Optionally add vendor_access statements in aws (#29)

* Optionally add vendor_access statements in aws * bugfix * update version
streamnative · Jul 14, 2023 · fd18454 · fd18454
1 parent 0f29634
commit fd18454
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 29 deletions.
diff --git a/modules/aws/main.tf b/modules/aws/main.tf
@@ -58,21 +58,24 @@ locals {
 #-- Trust Relationship for StreamNative Vendor Access Roles
 ######
 data "aws_iam_policy_document" "streamnative_bootstrap_access" {
-  statement {
-    sid     = "AllowStreamNativeVendorAccess"
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+  dynamic "statement" {
+    for_each = length(var.streamnative_vendor_access_role_arns) > 0 ? [1] : []
+    content {
+      sid      = "AllowStreamNativeVendorAccess"
+      effect   = "Allow"
+      actions  = ["sts:AssumeRole"]
 
-    principals {
-      type        = "AWS"
-      identifiers = var.streamnative_vendor_access_role_arns
-    }
-    dynamic "condition" {
-      for_each = local.assume_conditions
-      content {
-        test     = condition.value["test"]
-        values   = condition.value["values"]
-        variable = condition.value["variable"]
+      principals {
+        type        = "AWS"
+        identifiers = var.streamnative_vendor_access_role_arns
+      }
+      dynamic "condition" {
+        for_each = local.assume_conditions
+        content {
+          test     = condition.value["test"]
+          values   = condition.value["values"]
+          variable = condition.value["variable"]
+        }
       }
     }
   }
@@ -116,21 +119,24 @@ data "aws_iam_policy_document" "streamnative_bootstrap_access" {
 }
 
 data "aws_iam_policy_document" "streamnative_management_access" {
-  statement {
-    sid     = "AllowStreamNativeVendorAccess"
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+  dynamic "statement" {
+    for_each = length(var.streamnative_vendor_access_role_arns) > 0 ? [1] : []
+    content {
+      sid     = "AllowStreamNativeVendorAccess"
+      effect  = "Allow"
+      actions = ["sts:AssumeRole"]
 
-    principals {
-      type        = "AWS"
-      identifiers = var.streamnative_vendor_access_role_arns
-    }
-    dynamic "condition" {
-      for_each = local.assume_conditions
-      content {
-        test     = condition.value["test"]
-        values   = condition.value["values"]
-        variable = condition.value["variable"]
+      principals {
+        type        = "AWS"
+        identifiers = var.streamnative_vendor_access_role_arns
+      }
+      dynamic "condition" {
+        for_each = local.assume_conditions
+        content {
+          test     = condition.value["test"]
+          values   = condition.value["values"]
+          variable = condition.value["variable"]
+        }
       }
     }
   }

diff --git a/modules/aws/variables.tf b/modules/aws/variables.tf
@@ -69,7 +69,7 @@ variable "s3_bucket_pattern" {
 }
 
 variable "sn_policy_version" {
-  default     = "3.2.0"
+  default     = "3.3.0"
   description = "The value of SNVersion tag"
   type        = string
 }