Feature/fix s3 tag conditions (#197)

* add support to split customer policy condition * fix * cleanup * update changelog Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Jul 14, 2021 · aba59e2 · aba59e2
1 parent cc0d392
commit aba59e2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.9.3] - 2021-07-14
+### Added
+- Add support to split customer policy condition.
+
 ## [6.9.2] - 2021-07-08
 ### Added
 - Added disallow_incompatible_col_type_changes variable to disable hive validation when schema changes. This variable will help Apache Iceberg to make schema-evolution.

diff --git a/README.md b/README.md
@@ -59,8 +59,11 @@ module "apiary" {
     }
   ]
   apiary_customer_accounts = ["aws_account_no_1", "aws_account_no_2"]
+  # single policy with multiple conditions will use AND operator
+  # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html
+  # ; will create seperate policies for each condition, essentially to enable OR operator
   apiary_customer_condition = <<EOF
-    "ForAnyValue:StringEquals": {"s3:ExistingObjectTag/security": [ "public"] } ,
+    "ForAnyValue:StringEquals": {"s3:ExistingObjectTag/security": [ "public"] };
     "StringLike": {"s3:ExistingObjectTag/type": "image*" }
   EOF
   ingress_cidr             = ["10.0.0.0/8"]

diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
@@ -18,19 +18,32 @@
                 "arn:aws:s3:::${bucket_name}"
             ]
         },
-%{endif}
-%{if customer_principal != ""}
+%{if customer_condition == ""}
+        {
+            "Sid": "Apiary customer account object permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [ "${customer_principal}" ]
+            },
+            "Action": [
+                "s3:GetObject",
+                "s3:GetObjectAcl"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket_name}/*"
+            ]
+        },
+%{else}
+%{for condition in split(";",customer_condition)}
         {
             "Sid": "Apiary customer account object permissions",
             "Effect": "Allow",
             "Principal": {
                 "AWS": [ "${customer_principal}" ]
             },
-%{if customer_condition != ""}
             "Condition": {
-              ${customer_condition}
+              ${condition}
             },
-%{endif}
             "Action": [
                 "s3:GetObject",
                 "s3:GetObjectAcl"
@@ -39,6 +52,8 @@
                 "arn:aws:s3:::${bucket_name}/*"
             ]
         },
+%{endfor}
+%{endif}
 %{endif}
 %{if deny_iamroles != ""}
         {