ## Modules @@ -148,6 +150,7 @@ No modules. | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs 
@@ -161,7 +164,8 @@ No modules. | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | -| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | diff --git a/title26/main.tf b/title26/main.tf index 2840f7c..8fe244e 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -21,6 +21,7 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json * # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json +* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json * # name_include_account = true * # name_include_region = true * # name_include_region_compact = true
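Review bot: the usage example added to standard/README.md and the standard/main.tf header, `bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json`, will not work as shown. The input description says the template must contain the literal placeholders `${s3_bucket_arn}`, `${s3_bucket_id}` and `${kms_key_arn}`, but inside an `aws_iam_policy_document` block in HCL `${s3_bucket_arn}` is parsed as Terraform interpolation and fails because there is no such reference. Either document that the placeholder has to be written as `$${s3_bucket_arn}` in HCL so it survives to the rendered JSON, or change the example to a plain template, for instance `bucket_policy_document_template = file("${path.module}/bucket-policy.json.tpl")`.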
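Review bot: the providers table in both READMEs gains `template` with version `n/a`, and the surrounding context still reads "No requirements.", so the module pulls in a new provider with no `required_providers` pin. The hashicorp/template provider is archived and no longer receives releases, which makes an unmaintained component responsible for rendering a bucket policy. At minimum add a `required_providers` entry with a version constraint; better, drop the provider and substitute the three fixed placeholders with the built-in `replace()` function (or `templatefile()` when the template lives in a file), which removes the dependency entirely.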
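Review bot: the new `template_file.policy` data source in the resources table fails to render if the template contains any `${...}` reference that is not supplied in `vars`, and the input description only lists `s3_bucket_arn`, `s3_bucket_id` and `kms_key_arn`. Bucket policies commonly use IAM policy variables such as `${aws:username}` or `${aws:PrincipalTag/...}` in `Condition` blocks, so a user following this README will get a render error unless those are escaped as `$${aws:username}`. Document the escape in the `bucket_policy_document_template` description.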
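Review bot: in the inputs hunk, "inject the S3 Bucket ARN into a policy without a loop" should say "without a dependency cycle", since the problem being solved is that a caller-supplied policy cannot reference the bucket ARN the module itself creates. The description should also state what happens when both `bucket_policy_document` and `bucket_policy_document_template` are set (merged, or one takes precedence), and the defaults are inconsistent (`""` for the document, `null` for the template), which the module code has to treat as equivalent "not set" values. While touching this table, the unchanged context line still has the typo "AWS documenation".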
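Review bot: the title26/README.md and title26/main.tf examples use the hyphenated name `my-bucketpolicy-template`, while the neighbouring lines in those files use `mypolicy` and `mybucketpolicy` without hyphens; this looks copied from the standard module. Use `mybucketpolicytemplate` there so the example names stay consistent within each module.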
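Review bot: this diff only changes README.md files and the comment headers of main.tf. No `variable "bucket_policy_document_template"` declaration and no `data "template_file" "policy"` block appear in the hunks, so confirm the implementation is part of the same change set; otherwise the documentation describes an input and a data source the module does not yet have.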