init commit

Author: Taylor McClure

README.md

@@ -0,0 +1,19 @@
+# terraform-s3-rbac
+
+## Purpose
+
+Terraform module to allow users to easily create buckets in their own account that gives another account's principal(s) full read/write access to their buckets.
+
+## Usage
+
+```terraform
+module "s3_rbac" {
+  source = "https://github.com:scribd/terraform-s3-rbac.git"
+
+  role_name              = "remote_s3_rbac"
+  s3_bucket_names        = ["somename-00", "somename-01", "somename-nn"]
+  remote_principals_arns = ["arn:aws:iam::1234567890:user/someuser", "arn:aws:iam::1234567890:role/somerole"]
+  
+  tags = {"key": "value"}
+}
+```

iam_roles.tf

@@ -0,0 +1,45 @@
+resource "aws_iam_role" "s3_rbac" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.s3_bucket_access_role.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "s3_bucket_access_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    sid     = "terraform0"
+    principals {
+      type        = "AWS"
+      identifiers = [for a in var.remote_principals_arns : "${a}"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "s3_bucket_access" {
+  statement {
+    resources = [for s in var.s3_bucket_names : "arn:aws:s3:::${s}"]
+    effect    = "Allow"
+    actions   = ["s3:*"]
+    sid       = "terraform0"
+  }
+
+  statement {
+    resources = [for s in var.s3_bucket_names : "arn:aws:s3:::${s}/*"]
+    effect    = "Allow"
+    actions   = ["s3:*"]
+    sid       = "terraform1"
+  }
+}
+
+resource "aws_iam_policy" "s3_bucket_access" {
+  name   = "s3_bucket_access"
+  path   = "/"
+  policy = data.aws_iam_policy_document.s3_bucket_access.json
+}
+
+resource "aws_iam_role_policy_attachment" "s3_bucket_access" {
+  role       = aws_iam_role.s3_rbac.name
+  policy_arn = aws_iam_policy.s3_bucket_access.arn
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "iam_role_arn" {
+  description = "IAM role arn created to be assumed by remote principal(s)"
+  value       = aws_iam_role.s3_rbac.arn
+}
+
+output "s3_bucket_arns" {
+  description = "Your S3 bucket ARNS"
+  value       = [for v in aws_s3_bucket.s3_buckets : v.arn]
+}

provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = var.aws_region
+}

s3_bucket.tf

@@ -0,0 +1,22 @@
+# Give an s3 bucket to each bucket name passed to the module
+resource "aws_s3_bucket" "s3_buckets" {
+  for_each = var.s3_bucket_names
+
+  bucket = each.value
+  acl    = "private"
+  tags   = var.tags
+}
+
+# Make sure no object could ever be public
+resource "aws_s3_bucket_public_access_block" "s3_buckets" {
+  for_each = var.s3_bucket_names
+
+  bucket = each.value
+
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
+
+  depends_on = [aws_s3_bucket.s3_buckets]
+}

vars.tf

@@ -0,0 +1,26 @@
+variable "aws_region" {
+  description = "AWS Region"
+  type        = string
+  default     = "us-east-2"
+}
+
+variable "s3_bucket_names" {
+  type        = set(string)
+  description = "one or many of your s3 bucket name(s)"
+}
+
+variable "remote_principals_arns" {
+  type        = list(string)
+  description = "one or many arns for your remote principals"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = { "terraform" : "true" }
+  description = "custom tags you want to provide for the resources created here"
+}
+
+variable "role_name" {
+  type        = string
+  description = "name to give your role that will be able to be assume by remote principal(s)"
+}