cjbischoff · June 3, 2019 16:27
diff --git a/s3.tf b/s3.tf
 variable "bucket_name" {}

 variable "name" {}

 variable "s3logs_bucket_name" {}

 variable "database_kms_key_arn" {}

 variable "read_only_roles" {
  type    = "list"
  default = []
 }

 resource "aws_s3_bucket" "main" {
  acl    = "private"
  bucket = "${var.bucket_name}"

  lifecycle_rule {
    abort_incomplete_multipart_upload_days = 14
    enabled                                = true
    id                                     = "MI-14day-expire"
    prefix                                 = ""

    expiration {
      days = 14
    }
  }

  logging {
    target_bucket = "${var.s3logs_bucket_name}"
    target_prefix = "${var.name}/${var.bucket_name}/"
  }

  tags {
    Name = "${var.name}"
  }

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.database_kms_key_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
 }

 resource "aws_s3_bucket_policy" "main" {
  bucket = "${aws_s3_bucket.main.id}"

  # Concat if/else trick on `data` from:
  # https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9#79f9
  policy = "${element(concat(data.aws_iam_policy_document.main_bucket_with_read.*.json,
    data.aws_iam_policy_document.main_bucket_without_read.*.json), 0)}"
 }

 # TODO: Consider refactoring this if we use tf version >= 0.12. `count` may have been added within fields in > 0.12.
 data aws_iam_policy_document "main_bucket_with_read" {
  count = "${length(var.read_only_roles) > 0 ? 1 : 0}"

  statement {
    sid = "DenyS3InsecureTransport"

    actions = ["s3:*"]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }

    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = ["${aws_s3_bucket.main.arn}/*"]
  }

  # Allow an external role to read from the S3.
  statement {
    sid = "AllowS3ReadOnlyRoles"

    actions = [
      "s3:GetObject",
    ]

    principals {
      type        = "AWS"
      identifiers = ["${var.read_only_roles}"]
    }

    resources = ["${aws_s3_bucket.main.arn}/*"]
  }
 }

 data aws_iam_policy_document "main_bucket_without_read" {
  count = "${length(var.read_only_roles) <= 0 ? 1 : 0}"

  statement {
    sid = "DenyS3InsecureTransport"

    actions = ["s3:*"]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }

    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = ["${aws_s3_bucket.main.arn}/*"]
  }
 }

 resource "aws_kms_grant" "external_decrypt_grant" {
  count             = "${length(var.read_only_roles)}"
  name              = "${var.name}-external-decrypt-grant-${count.index}"
  key_id            = "${var.database_kms_key_arn}"
  grantee_principal = "${element(var.read_only_roles, count.index)}"
  operations        = ["Decrypt"]
 }

 output "bucket_arn" {
  value = "${aws_s3_bucket.main.arn}"
 }
	variable "bucket_name" {}

	variable "name" {}

	variable "s3logs_bucket_name" {}

	variable "database_kms_key_arn" {}

	variable "read_only_roles" {
	type = "list"
	default = []
	}

	resource "aws_s3_bucket" "main" {
	acl = "private"
	bucket = "${var.bucket_name}"

	lifecycle_rule {
	abort_incomplete_multipart_upload_days = 14
	enabled = true
	id = "MI-14day-expire"
	prefix = ""

	expiration {
	days = 14
	}
	}

	logging {
	target_bucket = "${var.s3logs_bucket_name}"
	target_prefix = "${var.name}/${var.bucket_name}/"
	}

	tags {
	Name = "${var.name}"
	}

	versioning {
	enabled = true
	}

	server_side_encryption_configuration {
	rule {
	apply_server_side_encryption_by_default {
	kms_master_key_id = "${var.database_kms_key_arn}"
	sse_algorithm = "aws:kms"
	}
	}
	}
	}

	resource "aws_s3_bucket_policy" "main" {
	bucket = "${aws_s3_bucket.main.id}"

	# Concat if/else trick on `data` from:
	# https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9#79f9
	policy = "${element(concat(data.aws_iam_policy_document.main_bucket_with_read.*.json,
	data.aws_iam_policy_document.main_bucket_without_read.*.json), 0)}"
	}

	# TODO: Consider refactoring this if we use tf version >= 0.12. `count` may have been added within fields in > 0.12.
	data aws_iam_policy_document "main_bucket_with_read" {
	count = "${length(var.read_only_roles) > 0 ? 1 : 0}"

	statement {
	sid = "DenyS3InsecureTransport"

	actions = ["s3:*"]

	condition {
	test = "Bool"
	variable = "aws:SecureTransport"
	values = ["false"]
	}

	effect = "Deny"

	principals {
	type = "*"
	identifiers = ["*"]
	}

	resources = ["${aws_s3_bucket.main.arn}/*"]
	}

	# Allow an external role to read from the S3.
	statement {
	sid = "AllowS3ReadOnlyRoles"

	actions = [
	"s3:GetObject",
	]

	principals {
	type = "AWS"
	identifiers = ["${var.read_only_roles}"]
	}

	resources = ["${aws_s3_bucket.main.arn}/*"]
	}
	}

	data aws_iam_policy_document "main_bucket_without_read" {
	count = "${length(var.read_only_roles) <= 0 ? 1 : 0}"

	statement {
	sid = "DenyS3InsecureTransport"

	actions = ["s3:*"]

	condition {
	test = "Bool"
	variable = "aws:SecureTransport"
	values = ["false"]
	}

	effect = "Deny"

	principals {
	type = "*"
	identifiers = ["*"]
	}

	resources = ["${aws_s3_bucket.main.arn}/*"]
	}
	}

	resource "aws_kms_grant" "external_decrypt_grant" {
	count = "${length(var.read_only_roles)}"
	name = "${var.name}-external-decrypt-grant-${count.index}"
	key_id = "${var.database_kms_key_arn}"
	grantee_principal = "${element(var.read_only_roles, count.index)}"
	operations = ["Decrypt"]
	}

	output "bucket_arn" {
	value = "${aws_s3_bucket.main.arn}"
	}