Include required bucket policy in S3 module

Author: bogsi17

terraform/backup/destination-bootstrap/main.tf

@@ -17,33 +17,6 @@ module "terraform_state_bucket" {
   bucket_name = "mavisbackup-terraform-state"
 }
 
-resource "aws_s3_bucket_policy" "backend_bucket_block_http" {
-  bucket = module.terraform_state_bucket.bucket_id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "block-backend-bucket-http-access"
-    Statement = [
-      {
-        Sid    = "HTTPSOnly"
-        Effect = "Deny"
-        Principal = {
-          "AWS" : "*"
-        }
-        Action = "s3:*"
-        Resource = [
-          module.terraform_state_bucket.arn,
-          "${module.terraform_state_bucket.arn}/*",
-        ]
-        Condition = {
-          Bool = {
-            "aws:SecureTransport" = "false"
-          }
-        }
-      },
-    ]
-  })
-}
-
 #### Dynamo DB table for terraform state locking
 resource "aws_dynamodb_table" "dynamodb_lock_table" {
   name         = "mavisbackup-terraform-state-lock"

terraform/backup/source/main.tf

@@ -42,46 +42,23 @@ module "s3_reports_bucket" {
   bucket_name              = "${local.project_name}-backup-reports"
   logging_target_bucket_id = data.aws_s3_bucket.mavis_logs.id
   logging_target_prefix    = "backup-reports/"
-}
-
-resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
-  bucket = module.s3_reports_bucket.bucket_id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "backup-reports-bucket-policy"
-    Statement = [
-      {
-        Sid    = "HTTPSOnly"
-        Effect = "Deny"
-        Principal = {
-          "AWS" : "*"
-        }
-        Action = "s3:*"
-        Resource = [
-          module.s3_reports_bucket.arn,
-          "${module.s3_reports_bucket.arn}/*",
-        ]
-        Condition = {
-          Bool = {
-            "aws:SecureTransport" = "false"
-          }
-        }
-        }, {
-        Sid    = "AllowBackupReports"
-        Effect = "Allow"
-        Principal = {
-          "AWS" : "arn:aws:iam::${local.source_account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
-        }
-        Action   = "s3:PutObject"
-        Resource = ["${module.s3_reports_bucket.arn}/*"]
-        Condition = {
-          StringEquals = {
-            "s3:x-amz-acl" = "bucket-owner-full-control"
-          }
-        }
+  additional_policy_statements = [
+    {
+      sid    = "AllowBackupReports"
+      effect = "Allow"
+      principals = [{
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${local.source_account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"]
+      }]
+      actions = ["s3:PutObject"]
+      resources = ["arn:aws:s3:::${local.project_name}-backup-reports/*"]
+      condition = {
+        test     = "StringEquals"
+        variable = "s3:x-amz-acl"
+        values   = ["bucket-owner-full-control"]
       }
-    ]
-  })
+    }
+  ]
 }
 
 # Now we can define the key itself
@@ -117,6 +94,9 @@ resource "aws_kms_key" "backup_notifications" {
 
 module "source" {
   source = "github.com/NHSDigital/terraform-aws-backup.git//modules/aws-backup-source?ref=v1.1.0"
+  # Use SSH to fetch sources locally
+  # source = "git@github.com:NHSDigital/terraform-aws-backup.git//modules/aws-backup-source?ref=v1.1.0"
+
 
   backup_copy_vault_account_id = local.destination_account_id
   backup_copy_vault_arn        = var.destination_vault_arn

terraform/modules/s3/main.tf

@@ -34,3 +34,58 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket_access" {
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
+
+data "aws_iam_policy_document" "block_http_access" {
+  statement {
+    sid = "HTTPSOnly"
+    effect = "Deny"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = ["s3:*"]
+    resources = [
+      aws_s3_bucket.this.arn,
+      "${aws_s3_bucket.this.arn}/*",
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "additional_policy" {
+    count = length(var.additional_policy_statements)
+    dynamic "statement" {
+        for_each = var.additional_policy_statements
+        content {
+          sid       = statement.value.sid
+          effect    = statement.value.effect
+          actions   = statement.value.actions
+          resources = statement.value.resources
+          dynamic "principals" {
+            for_each = statement.value.principals
+            content {
+              type = principals.value.type
+              identifiers = principals.value.identifiers
+            }
+          }
+          condition {
+            test     = statement.value.condition.test
+            variable = statement.value.condition.variable
+            values   = statement.value.condition.values
+          }
+        }
+    }
+}
+
+data "aws_iam_policy_document" "combined" {
+  source_policy_documents = concat([data.aws_iam_policy_document.block_http_access.json], length(data.aws_iam_policy_document.additional_policy) > 0 ? [data.aws_iam_policy_document.additional_policy[0].json] : [])
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.combined.json
+}

terraform/modules/s3/variables.tf

@@ -18,3 +18,9 @@ variable "logging_target_prefix" {
   nullable    = false
 }
 
+variable "additional_policy_statements" {
+    description = "The JSON policy to apply to the bucket"
+    type        = list(any)
+    default = []
+}
+