diff --git a/CHANGELOG.md b/CHANGELOG.md index c403655..45625e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,3 +62,9 @@ Provides standard and t26 S3 bucket construction. - name_include_account - name_include_region_compact - name_enforce_region_compact + +* 2.4.3 -- 2022-02-28 + - add variable bucket_policy_document_template to use the bucket arn within the policy within the module to avoid loops + - ${s3_bucket_arn} in the template to get replaced with the created s3 bucket ARN + - ${s3_bucket_id} in the template to get replaced with the created s3 bucket ID + - ${kms_key_arn} in the template to get replaced with the provided or created KMS Key ARN diff --git a/common/resources.tf b/common/resources.tf index e13ce93..ceeafd6 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -205,10 +205,11 @@ resource "aws_s3_bucket_object" "this_objects" { } data "aws_iam_policy_document" "bucket_policy_combined" { - source_policy_documents = [ + source_policy_documents = compact([ data.aws_iam_policy_document.this.json, - local.bucket_policy_document - ] + local.bucket_policy_document, + var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? data.template_file.policy[0].rendered : "" + ]) } #--- @@ -230,3 +231,14 @@ resource "null_resource" "name_too_long" { command = "echo 'The resultant name ${local.b_bucket_name} > 63, shortening to ${local.bucket_name}'" } } + + +data "template_file" "policy" { + count = var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? 1 : 0 + template = var.bucket_policy_document_template + vars = { + s3_bucket_arn = aws_s3_bucket.this.arn + s3_bucket_id = aws_s3_bucket.this.id + kms_key_arn = local.kms_key_arn + } +} diff --git a/common/variables.s3.tf b/common/variables.s3.tf index 6e243ad..90e548b 100644 --- a/common/variables.s3.tf +++ b/common/variables.s3.tf 
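Review bot: Rendering the caller's policy through `data "template_file" "policy"` means every `${...}` in the supplied JSON is parsed by Terraform's template engine, so a bucket policy that uses an IAM policy variable such as `${aws:username}` or `${aws:PrincipalTag/team}` fails to render unless the caller remembers to write it as `$${aws:username}`, and the new data source in the second hunk gives no protection against that. A chain of `replace()` calls touches only the three documented placeholders, leaves IAM policy variables and `%{` sequences alone, and drops the dependency on the hashicorp/template provider, which is deprecated upstream in favour of the built-in templatefile()/templatestring(). It also lets the `compact([...])` in the first hunk take a plain local instead of the repeated null-and-empty check, since the local is already `""` when no template is supplied. With either approach the rendered document depends on `aws_s3_bucket.this.arn`, so on the first plan the combined bucket policy will presumably show as known after apply; that is inherent to the feature but worth a comment next to the data source.
```hcl
# … unchanged: aws_s3_bucket_object.this_objects …

locals {
  # Plain placeholder substitution: nothing else in the caller's JSON is interpreted,
  # so IAM policy variables such as ${aws:username} pass through untouched.
  bucket_policy_rendered = var.bucket_policy_document_template == null ? "" : replace(
    replace(
      replace(var.bucket_policy_document_template, "$${s3_bucket_arn}", aws_s3_bucket.this.arn),
      "$${s3_bucket_id}", aws_s3_bucket.this.id
    ),
    "$${kms_key_arn}", local.kms_key_arn
  )
}

data "aws_iam_policy_document" "bucket_policy_combined" {
  source_policy_documents = compact([
    data.aws_iam_policy_document.this.json,
    local.bucket_policy_document,
    local.bucket_policy_rendered
  ])
}

# … unchanged: null_resource.name_too_long …  (data "template_file" "policy" is no longer needed)
```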
@@ -10,11 +10,17 @@ variable "bucket_folders" { } variable "bucket_policy_document" { - description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default" + description = "IAM Policy document describing additional policy to be attached to the bucket beyond the default" type = string default = "" } +variable "bucket_policy_document_template" { + description = "IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with $${s3_bucket_arn} where you need it to be in a resource. This also supports $${s3_bucket_id} and $${kms_key_arn}" + type = string + default = null +} + variable "metadata_tags" { description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created." type = map(string) diff --git a/common/version.tf b/common/version.tf index 930d737..31e4b38 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.4.2" + _module_version = "2.4.3" } diff --git a/standard/README.md b/standard/README.md index d9df85e..0d9689c 100644 --- a/standard/README.md +++ b/standard/README.md @@ -19,6 +19,7 @@ module "my-bucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.my-policy.json # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json + # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json # name_include_account = true # name_include_region = true # name_include_region_compact = true @@ -124,6 +125,7 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | | [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | ## Modules 
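Review bot: The description of `bucket_policy_document_template` does not tell the caller that, as implemented in common/resources.tf, the whole document is passed through Terraform's template engine, so any IAM policy variable in the policy (`${aws:username}`, `${aws:PrincipalTag/...}`, `${s3:prefix}`) and any literal `%{` must be escaped as `$${...}` / `%%{` or rendering fails; I would add a sentence such as `Any other ${...} or %{ sequence in the document is interpreted by Terraform and must be escaped as $${...} / %%{.` Since the value is expected to be a JSON policy document with placeholders only inside string values, a validation block would catch malformed input at plan time instead of at the bucket-policy API call, e.g. `condition = var.bucket_policy_document_template == null || can(jsondecode(var.bucket_policy_document_template))` (assuming the module targets Terraform 0.13 or later, where variable validation is available). It would also help to state that `null` or an empty string disables the feature, which is what the condition in resources.tf checks.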
@@ -151,6 +153,7 @@ No modules. | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs 
@@ -164,7 +167,8 @@ No modules. | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | -| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. 
You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | diff --git a/standard/main.tf b/standard/main.tf index aa99d04..e88605b 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -20,6 +20,7 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.my-policy.json * # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json +* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json * # name_include_account = true * # name_include_region = true * # name_include_region_compact = true diff --git a/title26/README.md b/title26/README.md index b14b132..cf21f26 100644 --- a/title26/README.md +++ b/title26/README.md @@ -20,6 +20,7 @@ module "mybucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.mypolicy.json # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json + # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json # name_include_account = true # name_include_region = true # name_include_region_compact = true @@ -121,6 +122,7 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | | [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | ## Modules @@ -148,6 +150,7 @@ No modules. | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs 
@@ -161,7 +164,8 @@ No modules. | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | -| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[| no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | diff --git a/title26/main.tf b/title26/main.tf index 2840f7c..8fe244e 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -21,6 +21,7 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json * # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json +* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json * # name_include_account = true * # name_include_region = true * # name_include_region_compact = true
"title26"
]