Merge pull request #4 from lorengordon/feat/external-policy

plus3it · May 2, 2024 · 991b0be · 991b0be
2 parents 55bcbeb + 0624483
commit 991b0be
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 7 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.1
+current_version = 1.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [1.1.0](https://github.com/plus3it/terraform-aws-tardigrade-s3-backend/releasestag/1.1.0)
+
+**Released**:  2024.05.02
+
+**Summary**:
+
+*   Allows user to pass the bucket policy as a variable
+
 ### [1.0.1](https://github.com/plus3it/terraform-aws-tardigrade-s3-backend/releasestag/1.0.1)
 
 **Released**:  2023.01.25

diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_backend_config"></a> [backend\_config](#input\_backend\_config) | Object of S3 backend config | <pre>object({<br>    bucket        = string<br>    force_destroy = optional(bool, true)<br>    versioning    = optional(string, "Enabled")<br>    public_access_block = optional(object({<br>      block_public_acls       = optional(bool, true)<br>      block_public_policy     = optional(bool, true)<br>      ignore_public_acls      = optional(bool, true)<br>      restrict_public_buckets = optional(bool, true)<br>    }), {})<br>    server_side_encryption_configuration = optional(object({<br>      bucket_key_enabled = optional(bool, true)<br>      sse_algorithm      = optional(string, "aws:kms")<br>      kms_master_key_id  = optional(string)<br>    }), {})<br>    dynamodb_table = object({<br>      name                        = string<br>      deletion_protection_enabled = optional(bool, true)<br>      billing_mode                = optional(string, "PAY_PER_REQUEST")<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_backend_config"></a> [backend\_config](#input\_backend\_config) | Object of S3 backend config | <pre>object({<br>    bucket        = string<br>    force_destroy = optional(bool, true)<br>    versioning    = optional(string, "Enabled")<br>    policy = optional(object({<br>      json = string<br>    }))<br>    public_access_block = optional(object({<br>      block_public_acls       = optional(bool, true)<br>      block_public_policy     = optional(bool, true)<br>      ignore_public_acls      = optional(bool, true)<br>      restrict_public_buckets = optional(bool, true)<br>    }), {})<br>    server_side_encryption_configuration = optional(object({<br>      bucket_key_enabled = optional(bool, true)<br>      sse_algorithm      = optional(string, "aws:kms")<br>      kms_master_key_id  = optional(string)<br>    }), {})<br>    dynamodb_table = object({<br>      name                        = string<br>      deletion_protection_enabled = optional(bool, true)<br>      billing_mode                = optional(string, "PAY_PER_REQUEST")<br>    })<br>  })</pre> | n/a | yes |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -6,7 +6,9 @@ module "state_bucket" {
 
   public_access_block = var.backend_config.public_access_block
 
-  policy = {
+  server_side_encryption_configuration = var.backend_config.server_side_encryption_configuration
+
+  policy = var.backend_config.policy != null ? var.backend_config.policy : {
     json = jsonencode({
       "Version" : "2012-10-17",
       "Statement" : [
@@ -51,10 +53,6 @@ module "state_bucket" {
       ]
     })
   }
-
-
-  server_side_encryption_configuration = var.backend_config.server_side_encryption_configuration
-
 }
 
 resource "aws_dynamodb_table" "this" {

diff --git a/tests/.gitkeep b/tests/.gitkeep
diff --git a/tests/create_all/main.tf → tests/test_defaults/main.tf b/tests/create_all/main.tf → tests/test_defaults/main.tf
diff --git a/tests/test_external_policy/main.tf b/tests/test_external_policy/main.tf
@@ -0,0 +1,78 @@
+module "state_bucket" {
+  source = "../../"
+
+  backend_config = {
+    bucket = local.bucket_name
+    policy = local.policy
+
+    dynamodb_table = {
+      name = local.ddb_name
+
+      deletion_protection_enabled = false
+    }
+  }
+}
+
+resource "random_string" "this" {
+  length  = 8
+  upper   = false
+  special = false
+  numeric = false
+}
+
+locals {
+  id = random_string.this.result
+
+  bucket_name = "test-bucket-for-backend-${local.id}"
+  ddb_name    = "test-ddb-for-backend-${local.id}"
+
+  policy = {
+    json = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "MustBeEncryptedInTransit",
+          "Effect" : "Deny",
+          "Principal" : "*",
+          "Action" : "s3:*",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}",
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ],
+          "Condition" : {
+            "Bool" : {
+              "aws:SecureTransport" : "false"
+            }
+          }
+        },
+        {
+          "Sid" : "RootAccess",
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+          },
+          "Action" : "s3:*",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}",
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ]
+        },
+        {
+          "Sid" : "DenyS3DeleteObject",
+          "Action" : [
+            "s3:DeleteObject"
+          ],
+          "Effect" : "Deny",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ],
+          "Principal" : "*"
+        }
+      ]
+    })
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,9 @@ variable "backend_config" {
     bucket        = string
     force_destroy = optional(bool, true)
     versioning    = optional(string, "Enabled")
+    policy = optional(object({
+      json = string
+    }))
     public_access_block = optional(object({
       block_public_acls       = optional(bool, true)
       block_public_policy     = optional(bool, true)