Added conditional IAM Roles to S3 bucket policies. (#227)

* Added conditional IAM Roles to S3 bucket policies. * typos * Review code from feedback * changelog * Update variables.tf --------- Co-authored-by: Abhimanyu Gupta <[email protected]>
ExpediaGroup · May 10, 2023 · 73bf23d · 73bf23d
1 parent eb6f2c6
commit 73bf23d
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.17.0] - 2023-05-10
+### Added
+- New block in every S3 bucket policy called `conditional_consumer_iamroles`. It allows S3 read access to certain IAM Roles based on an `apiary_customer_condition`.
+
 ## [6.16.0] - 2023-02-10
 ### Changed
 - Update RDS default version from `aurora5.6` to `aurora-mysql5.7`

diff --git a/s3.tf b/s3.tf
@@ -12,18 +12,19 @@ locals {
   bucket_policy_map = {
     for schema in local.schemas_info : schema["schema_name"] => templatefile("${path.module}/templates/apiary-bucket-policy.json", {
       #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
-      customer_principal    = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, schema["schema_name"])) && schema["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", schema["customer_accounts"]))) : ""
-      customer_condition    = var.apiary_customer_condition
-      bucket_name           = schema["data_bucket"]
-      encryption            = schema["encryption"]
-      kms_key_arn           = schema["encryption"] == "aws:kms" ? aws_kms_key.apiary_kms[schema["schema_name"]].arn : ""
-      consumer_iamroles     = join("\",\"", var.apiary_consumer_iamroles)
-      producer_iamroles     = replace(lookup(var.apiary_producer_iamroles, schema["schema_name"], ""), ",", "\",\"")
-      deny_iamroles         = join("\",\"", var.apiary_deny_iamroles)
-      deny_iamrole_actions  = join("\",\"", var.apiary_deny_iamrole_actions)
-      client_roles          = replace(lookup(schema, "client_roles", ""), ",", "\",\"")
-      governance_iamroles   = join("\",\"", var.apiary_governance_iamroles)
-      consumer_prefix_roles = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})
+      customer_principal            = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, schema["schema_name"])) && schema["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", schema["customer_accounts"]))) : ""
+      customer_condition            = var.apiary_customer_condition
+      bucket_name                   = schema["data_bucket"]
+      encryption                    = schema["encryption"]
+      kms_key_arn                   = schema["encryption"] == "aws:kms" ? aws_kms_key.apiary_kms[schema["schema_name"]].arn : ""
+      consumer_iamroles             = join("\",\"", var.apiary_consumer_iamroles)
+      conditional_consumer_iamroles = join("\",\"", var.apiary_conditional_consumer_iamroles)
+      producer_iamroles             = replace(lookup(var.apiary_producer_iamroles, schema["schema_name"], ""), ",", "\",\"")
+      deny_iamroles                 = join("\",\"", var.apiary_deny_iamroles)
+      deny_iamrole_actions          = join("\",\"", var.apiary_deny_iamrole_actions)
+      client_roles                  = replace(lookup(schema, "client_roles", ""), ",", "\",\"")
+      governance_iamroles           = join("\",\"", var.apiary_governance_iamroles)
+      consumer_prefix_roles         = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})
     })
   }
 }

diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
@@ -39,7 +39,11 @@
             "Sid": "Apiary customer account object permissions",
             "Effect": "Allow",
             "Principal": {
+%{if conditional_consumer_iamroles == ""}
                 "AWS": [ "${customer_principal}" ]
+%{else}
+                "AWS": [ "${customer_principal}", "${conditional_consumer_iamroles}" ]
+%{endif}
             },
             "Condition": {
               ${condition}
@@ -87,7 +91,7 @@
 %{endif}
 %{if consumer_iamroles != ""}
         {
-            "Sid": "Apiary consumer iamrole permissions",
+            "Sid": "Apiary consumer iamrole permissions with unrestricted access",
             "Effect": "Allow",
             "Principal": "*",
             "Action": [

diff --git a/variables.tf b/variables.tf
@@ -139,7 +139,7 @@ variable "apiary_customer_accounts" {
 }
 
 variable "apiary_customer_condition" {
-  description = "IAM policy condition applied to customer account s3 object access."
+  description = "IAM policy condition applied to customer account for s3 object access."
   type        = string
   default     = ""
 }
@@ -180,6 +180,12 @@ variable "apiary_consumer_iamroles" {
   default     = []
 }
 
+variable "apiary_conditional_consumer_iamroles" {
+  description = "AWS IAM roles allowed conditional read access based on apiary_customer_condition to managed Apiary S3 buckets."
+  type        = list(string)
+  default     = []
+}
+
 variable "apiary_consumer_prefix_iamroles" {
   description = "AWS IAM roles allowed unrestricted read access to certain prefixes in managed Apiary S3 buckets."
   type        = map(map(list(string)))