From 2d303e912c5fb6e08f567b8e8894bae5ac667c2d Mon Sep 17 00:00:00 2001
From: David Lundgren
Date: Thu, 2 Jul 2020 17:23:07 -0500
Subject: [PATCH] Allow to set AWS ARN for S3 bucket policies (#22)

* Allow to set AWS ARN for S3 bucket policies
* terraform-aws-s3-log-storage doesn't need arn_format
* Updated README.md
* Updated README.md

Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>
Co-authored-by: PePe Amengual
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 4 ++--
 variables.tf | 6 ++++++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c3bc1c0..b342e23 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,7 @@ Available targets:
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
 | access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
+| arn\_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | `string` | `"arn:aws"` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
 | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index e43f68a..1281bc1 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -20,6 +20,7 @@ | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no | | access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no | +| arn\_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | `string` | `"arn:aws"` | no | | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no | | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no | diff --git a/main.tf b/main.tf index 1897177..61add61 100644 --- a/main.tf +++ b/main.tf @@ -26,7 +26,7 @@ data "aws_iam_policy_document" "default" { ] resources = [ - "arn:aws:s3:::${module.label.id}", + "${var.arn_format}:s3:::${module.label.id}", ] } @@ -43,7 +43,7 @@ data "aws_iam_policy_document" "default" { ] resources = [ - "arn:aws:s3:::${module.label.id}/*", + "${var.arn_format}:s3:::${module.label.id}/*", ] condition { diff --git a/variables.tf b/variables.tf index cb0bf9c..6682086 100644 --- a/variables.tf +++ b/variables.tf @@ -76,6 +76,12 @@ variable "region" { default = "" } +variable "arn_format" { + type = string + default = "arn:aws" + description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions." +} + variable "force_destroy" { type = bool description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
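Review bot: The partition prefix spliced into the bucket ARN on the new `resources` line is whatever the caller passes as `var.arn_format`, and nothing in the module ties it to the partition the bucket is actually created in, so a GovCloud or China deployment that forgets to set the variable (or sets it in only one of two places) produces a bucket policy whose Resource names a bucket in the wrong partition. As far as I can tell S3 rejects such a policy at apply time as an invalid resource, so the failure is noisy rather than silent, but it is avoidable: the provider already knows the partition, so adding `data "aws_partition" "current" {}` at top level and writing `"arn:${data.aws_partition.current.partition}:s3:::${module.label.id}"` (and the same for the `/*` resource in the second hunk) removes the operator-supplied input from the policy entirely; `var.arn_format` could stay as an optional override for backward compatibility. The enclosing `data "aws_iam_policy_document" "default"` block starts before this hunk.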
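Review bot: The new `arn_format` variable is interpolated straight into an IAM policy document with no constraint on its shape, and its description ("ARN format to be used") does not say that it is only the partition prefix, so a caller can pass a full ARN or a typo'd partition and only find out from an apply-time error. If the module's minimum Terraform version permits (`validation` blocks are experimental in 0.12.20+ and stable from 0.13), I would pin the value to a partition prefix and spell out the accepted examples in the description; the rewritten variable below keeps the name, type and default unchanged.
```hcl
variable "arn_format" {
  type        = string
  default     = "arn:aws"
  description = "ARN partition prefix used when building the bucket ARNs in the policy (e.g. `arn:aws`, `arn:aws-us-gov`, `arn:aws-cn`). Must match the partition the bucket is created in."

  validation {
    condition     = can(regex("^arn:aws(-[a-z]+)*$", var.arn_format))
    error_message = "The arn_format value must be an ARN partition prefix such as arn:aws, arn:aws-us-gov or arn:aws-cn."
  }
}
```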