From dda43d3700920a65454732efae51d560d417c769 Mon Sep 17 00:00:00 2001
From: Ezra Neer
Date: Fri, 10 Mar 2023 08:57:57 -0800
Subject: [PATCH] adds arn as output and custom bucket policy example

---
 README.md | 1 +
 examples/custom_bucket_policy/main.tf | 37 ++++++++++++++++++++++
 examples/custom_bucket_policy/variables.tf | 16 ++++++++++
 outputs.tf | 5 +++
 4 files changed, 59 insertions(+)
 create mode 100644 examples/custom_bucket_policy/main.tf
 create mode 100644 examples/custom_bucket_policy/variables.tf

diff --git a/README.md b/README.md
index 496681c..fb1dd5b 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | aws\_logs\_bucket | ID of the S3 bucket containing AWS logs. |
+| bucket\_arn | ARN of the S3 logs bucket |
 | configs\_logs\_path | S3 path for Config logs. |
 | elb\_logs\_path | S3 path for ELB logs. |
 | redshift\_logs\_path | S3 path for RedShift logs. |
diff --git a/examples/custom_bucket_policy/main.tf b/examples/custom_bucket_policy/main.tf
new file mode 100644
index 0000000..74af008
--- /dev/null
+++ b/examples/custom_bucket_policy/main.tf
@@ -0,0 +1,37 @@
+module "aws_logs" {
+ source = "../../"
+
+ s3_bucket_name = var.test_name
+
+ force_destroy = var.force_destroy
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "updated_logs_bucket_policy" {
+ source_policy_documents = [module.aws_logs.s3_bucket_policy.json]
+ statement {
+ sid = "Allow vpc endpoint"
+ actions = ["s3:*"]
+ effect = "Allow"
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceVpce"
+ values = ["vpce-0123567"]
+ }
+
+ resources = [
+ module.aws_logs.bucket_arn,
+ "${module.aws_logs.bucket_arn}/*"
+ ]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ }
+
+}
+resource "aws_s3_bucket_policy" "logs_updated_bucket_policy" {
+ bucket = module.logs.aws_logs_bucket
+ policy = data.updated_logs_bucket_policy.json
+}
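Review bot: The `aws_s3_bucket_policy` resource at the end of the main.tf hunk references names that do not exist in this example: the module is declared as `aws_logs`, not `logs`, and the data-source reference omits its resource type, so `terraform validate` should reject both attribute lines. They should read `bucket = module.aws_logs.aws_logs_bucket` and `policy = data.aws_iam_policy_document.updated_logs_bucket_policy.json`. Separately, the added statement grants `s3:*` to principal `*` on the bucket and every object, gated only on `aws:SourceVpce`; for a logs bucket that wildcard covers destructive and policy-changing actions such as `s3:DeleteObject` and `s3:PutBucketPolicy`, so as a reference example it would be safer to list only the read actions endpoint clients need (e.g. `s3:GetObject`, `s3:ListBucket`). A short comment marking `vpce-0123567` as a placeholder to be replaced with the caller's endpoint ID would also prevent the example being copied verbatim.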
diff --git a/examples/custom_bucket_policy/variables.tf b/examples/custom_bucket_policy/variables.tf
new file mode 100644
index 0000000..0e25c34
--- /dev/null
+++ b/examples/custom_bucket_policy/variables.tf
@@ -0,0 +1,16 @@
+variable "test_name" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "force_destroy" {
+ type = bool
+}
+
+variable "tags" {
+ type = map(string)
+ default = {}
+}
diff --git a/outputs.tf b/outputs.tf
index b6cf0f1..603d73d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -22,3 +22,8 @@ output "s3_bucket_policy" {
 description = "S3 bucket policy"
 value = data.aws_iam_policy_document.main
 }
+
+output "bucket_arn" {
+ description = "ARN of the S3 logs bucket"
+ value = aws_s3_bucket.aws_logs.arn
+}
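Review bot: None of the four variables in variables.tf carries a `description`, and `region` appears to be unused — the example's main.tf in this patch has no provider block and no other reference to `var.region`, so it is either dead or consumed by a file outside the patch. Either drop it or add the provider block that reads it, and give each variable a one-line description so the example is self-explanatory, e.g. `description = "Name of the S3 logs bucket created by this example"` on `test_name` and `description = "Allow the bucket to be destroyed with objects still in it; intended for test runs only"` on `force_destroy`.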
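Review bot: The new output in outputs.tf is named `bucket_arn` while the sibling output for the same bucket's ID is `aws_logs_bucket` (see the README row above it), so callers end up with `module.x.aws_logs_bucket` for the ID and `module.x.bucket_arn` for the ARN. A name such as `aws_logs_bucket_arn` would keep the pair discoverable together; if the shorter name is kept, the description should at least say which bucket it refers to, e.g. `description = "ARN of the S3 bucket containing AWS logs."`, matching the wording of the ID output. The resource address `aws_s3_bucket.aws_logs` is presumably declared in a file outside this patch and cannot be confirmed here.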