Optional customer_principal and producer_iamroles in apiary managed bucket policies. (#159)

* optional customer account and producer iam roles

* fix sns policy

* update changelog

* Update CHANGELOG.md

Co-authored-by: Adrian Woodhead <awoodhead@expediagroup.com>

Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>
Co-authored-by: Adrian Woodhead <awoodhead@expediagroup.com>

Author: 3 people

CHANGELOG.md

@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.2.1] - 2020-05-27
+### Changed
+- Optional `customer_principal` and `producer_iamroles` in Apiary managed bucket policies.
+
 ## [6.2.0] - 2020-05-11
 ### Added
 - Variable to deny IAM roles access to Apiary managed S3 buckets.

VARIABLES.md

@@ -5,7 +5,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | apiary_assume_roles | List of maps - each map describes an IAM role that can be assumed in this account to write data into the configured list of schemas. See section [`apiary_assume_roles`](#apiary_assume_roles) for more info. | list(map) | - | no |
-| apiary_customer_accounts | AWS account IDs for clients of this Metastore. | list | - | yes |
+| apiary_customer_accounts | AWS account IDs for clients of this Metastore. | list | - | no |
 | apiary_database_name | Database name to create in RDS for Apiary. | string | `apiary` | no |
 | apiary_deny_roles | AWS IAM roles denied access to Apiary managed S3 buckets. | list | - | yes |
 | apiary_domain_name | Apiary domain name for Route 53. | string | `` | no |

s3.tf

@@ -17,11 +17,10 @@ data "template_file" "bucket_policy" {
   vars = {
     #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
     customer_principal = "${length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key) ?
-      join("\",\"", formatlist("arn:aws:iam::%s:root", var.apiary_customer_accounts)) :
-    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"}"
+    join("\",\"", formatlist("arn:aws:iam::%s:root", var.apiary_customer_accounts)) : ""}"
 
     bucket_name       = each.value["data_bucket"]
-    producer_iamroles = "${replace(lookup(var.apiary_producer_iamroles, each.key, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"), ",", "\",\"")}"
+    producer_iamroles = replace(lookup(var.apiary_producer_iamroles, each.key, ""), ",", "\",\"")
     deny_iamroles     = join("\",\"", var.apiary_deny_iamroles)
   }
 }

sns.tf

@@ -12,13 +12,13 @@ resource "aws_sns_topic" "apiary_metadata_events" {
   count = var.enable_metadata_events ? 1 : 0
   name  = "${local.instance_alias}-metadata-events"
 
-  policy = <<POLICY
+  policy = length(var.apiary_customer_accounts) == 0 ? null : <<POLICY
 {
     "Version":"2012-10-17",
     "Statement":[{
         "Effect": "Allow",
         "Principal": {
-            "AWS": [ "${join("\",\"", formatlist("arn:aws:iam::%s:root",var.apiary_customer_accounts))}" ]
+            "AWS": [ "${join("\",\"", formatlist("arn:aws:iam::%s:root", var.apiary_customer_accounts))}" ]
         },
         "Action": [ "SNS:Subscribe", "SNS:Receive" ],
         "Resource": "arn:aws:sns:*:*:${local.instance_alias}-metadata-events"
@@ -31,7 +31,7 @@ resource "aws_sns_topic" "apiary_data_events" {
   for_each = var.enable_data_events ? {
     for schema in local.schemas_info : "${schema["schema_name"]}" => schema if lookup(schema, "enable_data_events_sqs", "0") == "0"
   } : {}
-  name  = "${local.instance_alias}-${each.value["resource_suffix"]}-data-events"
+  name = "${local.instance_alias}-${each.value["resource_suffix"]}-data-events"
 
   policy = <<POLICY
 {
@@ -51,7 +51,7 @@ POLICY
 
 resource "aws_sqs_queue" "apiary_data_event_queue" {
   count = local.create_sqs_data_event_queue ? 1 : 0
-  name = "${local.instance_alias}-data-event-queue"
+  name  = "${local.instance_alias}-data-event-queue"
 
   policy = <<POLICY
 {

templates/apiary_bucket_policy.json

@@ -2,6 +2,7 @@
     "Version": "2012-10-17",
     "Id": "MyPolicyID",
     "Statement": [
+%{if customer_principal != ""}
         {
             "Sid": "Apiary customer account permissions",
             "Effect": "Allow",
@@ -18,6 +19,7 @@
                 "arn:aws:s3:::${bucket_name}/*"
             ]
         },
+%{endif}
 %{if deny_iamroles != ""}
         {
             "Sid": "Local role deny permissions",
@@ -32,6 +34,7 @@
             }
         },
 %{endif}
+%{if producer_iamroles != ""}
         {
             "Sid": "Apiary producer iamrole permissions",
             "Effect": "Allow",
@@ -68,6 +71,7 @@
                 "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
             }
         },
+%{endif}
         {
             "Sid": "DenyUnSecureCommunications",
             "Effect": "Deny",

variables.tf

@@ -92,7 +92,8 @@ variable "external_database_host" {
 
 variable "apiary_customer_accounts" {
   description = "AWS account IDs for clients of this Metastore."
-  type        = list(any)
+  type        = list(string)
+  default     = []
 }
 
 variable "apiary_deny_iamroles" {