feat: Allow buckets to be individually customized (#13)

athtran · web-flow · commit 85851e0310cd · 2021-03-08T15:07:41.000-08:00
* feat: Allow buckets to be individually customized

TOOLS-2606

* Move acl, block_public_acls, block_public_policy, restrict_public_buckets, ignore_public_acls into s3_bucket_config
diff --git a/iam_roles.tf b/iam_roles.tf
@@ -19,14 +19,14 @@ data "aws_iam_policy_document" "s3_bucket_access_role" {
 
 data "aws_iam_policy_document" "s3_bucket_access" {
   statement {
-    resources = [for s in var.s3_bucket_names : "arn:aws:s3:::${s}"]
+    resources = [for s in keys(var.s3_bucket_config) : "arn:aws:s3:::${s}"]
     effect    = "Allow"
     actions   = ["s3:*"]
     sid       = "terraform0"
   }
 
   statement {
-    resources = [for s in var.s3_bucket_names : "arn:aws:s3:::${s}/*"]
+    resources = [for s in keys(var.s3_bucket_config) : "arn:aws:s3:::${s}/*"]
     effect    = "Allow"
     actions   = ["s3:*"]
     sid       = "terraform1"
diff --git a/s3_bucket.tf b/s3_bucket.tf
@@ -1,13 +1,13 @@
 # Give an s3 bucket to each bucket name passed to the module
 resource "aws_s3_bucket" "s3_buckets" {
-  for_each = var.s3_bucket_names
+  for_each = var.s3_bucket_config
 
-  bucket = each.value
-  acl    = var.acl
+  bucket = each.key
+  acl    = lookup(each.value, "acl", "private")
   tags   = var.tags
 
   dynamic "lifecycle_rule" {
-    for_each = var.lifecycle_rule_inputs == null ? [] : var.lifecycle_rule_inputs
+    for_each = lookup(each.value, "lifecycle_rule_inputs", [])
 
     content {
       enabled                                = lifecycle_rule.value.enabled
@@ -24,7 +24,7 @@ resource "aws_s3_bucket" "s3_buckets" {
   }
 
   dynamic "cors_rule" {
-    for_each = var.cors_rule_inputs == null ? [] : var.cors_rule_inputs
+    for_each = lookup(each.value, "cors_rule_inputs", [])
 
     content {
       allowed_headers = cors_rule.value.allowed_headers
@@ -38,14 +38,14 @@ resource "aws_s3_bucket" "s3_buckets" {
 
 # Make sure no object could ever be public
 resource "aws_s3_bucket_public_access_block" "s3_buckets" {
-  for_each = var.s3_bucket_names
+  for_each = var.s3_bucket_config
 
-  bucket = each.value
+  bucket = each.key
 
-  block_public_acls       = var.block_public_acls
-  block_public_policy     = var.block_public_policy
-  restrict_public_buckets = var.restrict_public_buckets
-  ignore_public_acls      = var.ignore_public_acls
+  block_public_acls       = lookup(each.value, "block_public_acls", true)
+  block_public_policy     = lookup(each.value, "block_public_policy", true)
+  restrict_public_buckets = lookup(each.value, "restrict_public_buckets", true)
+  ignore_public_acls      = lookup(each.value, "ignore_public_acls", true)
 
   depends_on = [aws_s3_bucket.s3_buckets]
 }
diff --git a/vars.tf b/vars.tf
@@ -4,9 +4,29 @@ variable "aws_region" {
   default     = "us-east-2"
 }
 
-variable "s3_bucket_names" {
-  type        = set(string)
-  description = "one or many of your s3 bucket name(s)"
+variable "s3_bucket_config" {
+  type = map(object({
+    acl                     = string
+    block_public_acls       = bool
+    block_public_policy     = bool
+    restrict_public_buckets = bool
+    ignore_public_acls      = bool
+    cors_rule_inputs = list(object({
+      allowed_headers = list(string)
+      allowed_methods = list(string)
+      allowed_origins = list(string)
+      expose_headers  = list(string)
+      max_age_seconds = number
+    }))
+    lifecycle_rule_inputs = list(object({
+      enabled                                = string
+      abort_incomplete_multipart_upload_days = string
+      expiration_inputs = list(object({
+        days = number
+      }))
+    }))
+  }))
+  default = null
 }
 
 variable "remote_principals_arns" {
@@ -23,56 +43,4 @@ variable "tags" {
 variable "role_name" {
   type        = string
   description = "name to give your role that will be able to be assume by remote principal(s)"
-}
-
-variable "acl" {
-  type        = string
-  default     = "private"
-  description = "The canned ACL to apply."
-}
-
-variable "block_public_acls" {
-  type        = string
-  default     = true
-  description = "PUT Object calls will fail if the request includes an object ACL."
-}
-
-variable "block_public_policy" {
-  type        = string
-  default     = true
-  description = "Reject calls to PUT Bucket policy if the specified bucket policy allows public access."
-}
-
-variable "restrict_public_buckets" {
-  type        = string
-  default     = true
-  description = "Ignore public ACLs on this bucket and any objects that it contains."
-}
-
-variable "ignore_public_acls" {
-  type        = string
-  default     = true
-  description = "Only the bucket owner and AWS Services can access this buckets if it has a public policy."
-}
-
-variable "lifecycle_rule_inputs" {
-  type = list(object({
-    enabled                                = string
-    abort_incomplete_multipart_upload_days = string
-    expiration_inputs = list(object({
-      days = number
-    }))
-  }))
-  default = null
-}
-
-variable "cors_rule_inputs" {
-  type = list(object({
-    allowed_headers = list(string)
-    allowed_methods = list(string)
-    allowed_origins = list(string)
-    expose_headers  = list(string)
-    max_age_seconds = number
-  }))
-  default = null
 }
