@@ -1,6 +1,8 @@
locals {
# Technically, we don't need these in ARN format, but it makes updates slightly clearer
- accounts = [ for a in var.account_list: "arn:${var.aws_partition}:iam::${a}:root" ]
+ xdr_accounts = [ for a in var.account_list: "arn:${var.aws_partition}:iam::${a}:root" ]
+ extra_accounts = [ for a in var.extra_accounts: "arn:${var.aws_partition}:iam::${a}:root" ]
+ accounts = concat(local.xdr_accounts, local.extra_accounts)
}
resource "aws_s3_bucket" "bucket" {
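Review bot: The new `accounts` list on the `concat(...)` line can contain the same root ARN twice if an account id appears in both `var.account_list` and `var.extra_accounts`, which shows up as a duplicate principal in the generated bucket policy; `accounts = distinct(concat(local.xdr_accounts, local.extra_accounts))` avoids that with no change in effect. The declaration of `var.extra_accounts` is outside this hunk, so I cannot see whether it defaults to `[]`; the `for` expression on the `extra_accounts` line will fail on a null value, so a list default is presumably needed. A short comment would help the next reader see the security consequence of the concat, e.g. `# Every account in either list gets the same bucket-wide read access (GetObject/ListBucket) via the bucket policy below.`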
@@ -49,30 +51,30 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
restrict_public_buckets = true
}
-resource "aws_s3_bucket_policy" "policy" {
- bucket = aws_s3_bucket.bucket.id
+data "aws_iam_policy_document" "s3" {
+ statement {
+ sid = "AccountAllow"
+ effect = "Allow"
+
+ resources = [
+ "${aws_s3_bucket.bucket.arn}",
+ "${aws_s3_bucket.bucket.arn}/*",
+ ]
- policy = <<POLICY
-{
- "Version": "2012-10-17",
- "Id": "AllowAllAccounts",
- "Statement": [
- {
- "Sid": "AccountAllow",
- "Effect": "Allow",
- "Principal": {
- "AWS": ${jsonencode(local.accounts)}
- },
- "Action": [
- "s3:GetObject",
- "s3:ListBucket"
- ],
- "Resource": [
- "${aws_s3_bucket.bucket.arn}",
- "${aws_s3_bucket.bucket.arn}/*"
- ]
+ actions = [
+ "s3:GetObject",
+ "s3:ListBucket",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = local.accounts
}
- ]
+ }
}
-POLICY
+
+resource "aws_s3_bucket_policy" "policy" {
+ bucket = aws_s3_bucket.bucket.id
+
+ policy = data.aws_iam_policy_document.s3.json
}
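Review bot: The removed heredoc carried `"Id": "AllowAllAccounts"`, and the new `aws_iam_policy_document` block sets no equivalent, so the rendered policy loses its Id and the first apply will show a policy diff beyond the intended refactor; if the Id is worth keeping, add `policy_id = "AllowAllAccounts"` at the top of the data block. The `resources` entries wrap the bucket ARN in `"${...}"`, which is the legacy interpolation-only form; `aws_s3_bucket.bucket.arn` and `"${aws_s3_bucket.bucket.arn}/*"` read more cleanly. Since the statement lists both bucket-level (`s3:ListBucket`) and object-level (`s3:GetObject`) actions against both ARNs, a one-line comment such as `# ListBucket applies to the bucket ARN, GetObject to the /* object ARN; one statement keeps the document short` would save a reviewer from wondering whether the pairing is a mistake.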