
Adds s3_bucket_writer_role module

New module supporting a role with read-write access to a given s3
bucket.  Also a little bit of supporting plumbing (outputs) in the
salt_master and globally_accessible_bucket modules.

Should be tagged v1.23.9 if I did my math right
Duane Waddle 4 년 전
부모
커밋
93893a1061

+ 4 - 0
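--- a/base/globally_accessible_bucket/outputs.tf
+++ b/base/globally_accessible_bucket/outputs.tf
@@ -1,3 +1,7 @@
 #output "TODO" {
 #  value = TODO
 #}
+
+output arn {
+    value = aws_s3_bucket.bucket.arn
+}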

+ 9 - 0
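--- a/base/s3_bucket_writer_role/README.md
+++ b/base/s3_bucket_writer_role/README.md
@@ -0,0 +1,9 @@
+This role is created separate from account standards even though it is required in all accounts. The role must be created after the salt master instance or the trust policy can't be applied.
+
+PREREQUISITES:
+
+Order gets very important in this module, unfortunately. The following sequence is required:
+* The salt-master instances must be created in C2 test and C2 prod (in govcloud).
+* This module must be run in commercial C2 prod (The user is created, which is trusted by all others)
+* This module must be run in commercial C2 test (The user is created, which is trusted by the rest of test)
+* Then the module can be run in all the other accounts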

+ 82 - 0
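--- a/base/s3_bucket_writer_role/main.tf
+++ b/base/s3_bucket_writer_role/main.tf
@@ -0,0 +1,82 @@
+resource "aws_iam_role" "this" {
+  name = var.name
+  path  = "/service/"
+  force_detach_policies = true # causes "DeleteConflict" if not present
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": ${jsonencode(var.trusted_arns)}
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role = aws_iam_role.this.name
+  policy_arn = aws_iam_policy.this.arn
+}
+
+resource "aws_iam_policy" "this" {
+  name  = var.name
+  path  = "/service/"
+  description = var.description
+  policy = data.aws_iam_policy_document.policy.json
+}
+
+data "aws_iam_policy_document" "policy" {
+  statement {
+    sid       = "ReadTheBucket"
+    effect    = "Allow"
+    resources = [
+      var.bucket
+    ]
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListBucketVersions",
+    ]
+  }
+
+  statement {
+    sid       = "ModifyBucketObjects"
+    effect    = "Allow"
+    resources = [
+      "${var.bucket}/*"
+    ]
+
+    actions = [
+      "s3:GetObject",
+      "s3:DeleteObject",
+      "s3:AbortMultipartUpload",
+      "s3:ListMultipartUploadParts",
+    ]
+  }
+
+  statement {
+    sid       = "RequireWritesToGiveBucketOwnerControl"
+    effect    = "Allow"
+    resources = [
+      "${var.bucket}/*"
+    ]
+
+    actions   = [
+      "s3:PutObject"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+}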
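Review bot: The trust policy built from `"AWS": ${jsonencode(var.trusted_arns)}` grants sts:AssumeRole to every listed principal with no condition, and because the README describes cross-account trust on role ARNs, a trusted role that is deleted and recreated silently stops matching (IAM rewrites a vanished principal ARN to its unique ID), so the block deserves a warning such as `# Cross-account trust on role ARNs: if a trusted role is recreated, re-apply this module or the trust breaks.` The `ModifyBucketObjects` statement grants `s3:GetObject` and `s3:DeleteObject` but not `s3:GetObjectVersion`, while `ReadTheBucket` grants `s3:ListBucketVersions`, so a caller can enumerate versions it cannot read; either add `"s3:GetObjectVersion",` to the object statement or drop the version-listing permission. Neither `aws_iam_role.this` nor `aws_iam_policy.this` sets `tags`, although vars.tf declares `tags` and `standard_tags` for this module; `tags = merge(var.standard_tags, var.tags)` on the role (and on the policy if the provider version in use supports it) would apply them. The heredoc trust policy could also be an `aws_iam_policy_document` data source like the permissions policy below it, which would keep both documents in one style and let Terraform validate the JSON shape.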

+ 15 - 0
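--- a/base/s3_bucket_writer_role/vars.tf
+++ b/base/s3_bucket_writer_role/vars.tf
@@ -0,0 +1,15 @@
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map
+  default     = { }
+}
+variable "standard_tags" { type = map }
+variable "environment" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
+variable "aws_account_id" { type = string }
+
+variable "name" { type = string }
+variable "trusted_arns" { type = list(string) }
+variable "description" { type = string }
+variable "bucket" { type = string }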
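Review bot: `variable "bucket"` is consumed as an ARN in main.tf (`resources = [var.bucket]` and `"${var.bucket}/*"`) but carries no description or validation, so a caller that passes a bucket name instead gets a malformed-policy failure only at apply time; version.tf pins `~> 0.13`, where `validation` blocks are available, so the ARN shape can be checked at plan. `trusted_arns` likewise accepts an empty list, which renders `"AWS": []` in the trust policy and is likely to be rejected by IAM rather than by Terraform. `environment`, `aws_partition`, `aws_partition_alias` and `aws_account_id` are declared but referenced nowhere in main.tf — presumably a shared module interface, but a one-line comment saying so would save the next reader a search.
```hcl
# … unchanged: tags, standard_tags, environment, aws_partition, aws_partition_alias, aws_account_id …

variable "name" { type = string }

variable "trusted_arns" {
  description = "IAM principal ARNs allowed to sts:AssumeRole into this role"
  type        = list(string)
  validation {
    condition     = length(var.trusted_arns) > 0
    error_message = "At least one trusted principal ARN is required."
  }
}

variable "description" { type = string }

variable "bucket" {
  description = "ARN (not name) of the S3 bucket this role may read and write"
  type        = string
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:s3:::", var.bucket))
    error_message = "The bucket variable must be an S3 bucket ARN, for example arn:aws:s3:::my-bucket."
  }
}
```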

+ 3 - 0
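--- a/base/s3_bucket_writer_role/version.tf
+++ b/base/s3_bucket_writer_role/version.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 0.13"
+}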

+ 4 - 0
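--- a/base/salt_master/outputs.tf
+++ b/base/salt_master/outputs.tf
@@ -9,3 +9,7 @@ output instance_public_ip {
 output instance_private_ip {
   value = aws_instance.instance.private_ip
 }
+
+output role_arn {
+  value = aws_iam_role.salt_master_instance_role.arn
+}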