Policy Packs
Enforce Approved Replication Accounts for AWS S3 Buckets

Policy Setting: AWS > S3 > Bucket > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "aws_s3_bucket_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/aws-s3#/policy/types/bucketApprovedCustom"
template_input = <<-EOT
{
bucket: resource{
replication: get(path:"Replication")
}
approvedReplicationAccountsList: constant(value: "['012345678901', '123456789012']")
}
EOT
template = <<-EOT
{%- if $.bucket.replication and $.bucket.replication | length == 0 -%}
{%- set data = {
"title": "Replication",
"result": "Approved",
"message": "Bucket does not have replication enabled"
} -%}
{%- elif $.bucket.replication -%}
{%- set replicationApproved = true -%}
{%- for rule in $.bucket.replication.Rules -%}
{%- if rule.Destination.Account not in $.approvedReplicationAccountsList -%}
{%- set replicationApproved = false -%}
{%- endif -%}
{%- endfor -%}
{%- if replicationApproved -%}
{%- set data = {
"title": "Replication",
"result": "Approved",
"message": "Replication destination account(s) approved"
} -%}
{%- else -%}
{%- set data = {
"title": "Replication",
"result": "Not approved",
"message": "Replication destination account(s) not approved"
} -%}
{%- endif %}
{%- else -%}
{%- set data = {
"title": "Replication",
"result": "Skip",
"message": "No data for replication yet"
} -%}
{% endif %}
{{ data | json }}
EOT
}