Commit 3aeb54b

feat: add var.source_ip_allow_list_s3_objects
Signed-off-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
1 parent 7abc181 commit 3aeb54b

3 files changed

+12
-3
lines changed


README.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -316,7 +316,8 @@ Available targets:
316316
| <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/> id = optional(string)<br/> priority = optional(number)<br/> prefix = optional(string)<br/> status = optional(string, "Enabled")<br/> # delete_marker_replication { status } had been flattened for convenience<br/> delete_marker_replication_status = optional(string, "Disabled")<br/> # Add the configuration as it appears in the resource, for consistency<br/> # this nested version takes precedence if both are provided.<br/> delete_marker_replication = optional(object({<br/> status = string<br/> }))<br/><br/> # destination_bucket is specified here rather than inside the destination object because before optional<br/> # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/> # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/> destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/> destination = object({<br/> bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/> storage_class = optional(string, "STANDARD")<br/> # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/> replica_kms_key_id = optional(string, "")<br/> encryption_configuration = optional(object({<br/> replica_kms_key_id = string<br/> }))<br/> access_control_translation = optional(object({<br/> owner = string<br/> }))<br/> # account_id is for backward compatibility, overridden by account<br/> account_id = optional(string)<br/> account = optional(string)<br/> # For convenience, specifying either metrics or replication_time enables both<br/> metrics = optional(object({<br/> event_threshold = 
optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string, "Enabled")<br/> }), { status = "Disabled" })<br/> # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/> # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/> # replication_time.status = "Disabled".<br/> replication_time = optional(object({<br/> time = optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string)<br/> }))<br/> })<br/><br/> source_selection_criteria = optional(object({<br/> replica_modifications = optional(object({<br/> status = string # Either Enabled or Disabled<br/> }))<br/> sse_kms_encrypted_objects = optional(object({<br/> status = optional(string)<br/> }))<br/> }))<br/> # filter.prefix overrides top level prefix<br/> filter = optional(object({<br/> prefix = optional(string)<br/> tags = optional(map(string), {})<br/> }))<br/> }))</pre> | `null` | no |
317317
| <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
318318
| <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/> enabled = bool<br/> expected_bucket_owner = optional(string)<br/> payer = string<br/> })</pre> | <pre>{<br/> "enabled": false,<br/> "payer": "BucketOwner"<br/>}</pre> | no |
319-
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
319+
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`. | `list(string)` | `[]` | no |
320+
| <a name="input_source_ip_allow_list_s3_objects"></a> [source\_ip\_allow\_list\_s3\_objects](#input\_source\_ip\_allow\_list\_s3\_objects) | List of IP addresses to allow to perform all s3 object actions to the bucket | `list(string)` | `[]` | no |
320321
| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
321322
| <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
322323
| <a name="input_ssm_base_path"></a> [ssm\_base\_path](#input\_ssm\_base\_path) | The base path for SSM parameters where created IAM user's access key is stored | `string` | `"/s3_user/"` | no |
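Review bot: the reworded `source_ip_allow_list` description on the `319+` row has a grammar slip and a misleading verb: "the bucket is a risk of getting locked out" should read "you risk locking yourself out of the bucket", and "To only deny s3 object access by IP" points at a variable that is an allow list, so say "To restrict only S3 object actions by source IP, see `var.source_ip_allow_list_s3_objects`." The new `320+` row deserves the same lock-out warning, since a list that gates every object action can just as easily cut off the CI/CD or VPN address that needs to read and write objects.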

docs/terraform.md

Lines changed: 2 additions & 1 deletion
@@ -108,7 +108,8 @@
108108
| <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/> id = optional(string)<br/> priority = optional(number)<br/> prefix = optional(string)<br/> status = optional(string, "Enabled")<br/> # delete_marker_replication { status } had been flattened for convenience<br/> delete_marker_replication_status = optional(string, "Disabled")<br/> # Add the configuration as it appears in the resource, for consistency<br/> # this nested version takes precedence if both are provided.<br/> delete_marker_replication = optional(object({<br/> status = string<br/> }))<br/><br/> # destination_bucket is specified here rather than inside the destination object because before optional<br/> # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/> # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/> destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/> destination = object({<br/> bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/> storage_class = optional(string, "STANDARD")<br/> # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/> replica_kms_key_id = optional(string, "")<br/> encryption_configuration = optional(object({<br/> replica_kms_key_id = string<br/> }))<br/> access_control_translation = optional(object({<br/> owner = string<br/> }))<br/> # account_id is for backward compatibility, overridden by account<br/> account_id = optional(string)<br/> account = optional(string)<br/> # For convenience, specifying either metrics or replication_time enables both<br/> metrics = optional(object({<br/> event_threshold = 
optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string, "Enabled")<br/> }), { status = "Disabled" })<br/> # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/> # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/> # replication_time.status = "Disabled".<br/> replication_time = optional(object({<br/> time = optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string)<br/> }))<br/> })<br/><br/> source_selection_criteria = optional(object({<br/> replica_modifications = optional(object({<br/> status = string # Either Enabled or Disabled<br/> }))<br/> sse_kms_encrypted_objects = optional(object({<br/> status = optional(string)<br/> }))<br/> }))<br/> # filter.prefix overrides top level prefix<br/> filter = optional(object({<br/> prefix = optional(string)<br/> tags = optional(map(string), {})<br/> }))<br/> }))</pre> | `null` | no |
109109
| <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
110110
| <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/> enabled = bool<br/> expected_bucket_owner = optional(string)<br/> payer = string<br/> })</pre> | <pre>{<br/> "enabled": false,<br/> "payer": "BucketOwner"<br/>}</pre> | no |
111-
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
111+
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`. | `list(string)` | `[]` | no |
112+
| <a name="input_source_ip_allow_list_s3_objects"></a> [source\_ip\_allow\_list\_s3\_objects](#input\_source\_ip\_allow\_list\_s3\_objects) | List of IP addresses to allow to perform all s3 object actions to the bucket | `list(string)` | `[]` | no |
112113
| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
113114
| <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
114115
| <a name="input_ssm_base_path"></a> [ssm\_base\_path](#input\_ssm\_base\_path) | The base path for SSM parameters where created IAM user's access key is stored | `string` | `"/s3_user/"` | no |
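Review bot: neither description on the `111+` and `112+` rows says how the two lists combine when both are non-empty (is an address in `source_ip_allow_list` implicitly allowed object actions, or must it appear in both lists?), and this table carries the variable description text byte for byte, so the wording fix belongs in variables.tf with this file regenerated rather than edited by hand. One sentence such as "Addresses in `source_ip_allow_list` are also permitted object actions; this list only widens object access" (or whatever the policy actually does) would remove the ambiguity.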

variables.tf

Lines changed: 8 additions & 1 deletion
@@ -420,7 +420,14 @@ variable "privileged_principal_actions" {
420420
variable "source_ip_allow_list" {
421421
type = list(string)
422422
default = []
423-
description = "List of IP addresses to allow to perform all actions to the bucket"
423+
description = "List of IP addresses to allow to perform all actions to the bucket. Add a CICD IP or VPN IP here or the bucket is a risk of getting locked out. To only deny s3 object access by IP, see `var.source_ip_allow_list_s3_objects`."
424+
nullable = false
425+
}
426+
427+
variable "source_ip_allow_list_s3_objects" {
428+
type = list(string)
429+
default = []
430+
description = "List of IP addresses to allow to perform all s3 object actions to the bucket"
424431
nullable = false
425432
}
426433
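Review bot: the new variable on lines `427+` through `430+` is declared and documented, but nothing in this commit consumes it: only README.md, docs/terraform.md and variables.tf change, so setting `source_ip_allow_list_s3_objects` has no effect on the generated bucket policy until the policy code reads it. Either include that change here or state in the commit message that it lands in a follow-up. Both variables also accept any string; a `validation` block (for example `alltrue([for ip in var.source_ip_allow_list_s3_objects : can(cidrhost(ip, 0))])` if entries are expected in CIDR form) would reject malformed entries at plan time rather than producing a policy the service rejects at apply.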
