Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License
1.14k stars, 371 forks
Allow `aws_s3_bucket_policy` to be optionally applied or take on additional external policies #327
Is your feature request related to a problem? Please describe.
Currently if an external user wishes to add additional bucket policies to the audit + access log buckets under this module, the only way is to set `var.use_external_audit_log_bucket` to `true`, which then disables most of the conveniences and requires the user to copy out the changes from this module to the external site.
This is because resource aws_s3_bucket_policy doesn't allow multiple parts applied at different times and sources, and only the last applied one takes full precedence.
Describe the solution you'd like
Allow variables to include flags to disable creating `resource "aws_s3_bucket_policy" "audit_log"` and/or `resource "aws_s3_bucket_policy" "access_log_policy"`. And provide their respective policies as `output` for the external caller to use instead.
Describe alternatives you've considered
Allow optional additional policy JSON to be passed in for `resource "aws_s3_bucket_policy" "audit_log"` and/or `resource "aws_s3_bucket_policy" "access_log_policy"` to be incorporated.
The alternative is good in that the module always gets to ensure the baseline bucket policy is enforced, though bad in that the external caller has less flexibility to finally create `resource "aws_s3_bucket_policy"` at the most appropriate juncture.
Additional context
Nil
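As an added illustration (not code from the issue author or from the module itself), the following Terraform sketch shows how a module could support both ideas raised in the request for the audit log bucket: a flag that skips creating `aws_s3_bucket_policy` and exports the policy document instead, and an optional caller-supplied JSON document that is merged into the baseline policy. The variable names `create_audit_log_bucket_policy` and `additional_audit_log_policy_json`, the output name and the bucket variable are hypothetical; the baseline statements are the usual TLS-only and CloudTrail delivery rules and are constructed here for the example.

```hcl
# Added example, not part of the module. Variable, data source and output
# names are hypothetical.

variable "audit_log_bucket_name" {
  type = string
}

variable "create_audit_log_bucket_policy" {
  description = "When false the module attaches no bucket policy; the caller attaches the exported document itself."
  type        = bool
  default     = true
}

variable "additional_audit_log_policy_json" {
  description = "Optional extra IAM policy document (JSON) merged after the baseline statements."
  type        = string
  default     = null
}

locals {
  bucket_arn = "arn:aws:s3:::${var.audit_log_bucket_name}"
}

# Baseline statements the module always wants present.
data "aws_iam_policy_document" "audit_log_baseline" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [local.bucket_arn, "${local.bucket_arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  statement {
    sid     = "AWSCloudTrailAclCheck"
    actions = ["s3:GetBucketAcl"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    resources = [local.bucket_arn]
  }

  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    resources = ["${local.bucket_arn}/*"]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

# Merge baseline + caller document. source_policy_documents requires unique
# sids across all documents, so a caller statement cannot silently replace a
# baseline statement by reusing its sid (override_policy_documents would allow
# that, which is why it is not used here).
data "aws_iam_policy_document" "audit_log" {
  source_policy_documents = concat(
    [data.aws_iam_policy_document.audit_log_baseline.json],
    var.additional_audit_log_policy_json == null ? [] : [var.additional_audit_log_policy_json],
  )
}

# Only one aws_s3_bucket_policy can exist per bucket, so creation is optional.
resource "aws_s3_bucket_policy" "audit_log" {
  count  = var.create_audit_log_bucket_policy ? 1 : 0
  bucket = var.audit_log_bucket_name
  policy = data.aws_iam_policy_document.audit_log.json
}

# Exported so a caller that set create_audit_log_bucket_policy = false can
# attach the same (baseline + extra) document from its own aws_s3_bucket_policy.
output "audit_log_bucket_policy_json" {
  value = data.aws_iam_policy_document.audit_log.json
}
```

A caller that needs to attach the policy at its own point in the graph sets `create_audit_log_bucket_policy = false` and feeds `module.<name>.audit_log_bucket_policy_json` into its own `aws_s3_bucket_policy`; a caller that only needs a few extra statements leaves the flag at `true` and passes `additional_audit_log_policy_json`, and the baseline TLS and CloudTrail statements stay in place either way. Because a second `aws_s3_bucket_policy` on the same bucket would overwrite the first on every apply, the two modes should be mutually exclusive in the calling configuration.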