
fix s3 bucket permission #24

Merged
merged 1 commit into from
Nov 4, 2020
Merged
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,3 +9,6 @@
- update tags
- add outputs
- add version

* v1.2 -- 20201104
- fix s3 bucket permission to not output statement with deny if no IP and VPCE provided
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -25,7 +25,7 @@ No requirements.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| \_module\_version | Module version number | `string` | `"1.1"` | no |
| \_module\_version | Module version number | `string` | `"1.2"` | no |
| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes |
| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no |
37 changes: 20 additions & 17 deletions main.tf
Expand Up @@ -127,27 +127,30 @@ data "aws_iam_policy_document" "this" {
values = ["false"]
}
}
statement {
sid = "RemoteAccessBucketRestrictions"
effect = "Deny"
actions = ["s3:*"]
principals {
type = "AWS"
identifiers = ["*"]
}
resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
dynamic "condition" {
for_each = local.s3_bucket_conditions
iterator = c
content {
test = c.value.test
variable = c.value.variable
values = c.value.values
dynamic "statement" {
for_each = length(local.s3_bucket_conditions) > 0 ? toset(["1"]) : toset([])
iterator = s
content {
sid = "RemoteAccessBucketRestrictions"
effect = "Deny"
actions = ["s3:*"]
principals {
type = "AWS"
identifiers = ["*"]
}
resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
dynamic "condition" {
for_each = local.s3_bucket_conditions
iterator = c
content {
test = c.value.test
variable = c.value.variable
values = c.value.values
}
}
}
}
}

#---
# apply policy to bucket and public access block policy to bucket
#---
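Review bot: The `iterator = s` on the new `dynamic "statement"` block is never referenced inside its `content`, so it can be dropped, and the `toset(["1"]) : toset([])` toggle deserves a comment stating why the statement is conditional, e.g. `# Emit the network-restriction Deny only when at least one condition exists; a Deny on s3:* for principal "*" with no condition would reject every caller.` The same comment, or the README, should also state that when neither allowed CIDRs nor VPC endpoints are configured the policy carries no network-origin restriction at all, so an operator can distinguish an intentionally empty input from a misconfiguration. `local.s3_bucket_conditions` and the enclosing `aws_iam_policy_document` are defined outside the hunk, so how its entries are built and combined cannot be checked here.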
2 changes: 1 addition & 1 deletion version.tf
@@ -1,5 +1,5 @@
variable "_module_version" {
description = "Module version number"
type = string
default = "1.1"
default = "1.2"
}