bugfix deprecate deployment_principal_arns (cloudposse#257)

This patch refactors the passing of deployment principals, such that it uses static/known map keys. This allows this module to be applied at the same time as the deployment principal (e.g., an iam user) is is deployed. Hashicorp recommends storing only known values in map keys, and leaving all dynamic/unknown values in the map values ([source0](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#limitations-on-values-used-in-for_each), [source1](hashicorp/terraform#30838 (comment))).
abeluck · Aug 11, 2023 · ac8c6ee · ac8c6ee
1 parent 91ab131
commit ac8c6ee
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/deprecated.tf b/deprecated.tf
@@ -7,6 +7,8 @@ locals {
   cloudfront_access_log_include_cookies = var.log_include_cookies == null ? var.cloudfront_access_log_include_cookies : var.log_include_cookies
   cloudfront_access_log_prefix          = var.log_prefix == null ? var.cloudfront_access_log_prefix : var.log_prefix
 
+  deployment_principals = var.deployment_principal_arns == null ? var.deployment_principals : { for arn, path_prefix in var.deployment_principal_arns : arn => { "arn" : arn, "path_prefix" : path_prefix } }
+
   # New variables, but declare them here for consistency
   cloudfront_access_log_create_bucket = var.cloudfront_access_log_create_bucket
 }

diff --git a/main.tf b/main.tf
@@ -183,19 +183,19 @@ data "aws_iam_policy_document" "s3_website_origin" {
 }
 
 data "aws_iam_policy_document" "deployment" {
-  for_each = local.enabled ? var.deployment_principal_arns : {}
+  for_each = local.enabled ? local.deployment_principals : {}
 
   statement {
     actions = var.deployment_actions
 
     resources = distinct(flatten([
       [local.origin_bucket.arn],
-      formatlist("${local.origin_bucket.arn}/%s*", each.value),
+      formatlist("${local.origin_bucket.arn}/%s*", each.value.path_prefix),
     ]))
 
     principals {
       type        = "AWS"
-      identifiers = [each.key]
+      identifiers = [each.value.arn]
     }
   }
 }

diff --git a/variables.tf b/variables.tf
@@ -480,8 +480,8 @@ variable "versioning_enabled" {
   description = "When set to 'true' the s3 origin bucket will have versioning enabled"
 }
 
-variable "deployment_principal_arns" {
-  type        = map(list(string))
+variable "deployment_principals" {
+  type        = map(object({ path_prefix = string, arn = string }))
   default     = {}
   description = <<-EOT
     (Optional) Map of IAM Principal ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions.
@@ -633,6 +633,13 @@ variable "origin_groups" {
 
 # Variables below here are DEPRECATED and should not be used anymore
 
+variable "deployment_principal_arns" {
+  type        = map(list(string))
+  default     = null
+  description = "DEPRECATED. Use `deployment_principals` instead."
+}
+
+
 variable "access_log_bucket_name" {
   type        = string
   default     = null
@@ -679,4 +686,4 @@ variable "http_version" {
   type        = string
   default     = "http2"
   description = "The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3"
-}
+}