Add optional deny global write access bucket policy section (#270)

* Add optional deny global write access bucket policy section * docs * typo * test * test bool to string * variables.tf
ExpediaGroup · Aug 21, 2024 · a2c89c5 · a2c89c5
1 parent f52f432
commit a2c89c5
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.3.0] - 2024-08-20
+### Added
+- If apiary_managed_schemas has `deny_global_write_access` enabled, only `producer_roles` will be able to write in the specified schema.
+
 ## [7.2.3] - 2024-08-14
 ### Fixed
 - Changed terraform cron job api from `kubernetes_cron_job` to `kubernetes_cron_job_v1` to compatible with eks v1.25 and later.

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -335,3 +335,20 @@ common_producer_iamroles = [
   ...
 ]
 ```
+
+### Deny global writes to bucket - `deny_global_write_access` and `producer_roles`
+
+Write access is granted by default for roles within the same AWS account. If you would like to protect the bucket so only certain roles can write you can use `deny_global_write_access` and `producer_roles`.
+
+If you would like to protect all buckets you can set the default variable `deny_global_write_access` to `true`. However, enabling only one bucket looks like this:
+
+```
+apiary_managed_schemas = [
+  {
+   schema_name = "sandbox"
+   ...
+   deny_global_write_access = true,
+   producer_roles = "arn:aws:iam::000000000:role/role-1,arn:aws:iam::000000000:role/role-2"
+  }
+]
+```
diff --git a/s3.tf b/s3.tf
@@ -26,6 +26,8 @@ locals {
       governance_iamroles           = join("\",\"", var.apiary_governance_iamroles)
       consumer_prefix_roles         = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})
       common_producer_iamroles      = join("\",\"", var.apiary_common_producer_iamroles)
+      deny_global_write_access      = lookup(schema, "deny_global_write_access", var.deny_global_write_access)
+      producer_roles                = lookup(schema, "producer_roles", var.producer_roles)
     })
   }
 }

diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
@@ -85,6 +85,23 @@
 %{endif}
 %{endfor ~}
 %{endif}
+%{if deny_global_write_access == "true" && producer_roles != "" }
+        {
+            "Sid": "Deny write permissions to everything except the specified roles",
+            "Effect": "Deny",
+            "Principal": "*",
+            "Action": [
+                "s3:Put*",
+                "s3:Delete*"
+            ],
+            "Resource": "arn:aws:s3:::${bucket_name}/*",
+            "Condition": {
+              "StringNotLike": {
+                "aws:PrincipalArn": [ "${producer_roles}" ]
+              }
+            }
+        },
+%{endif}
 %{if deny_iamroles != ""}
         {
             "Sid": "Local role deny permissions",

diff --git a/variables.tf b/variables.tf
@@ -811,3 +811,15 @@ variable "tcp_keepalive_probes" {
   type        = number
   default     = 2
 }
+
+variable "deny_global_write_access" {
+  description = "Deny all write permissions from the S3 bucket except producer_roles. See VARIABLES.md for more information."
+  type        = bool
+  default     = false
+}
+
+variable "producer_roles" {
+  description = "Comma separated list of roles that are able to write into the bucket. See VARIABLES.md for more information."
+  type        = string
+  default     = ""
+}