add support for granting additional roles access to bucket (#10)

turnerlabs · Jul 30, 2020 · 7a2ef5a · 7a2ef5a
1 parent 534c0d7
commit 7a2ef5a
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 8 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright 2017 Turner
+Copyright 2017-2020 Turner/WarnerMedia, a division of AT&T
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/main.tf b/main.tf
@@ -4,10 +4,16 @@
  * Useful for creating a common bucket naming convention and attaching a bucket policy using the specified role.
  */
 
-# the role that will be used to access the tf remote state
+# the primary role that will be used to access the tf remote state
 variable "role" {
 }
 
+# additional roles that should be granted access to the tfstate
+variable "additional_roles" {
+  type = list
+  default = []
+}
+
 # the application that will be using this remote state
 variable "application" {
 }
@@ -63,6 +69,11 @@ data "aws_iam_role" "role" {
   name = var.role
 }
 
+data "aws_iam_role" "additional_roles" {
+  for_each = toset(var.additional_roles)
+  name = each.key
+}
+
 # grant the role access to the bucket
 resource "aws_s3_bucket_policy" "bucket_policy" {
   bucket = aws_s3_bucket.bucket.id
@@ -74,7 +85,12 @@ resource "aws_s3_bucket_policy" "bucket_policy" {
     {
       "Effect": "Allow",
       "Principal":{
-        "AWS": "${data.aws_iam_role.role.arn}"
+        "AWS": [
+               %{ for r in data.aws_iam_role.additional_roles }
+                  "${r.arn}",
+               %{ endfor }
+               "${data.aws_iam_role.role.arn}"
+               ]
       },
       "Action": [ "s3:*" ],
       "Resource": [

diff --git a/readme.md b/readme.md
@@ -10,10 +10,11 @@ Useful for creating a common bucket naming convention and attaching a bucket pol
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | application | the application that will be using this remote state | string | - | yes |
-| multipart_days |  | string | `3` | no |
-| multipart_delete | incomplete multipart upload deletion | string | `true` | no |
-| role | the role that will be used to access the tf remote state | string | - | yes |
-| tags | tags | map | - | yes |
+| multipart\_days |  | string | `3` | no |
+| multipart\_delete | incomplete multipart upload deletion | string | `true` | no |
+| role | the primary role that will be used to access the tf remote state | string | - | yes |
+| additional\_roles | additional roles that will be granted access to the remote state | list of strings | \[] | no |
+| tags | tags to apply the created S3 bucket | map | - | yes |
 
 ## Outputs
 
@@ -33,7 +34,7 @@ provider "aws" {
 }
 
 module "tf_remote_state" {
-  source = "github.com/turnerlabs/terraform-remote-state?ref=v3.0.0"
+  source = "github.com/turnerlabs/terraform-remote-state?ref=v3.1.0"
 
   role          = "aws-ent-prod-devops"
   application   = "my-test-app"