diff --git a/README.md b/README.md
index 2359d03..2a0caed 100644
--- a/README.md
+++ b/README.md
@@ -450,7 +450,7 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws\_region](#input\_aws\_region) | AWS region in which to launch resources | `string` | n/a | yes |
| [custom\_cloudformation\_stacks](#input\_custom\_cloudformation\_stacks) | Map of CloudFormation stacks to deploy
{
stack-name = {
s3\_template\_store\_key: The filename of a CloudFormation template that is stored within the S3 bucket, created by the `enable_cloudformatian_s3_template_store`
template\_body: (Optional - use of s3\_template\_store\_key is preferred) The CloudFormation template body
parameters: The CloudFormation template parameters ({ parameter-name = parameter-value, ... })
on\_failure: What to do on failure, either 'DO\_NOTHING', 'ROLLBACK' or 'DELETE'
capabilities: A list of capabilities. Valid values: `CAPABILITY_NAMED_IAM`, `CAPABILITY_IAM`, `CAPABILITY_AUTO_EXPAND`
}
} |
map(object({| n/a | yes | | [custom\_route53\_hosted\_zones](#input\_custom\_route53\_hosted\_zones) | Map of Route53 Hosted Zone configurations to create
s3_template_store_key = optional(string, null)
template_body = optional(string, null)
parameters = optional(map(string), null)
on_failure = optional(string, null)
capabilities = optional(list(string), null)
}))
map(object({| n/a | yes | -| [custom\_s3\_buckets](#input\_custom\_s3\_buckets) | Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLS disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction."
ns_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
a_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
alias_records = optional(map(object({
value = string
zone_id = string
})), null)
cname_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
mx_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
txt_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
}))
map(object({| n/a | yes | +| [custom\_s3\_buckets](#input\_custom\_s3\_buckets) | Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLS disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction."
create_dedicated_kms_key = optional(bool, null)
transition_to_ia_days = optional(number, null)
transition_to_glacier_days = optional(number, null)
cloudfront_dedicated_distribution = optional(bool, null)
cloudfront_s3_root = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)
}))
map(object({| n/a | yes | | [ecs\_cluster\_efs\_directories](#input\_ecs\_cluster\_efs\_directories) | ECS cluster EFS directories to create | `list(string)` | n/a | yes | | [ecs\_cluster\_efs\_infrequent\_access\_transition](#input\_ecs\_cluster\_efs\_infrequent\_access\_transition) | ECS cluser EFS IA transiton in days. Set to 0 to disable IA transition. | `number` | n/a | yes | | [ecs\_cluster\_efs\_performance\_mode](#input\_ecs\_cluster\_efs\_performance\_mode) | ECS cluser EFS performance mode | `string` | n/a | yes |
diff --git a/s3-custom-buckets-kms.tf b/s3-custom-buckets-kms.tf
index f27b6f7..f3dd4bc 100644
--- a/s3-custom-buckets-kms.tf
+++ b/s3-custom-buckets-kms.tf
@@ -24,7 +24,7 @@ resource "aws_kms_key" "custom_s3_buckets" {
 each.value["cloudfront_infrastructure_ecs_cluster_service"] != null ? [aws_cloudfront_distribution.infrastructure_ecs_cluster_service_cloudfront[each.value["cloudfront_infrastructure_ecs_cluster_service"]].arn] : []
 )))
 }
- )}
+ )}${length(each.value["custom_kms_key_policy_statements"]) != 0 ? ",${trim(jsonencode(each.value["custom_kms_key_policy_statements"]), "[]")}" : ""}
 ]
 EOT
 }
diff --git a/s3-custom-buckets.tf b/s3-custom-buckets.tf
index dcc8944..045c493 100644
--- a/s3-custom-buckets.tf
+++ b/s3-custom-buckets.tf
@@ -27,7 +27,7 @@ resource "aws_s3_bucket_policy" "custom" {
 [for k, v in local.custom_s3_buckets : aws_cloudfront_distribution.infrastructure_ecs_cluster_service_cloudfront[v["cloudfront_infrastructure_ecs_cluster_service"]].arn if v["cloudfront_infrastructure_ecs_cluster_service"] != null]
 )))
 }
- )}
+ )}${length(each.value["custom_bucket_policy_statements"]) != 0 ? ",${trim(jsonencode(each.value["custom_bucket_policy_statements"]), "[]")}" : ""}
 ]
 EOT
 }
diff --git a/variables.tf b/variables.tf
index f7613f5..ce9cf9c 100644
--- a/variables.tf
+++ b/variables.tf
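Review bot: The statements appended on the new `)}${length(each.value["custom_kms_key_policy_statements"]) ...}` line are spliced into the key policy verbatim, and nothing in this resource rejects an `Allow` statement whose `Principal` is `{ AWS = "*" }` or whose `Action` is `kms:*`; KMS has no equivalent of the S3 public access block, so such a statement would make this bucket's key usable from any AWS account. A `lifecycle { precondition {} }` on the resource, e.g. `condition = alltrue([for s in each.value["custom_kms_key_policy_statements"] : !(s.Effect == "Allow" && contains(flatten(values(s.Principal)), "*"))])`, would fail the plan before the policy reaches KMS. Separately, `Condition` defaults to `{}` in the variable type, so every custom statement is serialised with `"Condition":{}`; I would confirm KMS accepts an empty condition block and otherwise drop the key when it is empty. The policy heredoc starts before this hunk, so the full document is not visible here.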
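Review bot: The new `custom_bucket_policy_statements` splice accepts any statement as-is, so a caller can add `Effect = "Allow"` with `Principal = { AWS = "*" }` on `s3:GetObject` and turn a bucket the README describes as private into a public one. If the module's public access block sets `block_public_policy`/`restrict_public_buckets` (not visible in this hunk) S3 will reject that at apply time; if it does not, nothing does, and either way a `precondition` on `aws_s3_bucket_policy.custom` rejecting wildcard principals in `Allow` statements would give a clearer failure at plan time. The `trim(jsonencode(...), "[]")` idiom also deserves a comment such as `# strip the outer list brackets so the custom statements join the existing Statement array`, since it silently relies on the encoded list's first and last characters being `[` and `]`. The policy heredoc begins before this hunk.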
@@ -846,23 +846,39 @@ variable "custom_s3_buckets" {
 {
 bucket-name = {
 create_dedicated_kms_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts.
+ custom_kms_key_policy_statements: Conditionally add a list of user-defined key policy statements
 transition_to_ia_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days
 transition_to_glacier_days: Conditionally transition objects to 'Glacier' storage in N days
 cloudfront_dedicated_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket.
 cloudfront_s3_root: Sets the S3 document root when being served from CloudFront. By default this will be '/'. If `cloudfront_infrastructure_ecs_cluster_service_path` has been set, this helps by modifying the request from `/sub-directory-path` to `/` by use of a CloudFront function.
 cloudfront_infrastructure_ecs_cluster_service: Conditionally create an Origin on a CloudFront distribution that is serving the given Infrastructure ECS Cluster Service name
 cloudfront_infrastructure_ecs_cluster_service_path: If `cloudfront_infrastructure_ecs_cluster_service`, set this to the path that objects will be served from.
+ custom_bucket_policy_statements: Conditionally add a list of user-defined bucket policy statements
 }
 }
 EOT
 type = map(object({
- create_dedicated_kms_key = optional(bool, null)
+ create_dedicated_kms_key = optional(bool, null)
+ custom_kms_key_policy_statements = optional(list(object({
+ Effect = string,
+ Principal = map(any),
+ Action = string,
+ Resource = string,
+ Condition = optional(map(any), {})
+ })), [])
 transition_to_ia_days = optional(number, null)
 transition_to_glacier_days = optional(number, null)
 cloudfront_dedicated_distribution = optional(bool, null)
 cloudfront_s3_root = optional(string, null)
 cloudfront_infrastructure_ecs_cluster_service = optional(string, null)
 cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)
+ custom_bucket_policy_statements = optional(list(object({
+ Effect = string,
+ Principal = map(any),
+ Action = string,
+ Resource = string,
+ Condition = optional(map(any), {})
+ })), [])
 }))
 }
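Review bot: The object types added for `custom_kms_key_policy_statements` and `custom_bucket_policy_statements` declare `Action = string` and `Resource = string`, so the common statement shape with a list of actions or resources (`Action = ["s3:GetObject", "s3:ListBucket"]`) is rejected at plan time, and `Sid`, `NotPrincipal`, `NotAction` and `NotResource` cannot be expressed at all; if single values are intentional the description should say so, otherwise `any` is the more honest type for those two attributes. The new description lines also do not say that these statements are inserted verbatim into the key and bucket policies with no checks; I would extend each with `(appended verbatim to the policy; must not Allow a wildcard Principal)` and back that with a `validation` block on the variable, shown below. The `description = <<EOT` line of the variable precedes this hunk.
```hcl
  # … unchanged: description and type …
  validation {
    condition = alltrue(flatten([
      for b in var.custom_s3_buckets : [
        for s in concat(b.custom_kms_key_policy_statements, b.custom_bucket_policy_statements) :
        !(s.Effect == "Allow" && contains(flatten(values(s.Principal)), "*"))
      ]
    ]))
    error_message = "custom_kms_key_policy_statements and custom_bucket_policy_statements must not Allow a wildcard Principal."
  }
```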
create_dedicated_kms_key = optional(bool, null)
custom_kms_key_policy_statements = optional(list(object({
Effect = string,
Principal = map(any),
Action = string,
Resource = string,
Condition = optional(map(any), {})
})), [])
transition_to_ia_days = optional(number, null)
transition_to_glacier_days = optional(number, null)
cloudfront_dedicated_distribution = optional(bool, null)
cloudfront_s3_root = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)
custom_bucket_policy_statements = optional(list(object({
Effect = string,
Principal = map(any),
Action = string,
Resource = string,
Condition = optional(map(any), {})
})), [])
}))