Feature/perschema customers (#179)

* option to override customer accounts per schema * fix * update changelog * update readme Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Nov 10, 2020 · 92e7287 · 92e7287
1 parent 793b07d
commit 92e7287
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.7.0] - 2020-11-09
+### Added
+- Support to override customer accounts per managed schema.
+
 ## [6.6.1] - 2020-11-06
 ### Added
 - Add managed_database_host output.

diff --git a/README.md b/README.md
@@ -55,6 +55,7 @@ module "apiary" {
         encryption   = "aws:kms" //supported values for encryption are AES256,aws:kms
         admin_roles = "role1_arn,role2_arn" //kms key management will be restricted to these roles.
         client_roles = "role3_arn,role4_arn" //s3 bucket read/write and kms key usage will be restricted to these roles.
+        customer_accounts = "account_id1,account_id2" //this will override module level apiary_customer_accounts
     }
   ]
   apiary_customer_accounts = ["aws_account_no_1", "aws_account_no_2"]

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -119,6 +119,7 @@ apiary_managed_schemas = [
    encryption   = "aws:kms" //supported values for encryption are AES256,aws:kms
    admin_roles = "role1_arn,role2_arn" //kms key management will be restricted to these roles.
    client_roles = "role3_arn,role4_arn" //s3 bucket read/write and kms key usage will be restricted to these roles.
+   customer_accounts = "account_id1,account_id2" //this will override module level apiary_customer_accounts
   }
 ]
 ```

diff --git a/common.tf b/common.tf
@@ -18,6 +18,7 @@ locals {
         encryption : lookup(schema, "encryption", "AES256"),
         resource_suffix : replace(schema["schema_name"], "_", "-"),
         data_bucket : "${local.apiary_bucket_prefix}-${replace(schema["schema_name"], "_", "-")}"
+        customer_accounts : lookup(schema, "customer_accounts", join(",", var.apiary_customer_accounts))
       },
     schema)
   ]

diff --git a/s3.tf b/s3.tf
@@ -17,7 +17,7 @@ data "template_file" "bucket_policy" {
   vars = {
     #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
     customer_principal = "${length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key) ?
-    join("\",\"", formatlist("arn:aws:iam::%s:root", var.apiary_customer_accounts)) : ""}"
+    join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""}"
 
     bucket_name       = each.value["data_bucket"]
     encryption        = each.value["encryption"]