Adds concept of additional bucket policies (#17)

* Add concept of additional bucket policies

* Make linter happy maybe

* Update README

* Fix conditional

Co-Authored-By: Andriy Knysh <[email protected]>

* Fix description

Co-Authored-By: Andriy Knysh <[email protected]>

* Update README

* Conditionally create the aggregate policy as well

* Line up some white space, terraform fmt

* Revert aggregated_policy count conditional as not-supported

Co-authored-by: Andriy Knysh <[email protected]>

Author: asiegman

README.md

@@ -85,6 +85,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `<list>` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |

docs/terraform.md

@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no |
+| additional_bucket_policies | Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy | list | `<list>` | no |
 | allow_encrypted_uploads_only | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | string | `false` | no |
 | allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |

main.tf

@@ -87,9 +87,14 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
+module "aggregated_policy" {
+  source           = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.1.2"
+  source_documents = "${flatten(list(data.aws_iam_policy_document.bucket_policy.*.json, var.additional_bucket_policies))}"
+}
+
 resource "aws_s3_bucket_policy" "default" {
-  count  = "${var.enabled == "true" && var.allow_encrypted_uploads_only == "true" ? 1 : 0}"
-  bucket = "${join("", aws_s3_bucket.default.*.id)}"
+  count = "${var.enabled == "true" && (var.allow_encrypted_uploads_only == "true" || length(var.additional_bucket_policies) > 0) ? 1 : 0}"
 
-  policy = "${join("", data.aws_iam_policy_document.bucket_policy.*.json)}"
+  bucket = "${join("", aws_s3_bucket.default.*.id)}"
+  policy = "${module.aggregated_policy.result_document}"
 }

variables.tf

@@ -96,3 +96,9 @@ variable "allow_encrypted_uploads_only" {
   default     = "false"
   description = "Set to `true` to prevent uploads of unencrypted objects to S3 bucket"
 }
+
+variable "additional_bucket_policies" {
+  type        = "list"
+  default     = []
+  description = "Set this to a list of strings containing valid JSON policy statements if you want to add arbitrary additions to the bucket policy"
+}