From bf31c4966ed57734f62ec25ca857e368372bb0bb Mon Sep 17 00:00:00 2001
From: Peter Lohmann
Date: Mon, 16 Dec 2019 14:38:55 +0100
Subject: [PATCH 1/2] :wrench: Correct git file mode of outputs.tf

---
 outputs.tf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 outputs.tf

diff --git a/outputs.tf b/outputs.tf
old mode 100755
new mode 100644

From 3cce33afed3df1f6a3315529cfc513b464a6ad6a Mon Sep 17 00:00:00 2001
From: Peter Lohmann
Date: Mon, 16 Dec 2019 14:38:06 +0100
Subject: [PATCH 2/2] :star: cross account reads: Optionally limit to a read_prefix

---
 main.tf | 26 +++++++++++++++++---------
 variables.tf | 6 ++++++
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/main.tf b/main.tf
index 0c0e19c..67847a5 100644
--- a/main.tf
+++ b/main.tf
@@ -63,15 +63,23 @@ data "aws_iam_policy_document" "bucket_policy_read" {
 count = local.enable_read_accounts ? 1 : 0
 
 statement {
-sid = "AllowCrossAccountRead"
-resources = [
-local.bucket_arn,
-"${local.bucket_arn}/*",
-]
-actions = [
-"s3:Get*",
-"s3:List*",
-]
+sid = "AllowCrossAccountList"
+resources = [local.bucket_arn]
+actions = ["s3:List*"]
+principals {
+type = "AWS"
+identifiers = var.read_accounts
+}
+condition {
+test = "StringLike"
+variable = "s3:prefix"
+values = ["${var.read_prefix}*"]
+}
+}
+statement {
+sid = "AllowCrossAccountGet"
+resources = ["${local.bucket_arn}/${var.read_prefix}*",]
+actions = ["s3:Get*"]
 principals {
 type = "AWS"
 identifiers = var.read_accounts
diff --git a/variables.tf b/variables.tf
index e68ed5e..4e457de 100644
--- a/variables.tf
+++ b/variables.tf
@@ -30,6 +30,12 @@ variable "read_accounts" {
 default = []
 }
 
+variable "read_prefix" {
+description = "Prefix of object keys to restrict cross-account reads to"
+type = string
+default = ""
+}
+
 variable "write_accounts" {
 description = "List of other AWS accounts which should get write access to the bucket"
 type = list(string)
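Review bot: The new `s3:prefix` condition (`values = ["${var.read_prefix}*"]`) and the `AllowCrossAccountGet` resource (`"${local.bucket_arn}/${var.read_prefix}*"`) both apply `var.read_prefix` as a bare character prefix, so a value such as `reports` also grants listing and reading of keys under `reports-private/`, and any `*` or `?` inside the value is treated as a wildcard by `StringLike` and by the ARN match; only a value ending in `/` behaves as a key-space boundary. Since the module does not normalise or validate the value, that contract belongs on the variable in the variables.tf hunk, e.g. `description = "Object key prefix to restrict cross-account reads to; matched as a literal string prefix (end it with '/' to scope to a 'folder'). Empty (default) allows reading the whole bucket."`. It is also worth confirming that the empty default preserves the previous behaviour for list calls issued without a `prefix` parameter, since a request in which the `s3:prefix` key is absent may not satisfy the `StringLike` condition. The stray trailing comma in `resources = ["${local.bucket_arn}/${var.read_prefix}*",]` is valid HCL but unusual for a single-line list; `resources = ["${local.bucket_arn}/${var.read_prefix}*"]` reads cleaner and matches the list style used on the new `actions` lines. The enclosing `bucket_policy_read` document continues past the hunk, so the remainder of the second statement's `principals` block and the closing braces are not visible here.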