Merge pull request #36 from terraform-modules/add-bucket-policy-template
add variable bucket_policy_document_template to use the bucket arn within the policy within the module to avoid loops
badra001 committed Feb 28, 2022
2 parents c5d84ef + 4ea0451 commit 918df06
Showing 8 changed files with 41 additions and 7 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -62,3 +62,9 @@ Provides standard and t26 S3 bucket construction.
- name_include_account
- name_include_region_compact
- name_enforce_region_compact

* 2.4.3 -- 2022-02-28
- add variable bucket_policy_document_template to use the bucket arn within the policy within the module to avoid loops
- ${s3_bucket_arn} in the template to get replaced with the created s3 bucket ARN
- ${s3_bucket_id} in the template to get replaced with the created s3 bucket ID
- ${kms_key_arn} in the template to get replaced with the provided or created KMS Key ARN
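Review bot: the 2.4.3 entry omits that this version introduces a new provider dependency: `template_file.policy` comes from the hashicorp/template provider, and the README provider tables in this same commit gain a `template` row. That provider is archived and ships no builds for newer platforms, so consumers pinning providers or running on Apple Silicon need to know before they upgrade; add a line such as `- requires the hashicorp/template provider (new dependency)` to the entry.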
18 changes: 15 additions & 3 deletions common/resources.tf
Expand Up @@ -205,10 +205,11 @@ resource "aws_s3_bucket_object" "this_objects" {
}

data "aws_iam_policy_document" "bucket_policy_combined" {
source_policy_documents = [
source_policy_documents = compact([
data.aws_iam_policy_document.this.json,
local.bucket_policy_document
]
local.bucket_policy_document,
var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? data.template_file.policy[0].rendered : ""
])
}

#---
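Review bot: the guard `var.bucket_policy_document_template != null && var.bucket_policy_document_template != ""` is written out twice, here and again in the `count` of `data.template_file.policy`; if the two expressions ever diverge, the `data.template_file.policy[0]` index fails at plan time with an invalid-index error. Hoist it into one local, e.g. `use_policy_template = var.bucket_policy_document_template != null && var.bucket_policy_document_template != ""`, and reference `local.use_policy_template` in both places. Wrapping the list in `compact([...])` also filters the empty-string default of `local.bucket_policy_document`, so an empty document never reaches `source_policy_documents`; a one-line comment saying that is the intent would help the next reader.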
@@ -230,3 +231,14 @@ resource "null_resource" "name_too_long" {
command = "echo 'The resultant name ${local.b_bucket_name} > 63, shortening to ${local.bucket_name}'"
}
}


data "template_file" "policy" {
count = var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? 1 : 0
template = var.bucket_policy_document_template
vars = {
s3_bucket_arn = aws_s3_bucket.this.arn
s3_bucket_id = aws_s3_bucket.this.id
kms_key_arn = local.kms_key_arn
}
}
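Review bot: `data "template_file"` pulls in the hashicorp/template provider, which is archived and has no builds for newer platforms (Apple Silicon among them), so every consumer of this module must now be able to install it. Because the input here is a string rather than a file path, `templatefile()` is not a drop-in, but the three substitutions need no provider at all: the built-in `replace()` does the same job, e.g. `replace(replace(replace(var.bucket_policy_document_template, "$${s3_bucket_arn}", aws_s3_bucket.this.arn), "$${s3_bucket_id}", aws_s3_bucket.this.id), "$${kms_key_arn}", local.kms_key_arn)` in a local, with the same `count`-style guard. Separately, `vars` values must be strings: if `local.kms_key_arn` can be null for a bucket without a KMS key, pass `local.kms_key_arn == null ? "" : local.kms_key_arn` so a null never reaches the render.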
8 changes: 7 additions & 1 deletion common/variables.s3.tf
@@ -10,11 +10,17 @@ variable "bucket_folders" {
}

variable "bucket_policy_document" {
description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default"
description = "IAM Policy document describing additional policy to be attached to the bucket beyond the default"
type = string
default = ""
}

variable "bucket_policy_document_template" {
description = "IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with $${s3_bucket_arn} where you need it to be in a resource. This also supports $${s3_bucket_id} and $${kms_key_arn}"
type = string
default = null
}

variable "metadata_tags" {
description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created."
type = map(string)
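Review bot: the description's `$${s3_bucket_arn}` is HCL escaping and is shown to users as `${s3_bucket_arn}`, but it does not say how to get that literal into the template, which is where callers will trip: a caller writing the template as an HCL string or heredoc must write `$${s3_bucket_arn}` themselves (otherwise Terraform tries to resolve `s3_bucket_arn` and fails), while a caller passing `data.aws_iam_policy_document.*.json` puts `"$${s3_bucket_arn}/*"` in its `resources` list, which encodes to the literal `${s3_bucket_arn}/*` in the JSON. Spell both cases out in the description. A `validation` block that rejects a template containing none of the three placeholders, e.g. `condition = var.bucket_policy_document_template == null || can(regex("\\$\\{(s3_bucket_arn|s3_bucket_id|kms_key_arn)\\}", var.bucket_policy_document_template))`, would also catch the case where `bucket_policy_document` was meant instead.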
2 changes: 1 addition & 1 deletion common/version.tf
@@ -1,3 +1,3 @@
locals {
_module_version = "2.4.2"
_module_version = "2.4.3"
}
6 changes: 5 additions & 1 deletion standard/README.md
@@ -19,6 +19,7 @@ module "my-bucket" {
## optional
# kms_policy_document = data.aws_iam_policy_document.my-policy.json
# bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
# bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
# name_include_account = true
# name_include_region = true
# name_include_region_compact = true
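Review bot: the example shows the new argument but not what `my-bucketpolicy-template` has to contain, which is the non-obvious part. A short addition beside it, such as an `aws_iam_policy_document` statement with `resources = ["$${s3_bucket_arn}/*"]`, would show that the placeholder goes into `resources` as an escaped literal and is filled in by the module once the bucket exists; without that, readers will reference the module's own bucket output and hit the loop this variable was added to avoid.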
@@ -124,6 +125,7 @@ No requirements.
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
| <a name="provider_null"></a> [null](#provider\_null) | n/a |
| <a name="provider_template"></a> [template](#provider\_template) | n/a |

## Modules

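Review bot: the new `template` row shows `n/a` for the version, like `aws` and `null` above it; since this change is what introduces the dependency, add a `required_providers` entry with a constraint for it (e.g. `template = { source = "hashicorp/template", version = "~> 2.2" }`) so terraform-docs renders a version here and consumers' lock files pin a known release.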
@@ -151,6 +153,7 @@ No modules.
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

## Inputs

@@ -164,7 +167,8 @@ No modules.
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
| <a name="input_bucket_owner"></a> [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no |
| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no |
| <a name="input_bucket_policy_document_template"></a> [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no |
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
| <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
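Review bot: in the generated row the placeholders come out as `${s3\_bucket\_arn}`, `${s3\_bucket\_id}` and `${kms\_key\_arn}`, which in a Markdown table reads like Terraform interpolation rather than a literal the caller must write. Wrapping each placeholder in backticks in the variable description makes them render as code here, and the same description change flows into `title26/README.md` on the next terraform-docs run.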
1 change: 1 addition & 0 deletions standard/main.tf
@@ -20,6 +20,7 @@
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
* # name_include_account = true
* # name_include_region = true
* # name_include_region_compact = true
6 changes: 5 additions & 1 deletion title26/README.md
@@ -20,6 +20,7 @@ module "mybucket" {
## optional
# kms_policy_document = data.aws_iam_policy_document.mypolicy.json
# bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
# bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
# name_include_account = true
# name_include_region = true
# name_include_region_compact = true
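Review bot: the new example line breaks this file's naming: the surrounding lines use `mypolicy` and `mybucketpolicy` without hyphens, while the added line reads `my-bucketpolicy-template`, copied from `standard/README.md`. Use `mybucketpolicy-template` (or whatever matches the existing names) here and in the identical comment block in `title26/main.tf`, which has the same mismatch. The comments on the `standard/README.md` hunks (showing the template document, pinning the `template` provider, and rendering the placeholders as code) apply to this file unchanged.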
@@ -121,6 +122,7 @@ No requirements.
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
| <a name="provider_null"></a> [null](#provider\_null) | n/a |
| <a name="provider_template"></a> [template](#provider\_template) | n/a |

## Modules

@@ -148,6 +150,7 @@ No modules.
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

## Inputs

@@ -161,7 +164,8 @@ No modules.
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
| <a name="input_bucket_owner"></a> [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no |
| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no |
| <a name="input_bucket_policy_document_template"></a> [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no |
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br> "title26"<br>]</pre> | no |
| <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
1 change: 1 addition & 0 deletions title26/main.tf
@@ -21,6 +21,7 @@
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
* # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
* # name_include_account = true
* # name_include_region = true
* # name_include_region_compact = true
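Review bot: same naming mismatch as in `title26/README.md`: `mypolicy` and `mybucketpolicy` on the lines above have no hyphens, but the new line uses `my-bucketpolicy-template`; keep the two copies of this comment block in sync when fixing it.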
