1
votes

I'm using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and related IAM users.

This works fine:

module "my_bucket" {
  source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"

  bucket_name = "my-bucket"

  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}

Now I want to fix the default policy of the S3 bucket created by this module.

terraform show shows me this:

module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id = my-bucket
  bucket = my-bucket
  policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

How should I modify my .tf to have another policy?

Why are you using that module? It looks pretty useless for anyone other than the original user's intention and is pointless to open source. The bucket policy is a bad idea too. Instead the user/role should have the ability to access a completely private bucket via IAM permissions rather than this outdated and confusing way of approaching it. - ydaetskcoR

It's easier for me to use that module instead of creating buckets, users and IAM manually. I need a modified bucket policy to have all objects public: it's a directory of images. The IAM user needs only to upload. - George Livanoss

2 Answers

1
votes

I agree with @ydaetskcoR's opinion on your idea. But if you insist on doing it via bucket policy, you can copy the module into your repo directly and adjust the resource aws_s3_bucket_policy for your environment.

# Copied from the module; edit the Statement below for your environment.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = "${aws_s3_bucket.bucket.id}"

  # Inline JSON policy document (Terraform 0.11-style interpolation).
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.user.arn}"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
EOF
}
0
votes

I like using IAM roles. If using Kubernetes, for example, you could have an IAM role assigned to your pod.

A basic example below shows how to give read permissions to S3 buckets. Values are hardcoded for simplicity, but it is best to use suitable variables.

# Inline policy attached to an existing role; the document is rendered to JSON
# by the data source below.
resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

# Read-only access: object reads on the object ARNs, listing on the bucket ARNs.
data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::my-bucket-2/*",
    ]
  }
}

You could do a targeted plan as follows:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

Which would output:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::my-bucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
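Putting the two answers together for the asker's case (public-read images, upload-only user), here is an added example that is not code from the question, the turnerlabs module or either answer. It assumes the copied module's aws_s3_bucket.bucket and aws_iam_user.user resources referenced in the first answer, and Terraform 0.12+ syntax; the upload grant follows the second answer's IAM-side approach instead of the module's s3:* bucket policy.

```hcl
# Added example; assumes aws_s3_bucket.bucket and aws_iam_user.user from the
# copied module (first answer) and Terraform 0.12+ syntax.

# Anonymous read of objects only; no s3:ListBucket, so the key listing stays private.
data "aws_iam_policy_document" "public_read_objects" {
  statement {
    sid       = "PublicReadObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

# S3 rejects a public bucket policy while block_public_policy is true, so it is
# relaxed deliberately; ACL blocking stays on because access comes from policy.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket     = aws_s3_bucket.bucket.id
  policy     = data.aws_iam_policy_document.public_read_objects.json
  depends_on = [aws_s3_bucket_public_access_block.bucket]
}

# Uploader gets only s3:PutObject on objects, granted through IAM on the user
# (as the comment and second answer recommend) instead of s3:* in the bucket policy.
data "aws_iam_policy_document" "upload_only" {
  statement {
    sid       = "UploadOnly"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }
}

resource "aws_iam_user_policy" "upload_only" {
  name   = "upload-only"
  user   = aws_iam_user.user.name
  policy = data.aws_iam_policy_document.upload_only.json
}
```

A `terraform plan` should show the bucket policy with a single `s3:GetObject` statement and the user policy with a single `s3:PutObject` statement; if either shows `s3:*`, the module's original policy is still being applied alongside this one.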