diff --git a/README.md b/README.md
index 02fe0e0..8b36b25 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,8 @@ module "s3" {
### Migrate from existing buckets
+
+
The `user_policy` input is useful when migrating data from existing bucket(s). For commands like `s3 ls` or `s3 sync` to work across accounts, a policy granting access must be set in 2 places: the *source bucket* and the *destination user*
@@ -233,17 +235,12 @@ No modules.
| Name | Type |
|------|------|
-| [aws_iam_access_key.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_public_access_block.block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [template_file.bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.user_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
## Inputs
@@ -265,19 +262,16 @@ No modules.
| [logging\_enabled](#input\_logging\_enabled) | Set the logging for bucket | `bool` | `false` | no |
| [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
| [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |
-| [user\_policy](#input\_user\_policy) | The IAM policy to assign to the generated user. If empty, the default policy is used | `string` | `""` | no |
| [versioning](#input\_versioning) | Enable object versioning for the bucket | `bool` | `false` | no |
## Outputs
| Name | Description |
|------|-------------|
-| [access\_key\_id](#output\_access\_key\_id) | Access key id for s3 account |
| [bucket\_arn](#output\_bucket\_arn) | S3 bucket ARN |
| [bucket\_domain\_name](#output\_bucket\_domain\_name) | Regional bucket domain name |
| [bucket\_name](#output\_bucket\_name) | S3 bucket name |
| [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | IAM policy ARN for access to the S3 bucket |
-| [secret\_access\_key](#output\_secret\_access\_key) | Secret key for s3 account |
## Tags
diff --git a/examples/s3.tf b/examples/s3.tf
index 5ad0576..17fc2d0 100644
--- a/examples/s3.tf
+++ b/examples/s3.tf
@@ -184,9 +184,7 @@ resource "kubernetes_secret" "s3_bucket" {
}
data = {
- access_key_id = module.s3_bucket.access_key_id
- secret_access_key = module.s3_bucket.secret_access_key
- bucket_arn = module.s3_bucket.bucket_arn
- bucket_name = module.s3_bucket.bucket_name
+ bucket_arn = module.s3_bucket.bucket_arn
+ bucket_name = module.s3_bucket.bucket_name
}
}
diff --git a/main.tf b/main.tf
index dde5a5f..7019dec 100644
--- a/main.tf
+++ b/main.tf
@@ -37,15 +37,6 @@ data "template_file" "bucket_policy" {
}
}
-# TODO: the `template` provider has been deprecated, these need to be removed in a future release.
-data "template_file" "user_policy" {
- template = var.user_policy
-
- vars = {
- bucket_arn = "arn:aws:s3:::${local.bucket_name}"
- }
-}
-
#################
# Create bucket #
#################
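Review bot: The deleted `# TODO: the \`template\` provider has been deprecated, these need to be removed in a future release.` comment covered both `template_file` data sources, and `data "template_file" "bucket_policy"` (the context line in this hunk's header, whose body starts outside the hunk) still uses the deprecated provider after this change, so the reminder is lost while the dependency remains. Keep the note on the surviving data source, e.g. `# TODO: the \`template\` provider is deprecated; migrate bucket_policy rendering off it in a future release.` placed just above `data "template_file" "bucket_policy"`. The README's resources table in this same commit still lists `template_file.bucket_policy`, which is consistent with it not having been removed.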
@@ -166,67 +157,6 @@ resource "aws_s3_bucket_public_access_block" "block_public_access" {
restrict_public_buckets = true
}
-# Legacy long-lived credentials
-resource "aws_iam_user" "user" {
- name = "s3-bucket-user-${random_id.id.hex}"
- path = "/system/s3-bucket-user/"
-}
-
-resource "aws_iam_access_key" "user" {
- user = aws_iam_user.user.name
-}
-
-data "aws_iam_policy_document" "policy" {
- statement {
- actions = [
- "s3:GetBucketLocation",
- "s3:GetBucketPolicy",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:ListBucketVersions",
- ]
-
- resources = [
- local.s3_bucket_arn,
- ]
- }
-
- statement {
- actions = [
- "s3:AbortMultipartUpload",
- "s3:DeleteObject",
- "s3:DeleteObjectTagging",
- "s3:DeleteObjectVersion",
- "s3:DeleteObjectVersionTagging",
- "s3:GetObject",
- "s3:GetObjectAcl",
- "s3:GetObjectTagging",
- "s3:GetObjectTorrent",
- "s3:GetObjectVersion",
- "s3:GetObjectVersionAcl",
- "s3:GetObjectVersionTagging",
- "s3:GetObjectVersionTorrent",
- "s3:ListMultipartUploadParts",
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:PutObjectTagging",
- "s3:PutObjectVersionAcl",
- "s3:PutObjectVersionTagging",
- "s3:RestoreObject",
- ]
-
- resources = [
- "${local.s3_bucket_arn}/*",
- ]
- }
-}
-
-resource "aws_iam_user_policy" "policy" {
- name = "s3-bucket-read-write"
- policy = data.template_file.user_policy.rendered == "" ? data.aws_iam_policy_document.policy.json : data.template_file.user_policy.rendered
- user = aws_iam_user.user.name
-}
-
##############################
# Create IAM role for access #
##############################
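Review bot: Dropping `aws_iam_user.user`, `aws_iam_access_key.user` and `aws_iam_user_policy.policy` from the module makes the next `terraform apply` destroy the IAM user and its access key for every consumer, so any workload still authenticating with those static credentials (the example in this commit used to publish them into a `kubernetes_secret`) loses access at apply time rather than after a migration window. Since `aws_iam_policy.irsa` (the block just below this hunk) becomes the only access path, this should ship as a breaking version with an upgrade note stating that consumers must be on IRSA before upgrading, and the README's "Migrate from existing buckets" paragraph, which still instructs users to set the now-removed `user_policy` input, should be rewritten in the same change. Retiring the long-lived key pair is the right direction: once applied, the secret key no longer appears in module outputs or the rendered example secret, though it presumably remains in any Terraform state snapshots and Kubernetes secrets created before the upgrade, which operators should rotate or purge. Consider stating that explicitly in the upgrade note, e.g. `# Upgrading: the static IAM user/access key are destroyed on apply; ensure workloads use the IRSA role first and purge any copies of the old key.`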
diff --git a/outputs.tf b/outputs.tf
index e423368..200c562 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,15 +1,3 @@
-output "access_key_id" {
- description = "Access key id for s3 account"
- value = aws_iam_access_key.user.id
- sensitive = true
-}
-
-output "secret_access_key" {
- description = "Secret key for s3 account"
- value = aws_iam_access_key.user.secret
- sensitive = true
-}
-
output "bucket_arn" {
description = "S3 bucket ARN"
value = aws_s3_bucket.bucket.arn
diff --git a/variables.tf b/variables.tf
index 87fe759..ea5f4c9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -13,12 +13,6 @@ variable "bucket_policy" {
type = string
}
-variable "user_policy" {
- description = "The IAM policy to assign to the generated user. If empty, the default policy is used"
- default = ""
- type = string
-}
-
variable "versioning" {
description = "Enable object versioning for the bucket"
default = false