George Livanoss

Reputation: 599

terraform, s3 bucket policy

I'm using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and the related IAM users.

This works fine:

module "my_bucket" {
  source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"

  bucket_name = "my-bucket"

  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}

Now I want to fix the default policy of the S3 bucket created by this module.

terraform show shows me this:

module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id = my-bucket
  bucket = my-bucket
  policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

How should I modify my .tf to have another policy?

Upvotes: 2

Views: 39958

Answers (2)

Nagev

Reputation: 13237

I like using IAM roles. If using Kubernetes, for example, you could have an IAM role assigned to your pod.

The basic example below shows how to give read permissions to S3 buckets. Values are hardcoded for simplicity, but it is best to use suitable variables.

resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}


data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = ["arn:aws:s3:::my-bucket-1",
                  "arn:aws:s3:::my-bucket-1/*",
                  "arn:aws:s3:::my-bucket-2",
                  "arn:aws:s3:::mybucket-2/*",
    ]
  }
}

You could do a targeted plan as follows:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

Which would output:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::mybucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Upvotes: 7

BMW

Reputation: 45243

I agree with @ydeatskcoR's opinion on your idea. But if you insist on doing it via a bucket policy, you can copy the module out to your repo directly and adjust the resource aws_s3_bucket_policy for your environment.

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = "${aws_s3_bucket.bucket.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.user.arn}"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
EOF
}

Upvotes: 6
