add paren

Author: gilandose

modules/s3_bucket/main.tf

@@ -1,3 +1,44 @@
+
+data "aws_iam_policy_document" "segment_policy_doc" {
+  statement {
+    sid = "cross_account"
+
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetObjectAcl",
+      "s3:DeleteObject"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = "arn:aws:iam::${var.data_account}:root"
+    }
+
+    resources = [
+      "arn:aws:s3:::${var.s3_bucket}",
+      "arn:aws:s3:::${var.s3_bucket}/*"
+    ]
+
+  }
+
+  statement {
+    sid = "AllowSegmentUser"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = "arn:aws:iam::107630771604:user/s3-copy"
+    }
+    actions =  ["S3:PutObject"]
+    resources = ["arn:aws:s3:::${var.s3_bucket}/*"]
+  }
+
+}
+
+
 module "s3_bucket" {
   source = "https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/archive/v1.9.0.zip//terraform-aws-s3-bucket-1.9.0"
 
@@ -10,21 +51,6 @@ module "s3_bucket" {
 
   tags = local.tags
 
-  policy = <<POLICY
-  {
-    "Version": "2008-10-17",
-    "Id": "Policy1425281770533",
-    "Statement": [
-      {
-        "Sid": "AllowSegmentUser",
-        "Effect": "Allow",
-        "Principal": {
-          "AWS": "arn:aws:iam::107630771604:user/s3-copy"
-        },
-        "Action": "s3:PutObject",
-        "Resource": "arn:aws:s3:::${var.s3_bucket}/*"
-      }
-    ]
-  }
-POLICY
+  policy = data.aws_iam_policy_document.segment_policy_doc.json
+  
 }

modules/s3_bucket/variables.tf

@@ -9,6 +9,11 @@ variable "tags" {
   default     = {}
 }
 
+variable "data_account" {
+  description = "aws account id for data account"
+  type = "string"
+} 
+
 locals {
   tags = "${merge(map("vendor", "segment"), var.tags)}"
 }