add bucket_policy_document_template

terraform-modules · Feb 28, 2022 · 9dad744 · 9dad744
1 parent c5d84ef
commit 9dad744
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -62,3 +62,9 @@ Provides standard and t26 S3 bucket construction.
     - name_include_account
     - name_include_region_compact
     - name_enforce_region_compact
+
+* 2.4.3 -- 2022-02-28
+  - add variable bucket_policy_document_template to use the bucket arn within the policy within the module to avoid loops
+    - ${s3_bucket_arn} in the template to get replaced with the created s3 bucket ARN
+    - ${s3_bucket_id} in the template to get replaced with the created s3 bucket ID
+    - ${kms_key_arn} in the template to get replaced with the provided or created KMS Key ARN
diff --git a/common/resources.tf b/common/resources.tf
@@ -205,10 +205,11 @@ resource "aws_s3_bucket_object" "this_objects" {
 }
 
 data "aws_iam_policy_document" "bucket_policy_combined" {
-  source_policy_documents = [
+  source_policy_documents = compact([
     data.aws_iam_policy_document.this.json,
-    local.bucket_policy_document
-  ]
+    local.bucket_policy_document,
+    var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? data.template_file.policy[0].rendered : ""
+  ])
 }
 
 #---
@@ -230,3 +231,14 @@ resource "null_resource" "name_too_long" {
     command = "echo 'The resultant name ${local.b_bucket_name} > 63, shortening to ${local.bucket_name}'"
   }
 }
+
+
+data "template_file" "policy" {
+  count    = var.bucket_policy_document_template != null && var.bucket_policy_document_template != "" ? 1 : 0
+  template = var.bucket_policy_document_template
+  vars = {
+    s3_bucket_arn = aws_s3_bucket.this.arn
+    s3_bucket_id  = aws_s3_bucket.this.id
+    kms_key_arn   = local.kms_key_arn
+  }
+}
diff --git a/common/variables.s3.tf b/common/variables.s3.tf
@@ -10,11 +10,17 @@ variable "bucket_folders" {
 }
 
 variable "bucket_policy_document" {
-  description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default"
+  description = "IAM Policy document describing additional policy to be attached to the bucket beyond the default"
   type        = string
   default     = ""
 }
 
+variable "bucket_policy_document_template" {
+  description = "IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3_bucket_arn} where you need it to be in a resource. This also supports ${s3_bucket_id} and ${kms_key_arn}"
+  type        = string
+  default     = null
+}
+
 variable "metadata_tags" {
   description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data_safeguard labels are applied, they will be incorporated on any bucket objects created."
   type        = map(string)

diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.2"
+  _module_version = "2.4.3"
 }