Allow multiple path_prefixes and update documentation

abeluck · abeluck · commit 52e56253a48b · 2023-08-11T07:59:44.000Z
diff --git a/README.yaml b/README.yaml
@@ -79,9 +79,15 @@ usage: |-
     dns_alias_enabled = true
     parent_zone_name  = "cloudposse.com"
 
-    deployment_principal_arns = {
-      "arn:aws:iam::123456789012:role/principal1" = ["prefix1/", "prefix2/"]
-      "arn:aws:iam::123456789012:role/principal2" = [""]
+    deployment_principals = {
+      "principal1": {
+        "arn": "arn:aws:iam::123456789012:role/principal1"
+        "path_prefixes": ["prefix1/", "prefix2/"]
+      },
+      "principal2": {
+        "arn": "arn:aws:iam::123456789012:role/principal2"
+        "path_prefixes": [""]
+      }
     }
   }
   ```
diff --git a/deprecated.tf b/deprecated.tf
@@ -18,5 +18,4 @@ locals {
 
   # New variables, but declare them here for consistency
   cloudfront_access_log_create_bucket = var.cloudfront_access_log_create_bucket
-}
-
+}
diff --git a/variables.tf b/variables.tf
@@ -481,18 +481,19 @@ variable "versioning_enabled" {
 }
 
 variable "deployment_principals" {
-  type        = map(object({ path_prefix = string, arn = string }))
+  type        = map(object({ path_prefix = list(string), arn = string }))
   default     = {}
   description = <<-EOT
-    (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
+    (Optional) Map of objects that define the IAM Principal's to grant `deployment_actions` permissions. Each object in the map should have an IAM Principal ARN and a list of S3 path
+    prefixes to scope that principal's actions in the bucket.
     Resource list will include the bucket itself along with all the prefixes. Prefixes should not begin with '/'.
     EOT
 }
 
 variable "deployment_actions" {
   type        = list(string)
   default     = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
-  description = "List of actions to permit `deployment_principal_arns` to perform on bucket and bucket prefixes (see `deployment_principal_arns`)"
+  description = "List of actions to permit `deployment_principals` to perform on bucket and bucket prefixes (see `deployment_principals`)"
 }
 
 variable "cloudfront_origin_access_identity_iam_arn" {
