feat: add source_ip_allow_list_s3_objects

README.md

@@ -316,7 +316,8 @@ Available targets:
 | <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/>    id       = optional(string)<br/>    priority = optional(number)<br/>    prefix   = optional(string)<br/>    status   = optional(string, "Enabled")<br/>    # delete_marker_replication { status } had been flattened for convenience<br/>    delete_marker_replication_status = optional(string, "Disabled")<br/>    # Add the configuration as it appears in the resource, for consistency<br/>    # this nested version takes precedence if both are provided.<br/>    delete_marker_replication = optional(object({<br/>      status = string<br/>    }))<br/><br/>    # destination_bucket is specified here rather than inside the destination object because before optional<br/>    # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/>    # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/>    destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/>    destination = object({<br/>      bucket        = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/>      storage_class = optional(string, "STANDARD")<br/>      # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/>      replica_kms_key_id = optional(string, "")<br/>      encryption_configuration = optional(object({<br/>        replica_kms_key_id = string<br/>      }))<br/>      access_control_translation = optional(object({<br/>        owner = string<br/>      }))<br/>      # account_id is for backward compatibility, overridden by account<br/>      account_id = optional(string)<br/>      account    = optional(string)<br/>      # For convenience, specifying either metrics or replication_time enables both<br/>      metrics = optional(object({<br/>        event_threshold = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string, "Enabled")<br/>      }), { status = "Disabled" })<br/>      # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/>      # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/>      # replication_time.status = "Disabled".<br/>      replication_time = optional(object({<br/>        time = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string)<br/>      }))<br/>    })<br/><br/>    source_selection_criteria = optional(object({<br/>      replica_modifications = optional(object({<br/>        status = string # Either Enabled or Disabled<br/>      }))<br/>      sse_kms_encrypted_objects = optional(object({<br/>        status = optional(string)<br/>      }))<br/>    }))<br/>    # filter.prefix overrides top level prefix<br/>    filter = optional(object({<br/>      prefix = optional(string)<br/>      tags   = optional(map(string), {})<br/>    }))<br/>  }))</pre> | `null` | no |
 | <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
 | <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/>    enabled               = bool<br/>    expected_bucket_owner = optional(string)<br/>    payer                 = string<br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "payer": "BucketOwner"<br/>}</pre> | no |
-| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
+| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`. | `list(string)` | `[]` | no |
+| <a name="input_source_ip_allow_list_s3_objects"></a> [source\_ip\_allow\_list\_s3\_objects](#input\_source\_ip\_allow\_list\_s3\_objects) | List of IP addresses to allow to perform all s3 object actions to the bucket | `list(string)` | `[]` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | <a name="input_ssm_base_path"></a> [ssm\_base\_path](#input\_ssm\_base\_path) | The base path for SSM parameters where created IAM user's access key is stored | `string` | `"/s3_user/"` | no |

docs/terraform.md

@@ -108,7 +108,8 @@
 | <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/>    id       = optional(string)<br/>    priority = optional(number)<br/>    prefix   = optional(string)<br/>    status   = optional(string, "Enabled")<br/>    # delete_marker_replication { status } had been flattened for convenience<br/>    delete_marker_replication_status = optional(string, "Disabled")<br/>    # Add the configuration as it appears in the resource, for consistency<br/>    # this nested version takes precedence if both are provided.<br/>    delete_marker_replication = optional(object({<br/>      status = string<br/>    }))<br/><br/>    # destination_bucket is specified here rather than inside the destination object because before optional<br/>    # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/>    # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/>    destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/>    destination = object({<br/>      bucket        = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/>      storage_class = optional(string, "STANDARD")<br/>      # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/>      replica_kms_key_id = optional(string, "")<br/>      encryption_configuration = optional(object({<br/>        replica_kms_key_id = string<br/>      }))<br/>      access_control_translation = optional(object({<br/>        owner = string<br/>      }))<br/>      # account_id is for backward compatibility, overridden by account<br/>      account_id = optional(string)<br/>      account    = optional(string)<br/>      # For convenience, specifying either metrics or replication_time enables both<br/>      metrics = optional(object({<br/>        event_threshold = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string, "Enabled")<br/>      }), { status = "Disabled" })<br/>      # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/>      # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/>      # replication_time.status = "Disabled".<br/>      replication_time = optional(object({<br/>        time = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string)<br/>      }))<br/>    })<br/><br/>    source_selection_criteria = optional(object({<br/>      replica_modifications = optional(object({<br/>        status = string # Either Enabled or Disabled<br/>      }))<br/>      sse_kms_encrypted_objects = optional(object({<br/>        status = optional(string)<br/>      }))<br/>    }))<br/>    # filter.prefix overrides top level prefix<br/>    filter = optional(object({<br/>      prefix = optional(string)<br/>      tags   = optional(map(string), {})<br/>    }))<br/>  }))</pre> | `null` | no |
 | <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
 | <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/>    enabled               = bool<br/>    expected_bucket_owner = optional(string)<br/>    payer                 = string<br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "payer": "BucketOwner"<br/>}</pre> | no |
-| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
+| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`. | `list(string)` | `[]` | no |
+| <a name="input_source_ip_allow_list_s3_objects"></a> [source\_ip\_allow\_list\_s3\_objects](#input\_source\_ip\_allow\_list\_s3\_objects) | List of IP addresses to allow to perform all s3 object actions to the bucket | `list(string)` | `[]` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | <a name="input_ssm_base_path"></a> [ssm\_base\_path](#input\_ssm\_base\_path) | The base path for SSM parameters where created IAM user's access key is stored | `string` | `"/s3_user/"` | no |

main.tf

@@ -520,9 +520,27 @@ data "aws_iam_policy_document" "bucket_policy" {
         values   = var.source_ip_allow_list
       }
     }
-
   }
 
+  dynamic "statement" { 
+    for_each = length(var.source_ip_allow_list_s3_objects) > 0 ? [1] : [] 
+
+    content { 
+      sid       = "AllowIPPrincipalsOnObjects" 
+      effect    = "Deny" 
+      actions   = ["s3:*"] 
+      resources = ["${local.bucket_arn}/*"] 
+      principals { 
+        identifiers = ["*"] 
+        type        = "*" 
+      } 
+      condition { 
+        test     = "NotIpAddress" 
+        variable = "aws:SourceIp" 
+        values   = var.source_ip_allow_list_s3_objects 
+      } 
+    } 
+  }
 }
 
 data "aws_iam_policy_document" "aggregated_policy" {

variables.tf

@@ -420,7 +420,14 @@ variable "privileged_principal_actions" {
 variable "source_ip_allow_list" {
   type        = list(string)
   default     = []
-  description = "List of IP addresses to allow to perform all actions to the bucket"
+  description = "List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`."
+  nullable    = false
+}
+
+variable "source_ip_allow_list_s3_objects" {
+  type        = list(string)
+  default     = []
+  description = "List of IP addresses to allow to perform all s3 object actions to the bucket"
   nullable    = false
 }