Add option to skip the root access policy
bwhaley committed Dec 18, 2019
1 parent 273141a commit 9ec6e4e
Showing 3 changed files with 9 additions and 3 deletions.
3 changes: 2 additions & 1 deletion README.md
@@ -675,6 +675,7 @@ remote_state {
skip_bucket_versioning = true # use only if the object store does not support versioning
skip_bucket_ssencryption = true # use only if non-encrypted Terraform State is required and/or the object store does not support server-side encryption
skip_bucket_accesslogging = true # use only if the cost for the extra object space is undesirable or the object store does not support access logging
skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
enable_lock_table_ssencryption = true # use only if non-encrypted DynamoDB Lock Table for the Terraform State is required and/or the NoSQL database service does not support server-side encryption
shared_credentials_file = "/path/to/credentials/file"
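Review bot: the inline comment on the new `skip_bucket_root_access` line ("should not have access to the remote state bucket for some reason") does not tell a reader when to set it, unlike the neighbouring comments, which each name a concrete condition. Replace "for some reason" with the actual case this option was added for, e.g. "use only if the bucket policy is managed outside terragrunt and the root access policy must not be applied", so the option is not mistaken for a way to lock the root user out of the bucket.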
@@ -687,7 +688,7 @@ remote_state {
If you experience an error for any of these configurations, confirm you are using Terraform v0.12.2 or greater.
Further, the config options `s3_bucket_tags`, `dynamodb_table_tags`, `skip_bucket_versioning`,
`skip_bucket_ssencryption`, `skip_bucket_accesslogging`, and `enable_lock_table_ssencryption` are only valid for
`skip_bucket_ssencryption`, `skip_bucket_accesslogging`, `skip_bucket_root_access`, and `enable_lock_table_ssencryption` are only valid for
backend `s3`. They are used by terragrunt and are **not** passed on to
terraform. See section [Create remote state and locking resources automatically](#create-remote-state-and-locking-resources-automatically).
3 changes: 2 additions & 1 deletion docs/_use-cases/keep-your-remote-state-configuration-dry.md
@@ -176,6 +176,7 @@ remote_state {
skip_bucket_versioning = true # use only if the object store does not support versioning
skip_bucket_ssencryption = true # use only if non-encrypted Terraform State is required and/or the object store does not support server-side encryption
skip_bucket_accesslogging = true # use only if the cost for the extra object space is undesirable or the object store does not support access logging
skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
enable_lock_table_ssencryption = true # use only if non-encrypted DynamoDB Lock Table for the Terraform State is required and/or the NoSQL database service does not support server-side encryption
shared_credentials_file = "/path/to/credentials/file"
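Review bot: the comment on the added `skip_bucket_root_access` line speaks of "the AWS account root user", but the feature is described in the commit title as skipping a "root access policy". If that policy grants the account root principal in the bucket policy, as the function name `EnableRootAccesstoS3Bucket` in `remote_state_s3.go` suggests, then what is granted or skipped is account-level delegation to every IAM identity in the account, not access for the root user alone, and the doc should say so rather than imply that setting this flag removes the root user's access. This comment is duplicated verbatim in README.md; whichever wording is chosen, keep the two copies identical.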
@@ -187,7 +188,7 @@ remote_state {

If you experience an error for any of these configurations, confirm you are using Terraform v0.12.2 or greater.

Further, the config options `s3_bucket_tags`, `dynamodb_table_tags`, `skip_bucket_versioning`, `skip_bucket_ssencryption`, `skip_bucket_accesslogging`, and `enable_lock_table_ssencryption` are only valid for backend `s3`. They are used by terragrunt and are **not** passed on to terraform. See section [Create remote state and locking resources automatically](#create-remote-state-and-locking-resources-automatically).
Further, the config options `s3_bucket_tags`, `dynamodb_table_tags`, `skip_bucket_versioning`, `skip_bucket_ssencryption`, `skip_bucket_root_access`, `skip_bucket_accesslogging`, and `enable_lock_table_ssencryption` are only valid for backend `s3`. They are used by terragrunt and are **not** passed on to terraform. See section [Create remote state and locking resources automatically](#create-remote-state-and-locking-resources-automatically).

### GCS-specific remote state settings

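Review bot: the option list on the changed line inserts `skip_bucket_root_access` before `skip_bucket_accesslogging`, while the corresponding README.md line in this same commit inserts it after `skip_bucket_accesslogging`. The two lists are otherwise identical and are meant to be kept in sync; pick one order (the README order matches the order of the config block above) and use it in both files.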
6 changes: 5 additions & 1 deletion remote/remote_state_s3.go
@@ -33,6 +33,7 @@ type ExtendedRemoteStateConfigS3 struct {
SkipBucketVersioning bool `mapstructure:"skip_bucket_versioning"`
SkipBucketSSEncryption bool `mapstructure:"skip_bucket_ssencryption"`
SkipBucketAccessLogging bool `mapstructure:"skip_bucket_accesslogging"`
SkipBucketRootAccess bool `mapstructure:"skip_bucket_root_access"`
EnableLockTableSSEncryption bool `mapstructure:"enable_lock_table_ssencryption"`
}
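Review bot: the new mapstructure key `skip_bucket_root_access` uses an underscore between "root" and "access", whereas the sibling keys on the lines above run the compound words together (`skip_bucket_ssencryption`, `skip_bucket_accesslogging`). Either form works, but users will guess the key from the existing pattern; decide on one convention before this name is published in the docs, since renaming a config key later is a breaking change.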

@@ -44,6 +45,7 @@ var terragruntOnlyConfigs = []string{
"skip_bucket_versioning",
"skip_bucket_ssencryption",
"skip_bucket_accesslogging",
"skip_bucket_root_access",
"enable_lock_table_ssencryption",
}

@@ -358,7 +360,9 @@ func CreateS3BucketWithVersioningSSEncryptionAndAccessLogging(s3Client *s3.S3, c
return err
}

if err := EnableRootAccesstoS3Bucket(s3Client, &config.remoteStateConfigS3, terragruntOptions); err != nil {
if config.SkipBucketRootAccess {
terragruntOptions.Logger.Printf("Root access is disabled for the remote state S3 bucket %s using 'skip_bucket_root_access' config.", config.remoteStateConfigS3.Bucket)
} else if err := EnableRootAccesstoS3Bucket(s3Client, &config.remoteStateConfigS3, terragruntOptions); err != nil {
return err
}

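Review bot: the log message on the new `if config.SkipBucketRootAccess` branch, "Root access is disabled for the remote state S3 bucket %s", is inaccurate: skipping the call to `EnableRootAccesstoS3Bucket` only leaves the root access policy unapplied, it does not disable or deny anything, and an operator reading the log could conclude the bucket is locked down when it is simply unchanged. Suggest "Skipping root access policy for remote state S3 bucket %s because 'skip_bucket_root_access' is set." The `if`/`else if` restructuring of the error check is otherwise fine and matches the surrounding pattern.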