One thing to make clearer: this module is a little confusing, but it's mostly advanced IAM features doing that. Here's another way of saying it:

I guess the other way to describe the difference here is that the s3-bucket-policy-full-access creates a policy which is attached to the S3 bucket and defines some list of IAM principals which can access the bucket. The iam-full-access, on the other hand, creates policies (two of them, one requiring MFA and one not) that can be associated with IAM users/roles and used to provide access that way.
Requirements

- [ ] Rename the resources: s3-full-access to s3-bucket-policy-full-access, and bucket-full-access to iam-policy-full-access.
- [ ] There are 3 pairs of IAM data sources and resources; move each to its own module.
- [ ] Update this module to use those new IAM modules.
- [ ] Add a boolean variable for each of the 3 IAM policies the module creates (which enables/disables the policies from being created), passing those to the new IAM modules.
- [ ] Review / update the module docs for clarity and to explain how this module works.

See for reference: https://github.com/fpco/terraform-aws-foundation/blob/0d3d60f6989ad74149b5957150e83e915128ddd7/modules/s3-remote-state/main.tf
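As an added sketch (not code from terraform-aws-foundation) of the two mechanisms the issue contrasts and the per-policy toggles it asks for: a bucket policy that names the admitted principals, beside two identity policies (plain and MFA-conditioned) each guarded by its own boolean. Variable and resource names are assumptions, and the `for_each` over "plain"/"mfa" is a compact stand-in for the module's two separate IAM resources.

```hcl
# Added example, not the module's own code; the variable and resource names
# are assumptions chosen to illustrate the restructuring described above.
variable "bucket_name"           { type = string }
variable "principal_arns"        { type = list(string) } # admitted by bucket policy
variable "create_bucket_policy"  { type = bool }         # one toggle per policy
variable "create_iam_policy"     { type = bool }
variable "create_iam_policy_mfa" { type = bool }

locals {
  bucket_arns = ["arn:aws:s3:::${var.bucket_name}", "arn:aws:s3:::${var.bucket_name}/*"]
}

# s3-bucket-policy-full-access: a resource policy on the bucket itself that
# lists the principals allowed in; nothing is attached to those principals.
data "aws_iam_policy_document" "bucket" {
  statement {
    actions   = ["s3:*"]
    resources = local.bucket_arns
    principals {
      type        = "AWS"
      identifiers = var.principal_arns
    }
  }
}

resource "aws_s3_bucket_policy" "full_access" {
  count  = var.create_bucket_policy ? 1 : 0
  bucket = var.bucket_name
  policy = data.aws_iam_policy_document.bucket.json
}

# iam-policy-full-access: identity policies attached to users/roles later.
# The "mfa" variant adds a condition so the grant only applies to MFA sessions.
data "aws_iam_policy_document" "iam" {
  for_each = toset(["plain", "mfa"])
  statement {
    actions   = ["s3:*"]
    resources = local.bucket_arns
    dynamic "condition" {
      for_each = each.key == "mfa" ? [1] : []
      content {
        test     = "Bool"
        variable = "aws:MultiFactorAuthPresent"
        values   = ["true"]
      }
    }
  }
}

resource "aws_iam_policy" "full_access" {
  for_each = { for k, enabled in { plain = var.create_iam_policy, mfa = var.create_iam_policy_mfa } : k => enabled if enabled }
  name     = "${var.bucket_name}-full-access-${each.key}"
  policy   = data.aws_iam_policy_document.iam[each.key].json
}
```

Setting any of the three booleans to false removes only that policy from the plan; the bucket policy and the identity policies are otherwise independent, which is the distinction the issue is trying to make clear.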