cloudposse / terraform-aws-tfstate-backend

Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file, preventing concurrent modifications and state corruption.
https://cloudposse.com/accelerate
Apache License 2.0

Custom bucket policy statements #158

Closed feraudet closed 9 months ago

feraudet commented 9 months ago

what

Add the ability to include custom bucket policy statements

why

Sometimes we need to allow someone else to access tfstates. Ex: allow the entire org to access some states

Gowiem commented 9 months ago

@feraudet thanks for the contribution, but I believe this is possible via the source_policy_documents variable. Please check that out, try it out within your own project, and then report back and reopen if needed. If there is a need here, we're happy to look into it, but I believe this is already accounted for. Thanks!

feraudet commented 9 months ago

Hello, as far as I understand, source_policy_documents only allows overriding existing policies, not adding policies.

If you have a look at https://github.com/cloudposse/terraform-aws-tfstate-backend/blob/main/main.tf#L60, it uses override_policy_documents from data.aws_iam_policy_document.aggregated_policy, which only allows overriding existing statements.

feraudet commented 9 months ago

I think you're right; according to the documentation, using a blank Sid allows adding policies.

Gowiem commented 9 months ago

@feraudet yeah and it is confusing due to the terminology, so it makes sense to not get it at first. Try it out and let me know how it goes!
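The merge rule the thread settles on is the one documented for `aws_iam_policy_document`: a statement whose `sid` matches one in `override_policy_documents` is replaced by it, while a statement with a blank (or non-colliding) `sid` is appended to the exported document. The following is an added example, not code from this module or from either commenter. It assumes, as the thread describes, that the module passes `var.source_policy_documents` into the `source_policy_documents` of `data.aws_iam_policy_document.aggregated_policy` and keeps its own statements in `override_policy_documents`; the registry source string follows the Cloud Posse naming convention, and the bucket name, key prefix and Organization ID are placeholders.

```hcl
# Added example; not part of cloudposse/terraform-aws-tfstate-backend.
# Assumes var.source_policy_documents is wired to source_policy_documents of
# the module's aggregated data.aws_iam_policy_document, with the module's own
# statements supplied via override_policy_documents.

# The sid is deliberately left blank. A blank sid cannot collide with any sid
# the module already uses, so the merge appends this statement instead of
# replacing one of the module's (e.g. a statement that enforces TLS).
data "aws_iam_policy_document" "org_read_shared_states" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject"]

    # Placeholder bucket name and prefix: scope the grant to the states that
    # are actually meant to be shared, never the whole bucket. Terraform state
    # holds secrets in plaintext.
    resources = ["arn:aws:s3:::eg-prod-terraform-state/shared/*"]

    # "*" on its own would make the objects world-readable; the condition
    # below narrows it to principals that belong to this AWS Organization.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-xxxxxxxxxx"] # placeholder Organization ID
    }
  }
}

module "tfstate_backend" {
  source  = "cloudposse/tfstate-backend/aws"
  # version = "x.y.z"  # pin the module version in real use

  namespace = "eg"
  stage     = "prod"
  name      = "terraform"

  # Passed through to source_policy_documents; the module's own statements,
  # carried in override_policy_documents, win on any sid collision.
  source_policy_documents = [
    data.aws_iam_policy_document.org_read_shared_states.json,
  ]
}
```

Two checks are worth doing before relying on this. First, if you do give the statement a `sid`, make sure it does not match a `sid` in the module's own statements; a match silently replaces the module's statement rather than adding to it, which can weaken the bucket policy. Second, after `terraform plan` (or `aws s3api get-bucket-policy` once applied), confirm that the rendered policy still contains the module's original statements and that your added statement carries the `aws:PrincipalOrgID` condition, since a missing condition with `"AWS": "*"` would expose the state objects to any AWS principal.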