From b90b15277d8dc0f97c21898915109c54c697d0fd Mon Sep 17 00:00:00 2001
From: Joeri Malmberg
Date: Wed, 28 Dec 2022 12:26:20 +0100
Subject: [PATCH] Updated default bucket actions, added the options to specify more statements on the kms key policy, updated linting configuration.
---
 .tflint.hcl | 2 +-
 README.md | 4 +++-
 data.tf | 22 +---------------------
 kms.tf | 18 ++++++++++++++++++
 variables.tf | 16 +++++++++++++++-
 5 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/.tflint.hcl b/.tflint.hcl
index 1c611c9..5fb3e69 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -4,7 +4,7 @@ config {
 plugin "aws" {
   enabled = true
-  version = "0.14.0"
+  version = "0.20.0"
   source = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/README.md b/README.md
index 695cc71..85aae77 100644
--- a/README.md
+++ b/README.md
@@ -41,15 +41,17 @@
 | [acl](#input\_acl) | Bucket ACL | `string` | `"private"` | no | | [attach\_elb\_log\_delivery\_policy](#input\_attach\_elb\_log\_delivery\_policy) | Attach ELB log delivery policy | `bool` | `false` | no | | [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Attach LB log delivery policy | `bool` | `false` | no | -| [bucket\_actions](#input\_bucket\_actions) | List of bucket actions that the principals are allowed to execute. | `list(string)` | `[]` | no | +| [bucket\_actions](#input\_bucket\_actions) | List of bucket actions that the principals are allowed to execute. | `list(string)` |
[
"s3:ListBucket"
]
| no | | [bucket\_prefix](#input\_bucket\_prefix) | Instead of a bucket name we use a bucket-prefix, also used for KMS key alias prefix. | `string` | n/a | yes | | [encrypt\_with\_aws\_managed\_keys](#input\_encrypt\_with\_aws\_managed\_keys) | Encrypt the data with a KMS key | `bool` | `false` | no | | [iam\_principals](#input\_iam\_principals) | List of IAM principals that can access the bucket. | `list(string)` | `[]` | no | | [kms\_actions](#input\_kms\_actions) | List of KMS key actions that the principals are allowed to execute. | `list(string)` |
[
"kms:GenerateDataKey*"
]
| no | +| [kms\_key\_policy\_statements](#input\_kms\_key\_policy\_statements) | (Optional) Additional KMS key policy statements to add. |
list(object({
sid : string
effect : string
actions : list(string)
principals : list(object({
type : string
identifiers : list(string)
}))
}))
| `[]` | no | | [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` |
[
{
"enabled": true,
"id": "lifecycle-rule-1",
"noncurrent_version_expiration": {
"days": 90
},
"transition": [
{
"days": 30,
"storage_class": "ONEZONE_IA"
},
{
"days": 60,
"storage_class": "GLACIER"
}
]
}
]
| no | | [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no | | [object\_actions](#input\_object\_actions) | List of object actions that the principals are allowed to execute. | `list(string)` |
[
"s3:PutObject"
]
| no | | [purpose](#input\_purpose) | Purpose for the bucket and KMS key, used in the description fields. | `string` | n/a | yes | +| [replication\_configuration](#input\_replication\_configuration) | Map containing cross-region replication configuration. | `any` | `{}` | no | | [service\_principals](#input\_service\_principals) | List of service principals that can access the bucket. | `list(string)` | `[]` | no | | [versioning](#input\_versioning) | Object versioning | `bool` | `true` | no |
diff --git a/data.tf b/data.tf
index c2935cf..df143ed 100644
--- a/data.tf
+++ b/data.tf
@@ -1,25 +1,5 @@
 locals {
   account_id = data.aws_caller_identity.current.account_id
-  # iam_principals_bucket_actions = compact(flatten([
-  #   for principal in var.iam_principals : [
-  #     for action in var.bucket_actions : principal
-  #   ]
-  # ]))
-  # service_principals_bucket_actions = compact(flatten([
-  #   for principal in var.service_principals : [
-  #     for action in var.bucket_actions : principal
-  #   ]
-  # ]))
-  # iam_principals_object_actions = compact(flatten([
-  #   for principal in var.iam_principals : [
-  #     for action in var.object_actions : principal
-  #   ]
-  # ]))
-  # service_principals_object_actions = compact(flatten([
-  #   for principal in var.service_principals : [
-  #     for action in var.object_actions : principal
-  #   ]
-  # ]))
 }
 data "aws_caller_identity" "current" {}
@@ -39,7 +19,7 @@ data "aws_iam_policy_document" "elb_log_delivery" {
     principals {
       type = "AWS"
-      identifiers = data.aws_elb_service_account.this.*.arn
+      identifiers = data.aws_elb_service_account.this[*].arn
     }
   }
 }
diff --git a/kms.tf b/kms.tf
index ac5f964..caf481d 100644
--- a/kms.tf
+++ b/kms.tf
@@ -8,6 +8,24 @@ data "aws_iam_policy_document" "kms" {
       identifiers = ["arn:aws:iam::${local.account_id}:root"]
     }
   }
+
+  dynamic "statement" {
+    for_each = { for statement in var.kms_key_policy_statements : statement.sid => statement }
+    content {
+      sid = statement.value.sid
+      effect = try(statement.value.effect, "Allow")
+      actions = try(statement.value.actions, [])
+      resources = ["*"]
+      dynamic "principals" {
+        for_each = { for principal in try(statement.value.principals, []) : jsonencode(principal) => principal }
+        content {
+          type = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+    }
+  }
+
   dynamic "statement" {
     for_each = { for principal in var.service_principals : principal => principal }
     content {
diff --git a/variables.tf b/variables.tf
index f3be64c..4bbec27 100644
--- a/variables.tf
+++ b/variables.tf
@@ -23,7 +23,7 @@ variable "object_actions" {
 variable "bucket_actions" {
   type = list(string)
-  default = []
+  default = ["s3:ListBucket"]
   description = "List of bucket actions that the principals are allowed to execute."
 }
@@ -102,3 +102,17 @@ variable "replication_configuration" {
   type = any
   default = {}
 }
+
+variable "kms_key_policy_statements" {
+  type = list(object({
+    sid : string
+    effect : string
+    actions : list(string)
+    principals : list(object({
+      type : string
+      identifiers : list(string)
+    }))
+  }))
+  default = []
+  description = "(Optional) Additional KMS key policy statements to add."
+}
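Review bot: In the added `dynamic "statement"` block the `try(statement.value.effect, "Allow")` and `try(statement.value.actions, [])` fallbacks can never fire, because the variable's object type declares `effect` and `actions` as required attributes, so a caller who omits them fails type-checking before any default applies; either mark those attributes `optional()` in the type (if the module's Terraform version constraint allows it) or write `effect = statement.value.effect` and `actions = statement.value.actions` so the policy reads as what it actually enforces. The same applies to `try(statement.value.principals, [])` in the inner `for_each`. The block also exposes no `condition` support, so every injected grant is unconditional for the listed principals and cannot be narrowed with the usual key-policy conditions; that limitation is worth stating in the variable description or addressing in a follow-up. `data "aws_iam_policy_document" "kms"` begins outside the hunk.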
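Review bot: Changing the `bucket_actions` default from `[]` to `["s3:ListBucket"]` widens what existing consumers grant: a module user who left the variable unset and relied on principals receiving no bucket-level actions will, on the next apply, grant `s3:ListBucket` to the principals this module attaches bucket actions to (presumably the `iam_principals` and `service_principals` inputs, judging by the removed locals in data.tf). The description should make the default explicit, e.g. `description = "List of bucket actions that the principals are allowed to execute. Defaults to s3:ListBucket; pass [] to grant none."`, and the permission-widening default deserves a call-out in the release notes rather than a silent bump. The `variable "bucket_actions"` block is complete within the hunk.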
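Review bot: `kms_key_policy_statements` is merged into the key policy verbatim, so nothing stops a statement whose principal identifiers contain `"*"` from making the key usable from any AWS account — exactly the exposure the module's own principal-scoped statements avoid — and an `effect` outside Allow/Deny is only caught later by the provider at plan time. A `validation` block on the variable surfaces both at `terraform validate` time and keeps the module's least-privilege defaults intact; the one below rejects wildcard identifiers and non-Allow/Deny effects. The description should also state that these statements are appended as-is and are not scoped by `iam_principals`, `service_principals`, or `kms_actions`.
```hcl
variable "kms_key_policy_statements" {
  # … unchanged: type, default, description …

  validation {
    condition = alltrue([
      for s in var.kms_key_policy_statements :
      contains(["Allow", "Deny"], s.effect) &&
      alltrue([for p in s.principals : !contains(p.identifiers, "*")])
    ])
    error_message = "Each KMS key policy statement must use effect Allow or Deny and must not grant to the wildcard principal \"*\"."
  }
}
```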