###
# S3 bucket replication
###
locals {
  # Paths of the two IAM policy document templates rendered by the resources
  # below. Both sit in this module's iam-policies/ directory; their contents
  # are not visible in this file, so the permissions they grant have to be
  # reviewed in the JSON itself.
  assume_role_policy        = join("/", [path.module, "iam-policies", "service-assume-role-policy.json"])
  bucket_replication_policy = join("/", [path.module, "iam-policies", "bucket-replication-policy.json"])
}
resource "aws_iam_policy" "bucket_replication_policy" {
  # Managed only when replication is configured AND the caller has not supplied
  # its own role through replication_config.iam_role_arn; a caller-provided
  # role is used as-is and nothing here is created. The nested conditional
  # (instead of `&&`) means iam_role_arn is only evaluated once
  # replication_config is known to be non-null.
  count = var.replication_config == null ? 0 : (
    var.replication_config.iam_role_arn == null ? 1 : 0
  )

  name        = format("%s-bucket-replication-policy", aws_s3_bucket.bucket.id)
  description = "Minimum permissions required for ${aws_s3_bucket.bucket.id} S3 bucket replication"

  # Rendered from iam-policies/bucket-replication-policy.json (not visible
  # here). The template gets the source bucket ARN plus a JSON list of
  # destination OBJECT ARNs ("<bucket-arn>/*"), one per distinct destination
  # no matter how many rules target it.
  # NOTE(review): because only object-level destination ARNs are passed, any
  # bucket-level action the template grants on destinations would need the bare
  # bucket ARN as well — confirm against the template. Likewise confirm the
  # template keeps source-side actions scoped to source_bucket_arn rather than
  # a wildcard resource.
  policy = templatefile(local.bucket_replication_policy, {
    source_bucket_arn = aws_s3_bucket.bucket.arn
    destination_bucket_arns = jsonencode(distinct([
      for rule in var.replication_config.rules : format("%s/*", rule.destination_bucket_arn)
    ]))
  })

  tags = merge(local.common_tags, var.additional_tags_all)
}
resource "aws_iam_role" "bucket_replication_role" {
  # Same guard as the policy this role carries: created only when replication
  # is configured and the caller did not pass its own iam_role_arn.
  count = var.replication_config == null ? 0 : (
    var.replication_config.iam_role_arn == null ? 1 : 0
  )

  name        = format("%s-bucket-replication-role", aws_s3_bucket.bucket.id)
  description = "Used by the ${aws_s3_bucket.bucket.id} bucket for replication"

  # Trust policy rendered from iam-policies/service-assume-role-policy.json
  # (not visible here), with aws_service expanded to two principals: the S3
  # replication service and S3 Batch Operations (used for batch replication).
  # NOTE(review): a trust policy that names only a service principal can be
  # exercised as a confused deputy from another account; confirm the template
  # conditions sts:AssumeRole on aws:SourceAccount and/or aws:SourceArn
  # (this bucket's ARN). Also consider gating batchoperations.s3.amazonaws.com
  # on whether batch replication is actually in use, for least privilege.
  assume_role_policy = templatefile(local.assume_role_policy, {
    aws_service = jsonencode(["s3.amazonaws.com", "batchoperations.s3.amazonaws.com"])
  })

  tags = merge(local.common_tags, var.additional_tags_all)
}
resource "aws_iam_role_policy_attachment" "bucket_replication_role_attached_policy" {
  # Mirrors the guard on the role and policy it joins so that all three are
  # created (or skipped) together; a caller-supplied iam_role_arn disables it.
  count = var.replication_config == null ? 0 : (
    var.replication_config.iam_role_arn == null ? 1 : 0
  )

  policy_arn = aws_iam_policy.bucket_replication_policy[0].arn
  role       = aws_iam_role.bucket_replication_role[0].name
}