fix s3 bucket permission to not output statement with deny if no IP a…

…nd VPCE provided
terraform-modules · Nov 4, 2020 · af8c9c3 · af8c9c3
1 parent ffea9e0
commit af8c9c3
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,3 +9,6 @@
   - update tags
   - add outputs
   - add version
+
+* v1.2 -- 20201104
+  - fix s3 bucket permission to not output statement with deny if no IP and VPCE provided
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| \_module\_version | Module version number | `string` | `"1.1"` | no |
+| \_module\_version | Module version number | `string` | `"1.2"` | no |
 | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes |
 | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
 | allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no |

diff --git a/main.tf b/main.tf
@@ -127,27 +127,30 @@ data "aws_iam_policy_document" "this" {
       values   = ["false"]
     }
   }
-  statement {
-    sid     = "RemoteAccessBucketRestrictions"
-    effect  = "Deny"
-    actions = ["s3:*"]
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-    resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
-    dynamic "condition" {
-      for_each = local.s3_bucket_conditions
-      iterator = c
-      content {
-        test     = c.value.test
-        variable = c.value.variable
-        values   = c.value.values
+  dynamic "statement" {
+    for_each = length(local.s3_bucket_conditions) > 0 ? toset(["1"]) : toset([])
+    iterator = s
+    content {
+      sid     = "RemoteAccessBucketRestrictions"
+      effect  = "Deny"
+      actions = ["s3:*"]
+      principals {
+        type        = "AWS"
+        identifiers = ["*"]
+      }
+      resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
+      dynamic "condition" {
+        for_each = local.s3_bucket_conditions
+        iterator = c
+        content {
+          test     = c.value.test
+          variable = c.value.variable
+          values   = c.value.values
+        }
       }
     }
   }
 }
-
 #---
 # apply policy to bucket and public access block policy to bucket
 #---

diff --git a/version.tf b/version.tf
@@ -1,5 +1,5 @@
 variable "_module_version" {
   description = "Module version number"
   type        = string
-  default     = "1.1"
+  default     = "1.2"
 }