#210

README.md

@@ -298,6 +298,7 @@ Available targets:
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br> mode = string # Valid values are GOVERNANCE and COMPLIANCE.<br> days = number<br> years = number<br> })</pre> | `null` | no |
 | <a name="input_privileged_principal_actions"></a> [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
 | <a name="input_privileged_principal_arns"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| <a name="input_privileged_principal_arns_with_condition"></a> [privileged\_principal\_arns\_with\_condition](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.<br>The second key of each map, the test of condition, whose associated value is a list of variable and values.<br>example:<br>default = [<br>{<br> ("*") = [""],<br> StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]<br>}<br>] | `list(map(list(string)))` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
 | <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |

docs/terraform.md

@@ -90,6 +90,7 @@
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br> mode = string # Valid values are GOVERNANCE and COMPLIANCE.<br> days = number<br> years = number<br> })</pre> | `null` | no |
 | <a name="input_privileged_principal_actions"></a> [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no |
 | <a name="input_privileged_principal_arns"></a> [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no |
+| <a name="input_privileged_principal_arns_with_condition"></a> [privileged\_principal\_arns\_with\_condition](#input\_privileged\_principal\_arns\_with\_condition) | List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is<br>a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,<br>in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.<br>The second key of each map, the test of condition, whose associated value is a list of variable and values.<br>example:<br>default = [<br>{<br> ("*") = [""],<br> StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]<br>}<br>] | `list(map(list(string)))` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no |
 | <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |

main.tf

@@ -469,6 +469,29 @@ data "aws_iam_policy_document" "bucket_policy" {
  }
  }
  }
+
+ dynamic "statement" {
+ for_each = var.privileged_principal_arns_with_condition
+
+ content {
+ sid = "AllowPrivilegedPrincipal[${statement.key}]" # add indic
+ actions = var.privileged_principal_actions
+ resources = distinct(flatten([
+ "arn:${local.partition}:s3:::${local.bucket_id}",
+ formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", values(statement.value)[0]),
+ ]))
+ principals {
+ type = "AWS"
+ identifiers = [keys(statement.value)[0]]
+ }
+ condition {
+ test = keys(statement.value)[1]
+ variable = values(statement.value)[1][0]
+
+ values = slice(values(statement.value)[1], 1, length(values(statement.value)[1]))
+ }
+ }
+ }
 }
 
 data "aws_iam_policy_document" "aggregated_policy" {
@@ -484,6 +507,7 @@ resource "aws_s3_bucket_policy" "default" {
  var.allow_encrypted_uploads_only ||
  length(var.s3_replication_source_roles) > 0 ||
  length(var.privileged_principal_arns) > 0 ||
+ length(var.privileged_principal_arns_with_condition) > 0 ||
  length(var.source_policy_documents) > 0
  ) ? 1 : 0
 

variables.tf

@@ -404,6 +404,26 @@ variable "privileged_principal_arns" {
  nullable = false
 }
 
+variable "privileged_principal_arns_with_condition" {
+ type = list(map(list(string)))
+ default = []
+
+ description = <<-EOT
+ List of maps. The first key of Each map, an IAM Principal ARN, whose associated value is
+ a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
+ in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'.
+ The second key of each map, the test of condition, whose associated value is a list of variable and values.
+ example:
+ default = [
+ {
+ ("*") = [""],
+ StringEquals = ["aws:SourceVpce", "vpce-xxxxxxxxx", "vpce-xxxxxxxxx2"]
+ }
+ ]
+ EOT
+ nullable = false
+}
+
 variable "privileged_principal_actions" {
  type = list(string)
  default = []