@gswallow
Created January 11, 2019 21:17
S3 bucket policy for cross-account terraform use
{
  "Version": "2012-10-17",
  "Id": "Policy1547233271159",
  "Statement": [
    {
      "Sid": "Allow-non-prod-to-list-bucket-objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::terraform-state-storage"
    },
    {
      "Sid": "Deny-non-prod-from-listing-bucket-objects-in-prod-folder",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::terraform-state-storage",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "env:/prod/*"
          ]
        }
      }
    },
    {
      "Sid": "Allow-non-prod-users-to-CRUD-bucket-objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::terraform-state-storage/*"
    },
    {
      "Sid": "Deny-non-prod-users-from-objects-in-prod-folder",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::terraform-state-storage/env:/prod/*"
    }
  ]
}
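To check what this policy grants the non-prod account before deploying it, here is an added example (my own code, not from the gist): a small offline evaluator implementing the subset of IAM logic the policy relies on, namely explicit Deny beating Allow, `*` wildcards in Action and Resource, and a `StringLike` condition on `s3:prefix`, with the gist's four statements condensed into Python literals.

```python
import fnmatch

NONPROD = "arn:aws:iam::222222222222:root"
BUCKET = "arn:aws:s3:::terraform-state-storage"
LIST = ["s3:ListBucket", "s3:ListBucketVersions"]
CRUD = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject",
        "s3:GetObjectVersion", "s3:PutObject", "s3:RestoreObject"]

# The gist's four statements, condensed; every one names the same principal.
POLICY = [
    {"Effect": "Allow", "Principal": NONPROD, "Action": LIST, "Resource": BUCKET},
    {"Effect": "Deny", "Principal": NONPROD, "Action": LIST, "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["env:/prod/*"]}}},
    {"Effect": "Allow", "Principal": NONPROD, "Action": CRUD, "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": NONPROD, "Action": "s3:*",
     "Resource": BUCKET + "/env:/prod/*"},
]


def _matches(patterns, value):
    """IAM-style glob match: '*' spans any characters, including '/'."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """StringLike only: a key absent from the request context never matches."""
    for key, patterns in condition.get("StringLike", {}).items():
        if key not in context or not _matches(patterns, context[key]):
            return False
    return True


def evaluate(policy, principal, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.
    An explicit Deny wins over any Allow, as in IAM evaluation."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy:
        if stmt["Principal"] != principal:
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running it confirms prod objects are denied while non-prod and the default-workspace state at the bucket root are allowed; note that the listing condition only matches request prefixes that themselves start with `env:/prod/`, so a listing with a shorter prefix such as `env:/` still returns prod key names, while the last statement keeps those objects unreadable.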
@gswallow

Props to @magnetikonline for clueing me into the right condition syntax: https://gist.github.com/magnetikonline/6215d9e80021c1f8de12
