From 68da9079ca1f1141272fa77e2569aaa8ebbcf48c Mon Sep 17 00:00:00 2001
From: rpoluri <38321430+rpoluri@users.noreply.github.com>
Date: Thu, 17 Jun 2021 13:42:50 -0500
Subject: [PATCH] Feature/s3 inventory customer accounts (#192)

* variable to grant access to s3 inventory s3 bucket

* update changelog

Co-authored-by: Raj Poluri
---
 CHANGELOG.md | 4 ++++
 VARIABLES.md | 1 +
 s3-other.tf | 20 ++++++++++++++++++++
 variables.tf | 6 ++++++
 4 files changed, 31 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e42b2a2..952af93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.8.1] - 2021-06-17
+### Added
+- Add support for cross account access to s3 inventory.
+
 ## [6.8.0] - 2021-05-10
 ### Added
 - Add support for Apiary-specific RDS parameter groups.
diff --git a/VARIABLES.md b/VARIABLES.md
index a6b3a6c..1577507 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -66,6 +66,7 @@
 | ranger_policy_manager_url | Ranger admin URL to synchronize policies. | string | `` | no |
 | rds_max_allowed_packet | RDS/MySQL setting for parameter 'max_allowed_packet' in bytes. | number | `134217728` | no |
 | s3_enable_inventory | Enable S3 inventory configuration. | bool | `false` | no |
+| s3_inventory_customer_accounts | AWS account IDs allowed to access s3 inventory database. | list | - | no |
 | s3_inventory_format | Output format for S3 inventory results. Can be Parquet, ORC, CSV | string | `ORC` | no |
 | s3_inventory_update_schedule | Cron schedule to update S3 inventory tables (if enabled). Defaults to every 12 hours. | string | `0 */12 * * *` | no |
 | s3_lifecycle_policy_transition_period | Number of days for transition to a different storage class using lifecycle policy. | string | `30` | no |
diff --git a/s3-other.tf b/s3-other.tf
index f987b40..47d57db 100644
--- a/s3-other.tf
+++ b/s3-other.tf
@@ -29,6 +29,26 @@ resource "aws_s3_bucket" "apiary_inventory_bucket" {
 }
 }
 },
+%{if length(var.s3_inventory_customer_accounts) > 0}
+ {
+ "Sid": "S3 inventory customer account permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [ "${join("\",\"", formatlist("arn:aws:iam::%s:root", var.s3_inventory_customer_accounts))}" ]
+ },
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetBucketAcl",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${local.s3_inventory_bucket}",
+ "arn:aws:s3:::${local.s3_inventory_bucket}/*"
+ ]
+ },
+%{endif}
 {
 "Sid": "DenyUnSecureCommunications",
 "Effect": "Deny",
diff --git a/variables.tf b/variables.tf
index 9f55298..58570fe 100644
--- a/variables.tf
+++ b/variables.tf
@@ -349,6 +349,12 @@ variable "s3_inventory_format" {
 default = "ORC"
 }
 
+variable "s3_inventory_customer_accounts" {
+ description = "AWS account IDs allowed to access s3 inventory database."
+ type = list(string)
+ default = []
+}
+
 variable "ranger_policy_manager_url" {
 description = "Ranger admin URL to synchronize policies."
 type = string
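Review bot: The Principal array on the `"AWS"` line is built by hand with `join("\",\"", …)` around a formatted string, so any entry of `var.s3_inventory_customer_accounts` that is empty or contains a quote yields either an invalid policy document at apply time or a principal other than the one intended, and the only guard is the `length(...) > 0` check on the `%{if` line. Letting Terraform do the quoting, `"AWS": ${jsonencode(formatlist("arn:aws:iam::%s:root", var.s3_inventory_customer_accounts))}`, produces the same array with well-formed JSON regardless of the input. Because `:root` hands the decision about which identities may read the whole inventory bucket to each listed account's own IAM policies, a comment above the `%{if` line stating that intent would help future reviewers, e.g. `# Cross-account read of the inventory bucket: each listed account's IAM decides which of its principals may use this grant`. The enclosing `aws_s3_bucket` resource and its policy document both start before this hunk and end after it.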
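Review bot: The new `s3_inventory_customer_accounts` variable accepts any list of strings, yet each entry is interpolated straight into a bucket-policy Principal ARN in s3-other.tf, so a malformed value (an 11-digit ID, a stray space, a full ARN pasted where an account ID belongs) only surfaces when AWS rejects the policy at apply time, while a well-formed but wrong ID silently grants read access to a different account. Assuming the module already requires Terraform 0.13 or later (the `%{if` directive in s3-other.tf shows at least 0.12; `validation` blocks and `alltrue` need 0.13), a validation block pinning entries to twelve digits turns the malformed case into a plan-time error. The description should also name what is granted, since the policy covers the inventory bucket rather than a database: `description = "AWS account IDs (12 digits) whose root principal is granted read access to the S3 inventory bucket."`.
```hcl
variable "s3_inventory_customer_accounts" {
  description = "AWS account IDs (12 digits) whose root principal is granted read access to the S3 inventory bucket."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for id in var.s3_inventory_customer_accounts : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in s3_inventory_customer_accounts must be a 12-digit AWS account ID."
  }
}
```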