Merge pull request #3 from asicsdigital/casper-SRE-70

Casper SRE-70
asicsdigital · Jan 31, 2020 · e69defc · e69defc
2 parents 018a2a8 + 9a14579
commit e69defc
Show file tree

Hide file tree

Showing 8 changed files with 149 additions and 25 deletions.
diff --git a/.terraform-version b/.terraform-version
@@ -1 +1 @@
-0.11.7
+0.12.17
diff --git a/iam-source.tf b/iam-source.tf
@@ -1,11 +1,73 @@
-data "aws_iam_policy_document" "user_policy" {
+data "aws_iam_user" "user" {
+  count     = var.create_user ? 0 : 1
+  user_name = var.user_name
+}
+
+resource "aws_iam_policy" "user_policy" {
+  name_prefix = "${var.user_name}-"
+  policy      = local.policy
+}
+
+resource "aws_iam_user" "user" {
+  count         = var.create_user ? 1 : 0
+  name          = var.user_name
+  force_destroy = var.force_destroy
+}
+
+resource "aws_iam_user_policy_attachment" "user_policy" {
+  user       = aws_iam_user.user[0].name
+  policy_arn = aws_iam_policy.user_policy.arn
+}
+
+resource "aws_iam_access_key" "key" {
+  user = aws_iam_user.user[0].name
+}
+
+data "aws_iam_policy_document" "user_policy_read" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
+    resources = [
+      local.bucket_arn,
+    ]
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "s3:prefix"
+
+      values = [
+        "${var.prefix}*",
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "user_policy_read_write" {
   statement {
     actions = [
       "s3:PutObject",
     ]
 
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
     resources = [
-      "${local.object_arn}",
+      local.object_arn,
     ]
   }
 
@@ -14,8 +76,16 @@ data "aws_iam_policy_document" "user_policy" {
       "s3:ListBucket",
     ]
 
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
     resources = [
-      "${local.bucket_arn}",
+      local.bucket_arn,
     ]
 
     condition {
@@ -29,21 +99,51 @@ data "aws_iam_policy_document" "user_policy" {
   }
 }
 
-resource "aws_iam_policy" "user_policy" {
-  name_prefix = "${var.user_name}-"
-  policy      = "${data.aws_iam_policy_document.user_policy.json}"
-}
+data "aws_iam_policy_document" "user_policy_read_write_delete" {
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:DeleteObject",
+    ]
 
-resource "aws_iam_user" "user" {
-  name          = "${var.user_name}"
-  force_destroy = "${var.force_destroy}"
-}
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
+    resources = [
+      local.object_arn,
+    ]
+  }
 
-resource "aws_iam_user_policy_attachment" "user_policy" {
-  user       = "${aws_iam_user.user.name}"
-  policy_arn = "${aws_iam_policy.user_policy.arn}"
-}
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
 
-resource "aws_iam_access_key" "key" {
-  user     = "${aws_iam_user.user.name}"
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
+    resources = [
+      local.bucket_arn,
+    ]
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "s3:prefix"
+
+      values = [
+        "${var.prefix}*",
+      ]
+    }
+  }
 }
+
diff --git a/locals.tf b/locals.tf
@@ -1,4 +1,8 @@
 locals {
-  "bucket_arn"               = "arn:aws:s3:::${var.bucket_name}"
-  "object_arn"               = "arn:aws:s3:::${var.bucket_name}/${var.prefix}*"
+  bucket_arn    = "arn:aws:s3:::${var.bucket_name}"
+  object_arn    = "arn:aws:s3:::${var.bucket_name}/${var.prefix}*"
+  write_access  = var.write_access ? "_write" : ""
+  delete_access = var.delete_access ? "_delete" : ""
+  policy        = var.write_access ? var.delete_access ? data.aws_iam_policy_document.user_policy_read_write_delete.json : data.aws_iam_policy_document.user_policy_read_write.json : data.aws_iam_policy_document.user_policy_read.json
 }
+
diff --git a/main.tf b/main.tf
diff --git a/outputs.tf b/outputs.tf
@@ -1,8 +1,9 @@
 output "iam_user_access_key_id" {
-  value = "${aws_iam_access_key.key.id}"
+  value = aws_iam_access_key.key.id
 }
 
 output "iam_user_secret_access_key" {
-  value     = "${aws_iam_access_key.key.secret}"
+  value     = aws_iam_access_key.key.secret
   sensitive = true
 }
+
diff --git a/providers.tf b/providers.tf
diff --git a/variables.tf b/variables.tf
@@ -1,19 +1,34 @@
 variable "bucket_name" {
-  type        = "string"
+  type        = string
   description = "Name for s3 bucket"
 }
 
 variable "prefix" {
-  type        = "string"
+  type        = string
   description = "Prefix to grant access to, note this module does not add any trailing /"
 }
 
 variable "user_name" {
-  type        = "string"
+  type        = string
   description = "Short name for the IAM user to create"
 }
 
+variable "create_user" {
+  default     = true
+  description = "True if a user needs to be created.  False if the user already exists."
+}
+
 variable "force_destroy" {
   default     = true
   description = "Force_destroy the IAM user created by this module? (Default true)"
 }
+
+variable "write_access" {
+  default     = true
+  description = "Generated policy will have S3:PutObject permission"
+}
+
+variable "delete_access" {
+  default     = false
+  description = "Generated policy will have S3:DeleteObject permission"
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}