From 4b89d0168217186b694554bd3d30392321ab75bd Mon Sep 17 00:00:00 2001
From: Jim Enright
Date: Thu, 16 May 2024 08:55:16 +0100
Subject: [PATCH] Enable bucket versioning and change cross account policy to be inline
Signed-off-by: Jim Enright
---
 modules/terraform-cdp-aws-pre-reqs/README.md | 25 ++++-----
 modules/terraform-cdp-aws-pre-reqs/main.tf | 54 +++++++++----------
 .../terraform-cdp-aws-pre-reqs/variables.tf | 33 +++++++++---
 3 files changed, 64 insertions(+), 48 deletions(-)
diff --git a/modules/terraform-cdp-aws-pre-reqs/README.md b/modules/terraform-cdp-aws-pre-reqs/README.md
index ab506a7..7740f2c 100644
--- a/modules/terraform-cdp-aws-pre-reqs/README.md
+++ b/modules/terraform-cdp-aws-pre-reqs/README.md
@@ -53,24 +53,23 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [aws_iam_policy.cdp_datalake_admin_s3_data_access_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_datalake_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_datalake_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | -| [aws_iam_policy.cdp_extra_xaccount_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_idbroker_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_log_bucket_data_access_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_log_data_access_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_policy.cdp_ranger_audit_s3_data_access_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | -| [aws_iam_policy.cdp_xaccount_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_policy) | resource | | [aws_iam_role.cdp_datalake_admin_role](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role) | resource | | [aws_iam_role.cdp_idbroker_role](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role) | resource | | [aws_iam_role.cdp_log_role](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role) | resource | | [aws_iam_role.cdp_ranger_audit_role](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role) | resource | | 
[aws_iam_role.cdp_xaccount_role](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.cdp_extra_xaccount_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.cdp_xaccount_policy](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach1](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach2](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach3](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach4](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach5](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_datalake_admin_role_attach6](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.cdp_extra_xaccount_attach](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_idbroker_role_attach1](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | 
[aws_iam_role_policy_attachment.cdp_idbroker_role_attach2](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_log_role_attach1](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | 
@@ -82,12 +81,12 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [aws_iam_role_policy_attachment.cdp_ranger_audit_role_attach4](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_ranger_audit_role_attach5](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_ranger_audit_role_attach6](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.cdp_xaccount_role_attach](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_kms_alias.cdp_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/kms_alias) | resource | | [aws_kms_key.cdp_kms_key](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/kms_key) | resource | | [aws_s3_bucket.cdp_storage_locations](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_public_access_block.cdp_storage_locations](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.cdp_storage_location_kms](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.cdp_storage_location_versioning](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket_versioning) | resource | | [aws_s3_object.cdp_backup_storage_object](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_object) | resource | | 
[aws_s3_object.cdp_log_storage_object](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_object) | resource | | [aws_security_group.cdp_default_sg](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/security_group) | resource | @@ -134,7 +133,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [xaccount\_external\_id](#input\_xaccount\_external\_id) | External ID of the cross account | `string` | n/a | yes | | [agent\_source\_tag](#input\_agent\_source\_tag) | Tag to identify deployment source | `map(any)` |
{
"agent_source": "tf-cdp-module"
}
| no | | [aws\_region](#input\_aws\_region) | Region which Cloud resources will be created | `string` | `null` | no | -| [backup\_bucket\_access\_policy\_doc](#input\_backup\_bucket\_access\_policy\_doc) | Backup Bucket Access Data Access Policy | `string` | `null` | no | +| [backup\_bucket\_access\_policy\_doc](#input\_backup\_bucket\_access\_policy\_doc) | Contents of Backup Bucket Access Data Access Policy | `string` | `null` | no | | [backup\_bucket\_access\_policy\_name](#input\_backup\_bucket\_access\_policy\_name) | Backup Bucket Access Data Access Policy Name | `string` | `null` | no | | [backup\_storage](#input\_backup\_storage) | Optional Backup location for CDP environment. If not provided follow the data\_storage variable |
object({
backup_storage_bucket = string
backup_storage_object = string
})
| `null` | no | | [cdp\_default\_sg\_egress\_cidrs](#input\_cdp\_default\_sg\_egress\_cidrs) | List of egress CIDR blocks for CDP Default Security Group Egress rule | `list(string)` |
[
"0.0.0.0/0"
]
| no | @@ -143,26 +142,28 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [cdp\_private\_subnet\_ids](#input\_cdp\_private\_subnet\_ids) | List of private subnet ids. Required if create\_vpc is false. | `list(any)` | `null` | no | | [cdp\_public\_subnet\_ids](#input\_cdp\_public\_subnet\_ids) | List of public subnet ids. Required if create\_vpc is false. | `list(any)` | `null` | no | | [cdp\_vpc\_id](#input\_cdp\_vpc\_id) | VPC ID for CDP environment. Required if create\_vpc is false. | `string` | `null` | no | +| [create\_extra\_xaccount\_policy](#input\_create\_extra\_xaccount\_policy) | Create extra Cross-Account Policy for missing iam:Tag* permissions required for Data Services. | `bool` | `true` | no | | [create\_vpc](#input\_create\_vpc) | Flag to specify if the VPC should be created | `bool` | `true` | no | | [create\_vpc\_endpoints](#input\_create\_vpc\_endpoints) | Flag to specify if VPC Endpoints should be created | `bool` | `true` | no | | [data\_bucket\_access\_policy\_doc](#input\_data\_bucket\_access\_policy\_doc) | Data Bucket Access Data Access Policy | `string` | `null` | no | | [data\_bucket\_access\_policy\_name](#input\_data\_bucket\_access\_policy\_name) | Data Bucket Access Data Access Policy Name | `string` | `null` | no | | [data\_storage](#input\_data\_storage) | Data storage locations for CDP environment |
object({
data_storage_bucket = string
data_storage_object = string
})
| `null` | no | | [datalake\_admin\_role\_name](#input\_datalake\_admin\_role\_name) | Datalake Admin role Name | `string` | `null` | no | -| [datalake\_admin\_s3\_policy\_doc](#input\_datalake\_admin\_s3\_policy\_doc) | Location or Contents of Datalake Admin S3 Data Access Policy | `string` | `null` | no | +| [datalake\_admin\_s3\_policy\_doc](#input\_datalake\_admin\_s3\_policy\_doc) | Contents of Datalake Admin S3 Data Access Policy | `string` | `null` | no | | [datalake\_admin\_s3\_policy\_name](#input\_datalake\_admin\_s3\_policy\_name) | Datalake Admin S3 Data Access Policy Name | `string` | `null` | no | -| [datalake\_backup\_policy\_doc](#input\_datalake\_backup\_policy\_doc) | Location of Datalake Backup Data Access Policy | `string` | `null` | no | +| [datalake\_backup\_policy\_doc](#input\_datalake\_backup\_policy\_doc) | Contents of Datalake Backup Data Access Policy | `string` | `null` | no | | [datalake\_backup\_policy\_name](#input\_datalake\_backup\_policy\_name) | Datalake backup Data Access Policy Name | `string` | `null` | no | -| [datalake\_restore\_policy\_doc](#input\_datalake\_restore\_policy\_doc) | Location of Datalake Restore Data Access Policy | `string` | `null` | no | +| [datalake\_restore\_policy\_doc](#input\_datalake\_restore\_policy\_doc) | Contents of Datalake Restore Data Access Policy | `string` | `null` | no | | [datalake\_restore\_policy\_name](#input\_datalake\_restore\_policy\_name) | Datalake restore Data Access Policy Name | `string` | `null` | no | +| [enable\_bucket\_versioning](#input\_enable\_bucket\_versioning) | Flag to enable versioning of S3 buckets. | `bool` | `true` | no | | [enable\_kms\_bucket\_encryption](#input\_enable\_kms\_bucket\_encryption) | Flag to create AWS KMS for encryption of S3 buckets. Currently disabled as further settings needed for successful CDP deployment. 
| `bool` | `false` | no | | [env\_tags](#input\_env\_tags) | Tags applied to provised resources | `map(any)` | `null` | no | | [idbroker\_policy\_name](#input\_idbroker\_policy\_name) | IDBroker Policy name | `string` | `null` | no | | [idbroker\_role\_name](#input\_idbroker\_role\_name) | IDBroker service role Name | `string` | `null` | no | | [ingress\_extra\_cidrs\_and\_ports](#input\_ingress\_extra\_cidrs\_and\_ports) | List of extra CIDR blocks and ports to include in Security Group Ingress rules |
object({
cidrs = list(string)
ports = list(number)
})
|
{
"cidrs": [],
"ports": []
}
| no | -| [log\_bucket\_access\_policy\_doc](#input\_log\_bucket\_access\_policy\_doc) | Log Bucket Access Data Access Policy | `string` | `null` | no | +| [log\_bucket\_access\_policy\_doc](#input\_log\_bucket\_access\_policy\_doc) | Contents of Log Bucket Access Data Access Policy | `string` | `null` | no | | [log\_bucket\_access\_policy\_name](#input\_log\_bucket\_access\_policy\_name) | Log Bucket Access Data Access Policy Name | `string` | `null` | no | -| [log\_data\_access\_policy\_doc](#input\_log\_data\_access\_policy\_doc) | Location or Contents of Log Data Access Policy | `string` | `null` | no | +| [log\_data\_access\_policy\_doc](#input\_log\_data\_access\_policy\_doc) | Contents of Log Data Access Policy | `string` | `null` | no | | [log\_data\_access\_policy\_name](#input\_log\_data\_access\_policy\_name) | Log Data Access Policy Name | `string` | `null` | no | | [log\_role\_name](#input\_log\_role\_name) | Log service role Name | `string` | `null` | no | | [log\_storage](#input\_log\_storage) | Optional log locations for CDP environment. If not provided follow the data\_storage variable |
object({
log_storage_bucket = string
log_storage_object = string
})
| `null` | no | @@ -171,7 +172,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [public\_cidr\_range](#input\_public\_cidr\_range) | Size of each public subnet. Required if create\_vpc is true. Number of subnets will be automatically selected to match on the number of Availability Zones in the selected AWS region. (Depending on the selected deployment pattern, one subnet will be created per region.) | `number` | `24` | no | | [random\_id\_for\_bucket](#input\_random\_id\_for\_bucket) | Create a random suffix for the bucket names | `bool` | `true` | no | | [ranger\_audit\_role\_name](#input\_ranger\_audit\_role\_name) | Ranger Audit role Name | `string` | `null` | no | -| [ranger\_audit\_s3\_policy\_doc](#input\_ranger\_audit\_s3\_policy\_doc) | Location or Contents of Ranger S3 Audit Data Access Policy | `string` | `null` | no | +| [ranger\_audit\_s3\_policy\_doc](#input\_ranger\_audit\_s3\_policy\_doc) | Contents of Ranger S3 Audit Data Access Policy | `string` | `null` | no | | [ranger\_audit\_s3\_policy\_name](#input\_ranger\_audit\_s3\_policy\_name) | Ranger S3 Audit Data Access Policy Name | `string` | `null` | no | | [security\_group\_default\_name](#input\_security\_group\_default\_name) | Default Security Group for CDP environment | `string` | `null` | no | | [security\_group\_endpoint\_name](#input\_security\_group\_endpoint\_name) | Security Group for VPC Endpoints | `string` | `null` | no | @@ -185,7 +186,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [vpc\_public\_inbound\_acl\_rules](#input\_vpc\_public\_inbound\_acl\_rules) | Inbound network ACLs for Public subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | | [vpc\_public\_outbound\_acl\_rules](#input\_vpc\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | | [vpc\_public\_subnets\_map\_public\_ip\_on\_launch](#input\_vpc\_public\_subnets\_map\_public\_ip\_on\_launch) | Auto-assign public IP on launch for instances created in Public Subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `bool` | `true` | no | -| [xaccount\_account\_policy\_doc](#input\_xaccount\_account\_policy\_doc) | Location of cross acount policy document | `string` | `null` | no | +| [xaccount\_account\_policy\_doc](#input\_xaccount\_account\_policy\_doc) | Contents of cross acount policy document | `string` | `null` | no | | [xaccount\_policy\_name](#input\_xaccount\_policy\_name) | Cross Account Policy name | `string` | `null` | no | | [xaccount\_role\_name](#input\_xaccount\_role\_name) | Cross account Assume role Name | `string` | `null` | no |
diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf
index d307737..3922fe2 100644
--- a/modules/terraform-cdp-aws-pre-reqs/main.tf
+++ b/modules/terraform-cdp-aws-pre-reqs/main.tf
@@ -281,6 +281,18 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "cdp_storage_locat
 }
 }
+resource "aws_s3_bucket_versioning" "cdp_storage_location_versioning" {
+
+ for_each = var.enable_bucket_versioning ? aws_s3_bucket.cdp_storage_locations : {}
+
+ bucket = each.value.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+
+}
+
 # ------- AWS Buckets directory structures -------
 # Data Storage Objects
 # NOTE: Removing creation of the data storage object because CDP overrides this
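Review bot: The new `aws_s3_bucket_versioning` resource is not paired with any lifecycle rule, so once `status = "Enabled"` takes effect every overwrite or delete in the data, log and backup buckets leaves a noncurrent version behind indefinitely; for the log location in particular that is unbounded growth, and it also means the retention of old versions is whatever S3 defaults to rather than something the module controls. An `aws_s3_bucket_lifecycle_configuration` keyed off the same `for_each` with a `noncurrent_version_expiration` would bound this (the retention period below is a placeholder to be agreed against the recovery requirement the versioning is meant to serve). Two operational consequences are also worth a comment on the resource: unless `aws_s3_bucket.cdp_storage_locations` sets `force_destroy = true` (outside this hunk), `terraform destroy` will now fail on any bucket holding noncurrent versions, and flipping `enable_bucket_versioning` back to false suspends versioning rather than disabling it, as far as I recall the provider's removal behaviour, so existing versions and their storage remain.
```hcl
# … unchanged: aws_s3_bucket_versioning.cdp_storage_location_versioning …

# Bound the retention of noncurrent versions created by versioning above.
resource "aws_s3_bucket_lifecycle_configuration" "cdp_storage_location_lifecycle" {
  for_each = var.enable_bucket_versioning ? aws_s3_bucket.cdp_storage_locations : {}

  bucket = each.value.id

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"

    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 30 # PLACEHOLDER: agree retention with the recovery requirement
    }
  }

  # Noncurrent-version rules require versioning to be in place first.
  depends_on = [aws_s3_bucket_versioning.cdp_storage_location_versioning]
}
```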
@@ -322,18 +334,6 @@ resource "aws_s3_object" "cdp_backup_storage_object" {
 ]
 }
-# ------- AWS Cross Account Policy -------
-# The policy here is a dict variable so we'll use the variable
-# directly in the aws_iam_policy resource.
-resource "aws_iam_policy" "cdp_xaccount_policy" {
- name = local.xaccount_policy_name
- description = "CDP Cross Account policy for ${var.env_prefix}"
-
- tags = merge(local.env_tags, { Name = local.xaccount_policy_name })
-
- policy = local.xaccount_account_policy_doc
-}
-
 # ------- CDP IDBroker Assume Role policy -------
 # First create the assume role policy document
 data "aws_iam_policy_document" "cdp_idbroker_policy_doc" {
@@ -486,10 +486,12 @@ resource "aws_iam_role" "cdp_xaccount_role" {
 tags = merge(local.env_tags, { Name = local.xaccount_role_name })
 }
-# Attach AWS Cross Account Policy to Cross Account Role
-resource "aws_iam_role_policy_attachment" "cdp_xaccount_role_attach" {
- role = aws_iam_role.cdp_xaccount_role.name
- policy_arn = aws_iam_policy.cdp_xaccount_policy.arn
+# Create AWS Cross Account Inline Policy
+resource "aws_iam_role_policy" "cdp_xaccount_policy" {
+ name = local.xaccount_policy_name
+ role = aws_iam_role.cdp_xaccount_role.id
+
+ policy = local.xaccount_account_policy_doc
 }
 # Wait for propagation of IAM xaccount role.
@@ -774,6 +776,8 @@ resource "aws_iam_role_policy_attachment" "cdp_ranger_audit_role_attach6" {
 # ------- Add missing iam:Tag* permissions to Cross-Account Policy -------
 # First create the extra policy document
 data "aws_iam_policy_document" "cdp_extra_xaccount_policy_doc" {
+ count = var.create_extra_xaccount_policy ? 1 : 0
+
 version = "2012-10-17"
 statement {
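Review bot: Replacing the managed `aws_iam_policy` plus `aws_iam_role_policy_attachment` with `aws_iam_role_policy.cdp_xaccount_policy` changes what happens to an already-deployed cross-account role on upgrade: Terraform will destroy the attachment and the managed policy and create the inline policy with no dependency between those operations, so the role can briefly carry no permissions mid-apply, which deserves a comment above the resource such as `# NOTE: upgrading from the managed-policy version replaces the policy in place; expect a brief window with no cross-account permissions during apply` and a line in the module's upgrade notes. Inline policies also share a single per-role size quota (10,240 characters for all inline policies on a role, against 6,144 per managed policy, if I have the limits right), so `local.xaccount_account_policy_doc` now competes with the `cdp_extra_xaccount_policy` inline policy created in the hunk at @@ -788; worth a sentence in the description of `xaccount_account_policy_doc`. The `description` and `tags = merge(local.env_tags, …)` the managed policy carried are dropped because `aws_iam_role_policy` is not taggable, so anything that relied on the `Name` tag to find the policy will no longer see it. If the "Wait for propagation" resource that follows this hunk referenced `aws_iam_role_policy_attachment.cdp_xaccount_role_attach` in a `depends_on`, it needs repointing to the new resource; its body is outside the hunk so I cannot confirm either way.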
@@ -788,18 +792,12 @@ data "aws_iam_policy_document" "cdp_extra_xaccount_policy_doc" {
 }
 }
-# Then create the policy using the document
-resource "aws_iam_policy" "cdp_extra_xaccount_policy" {
- name = "${var.env_prefix}-cross-account-extra"
- description = "Additional Cross Account Policy for ${var.env_prefix}"
-
- tags = { Name = "${var.env_prefix}-cross-account-extra" }
+# Then create the inline policy using the document
+resource "aws_iam_role_policy" "cdp_extra_xaccount_policy" {
+ count = var.create_extra_xaccount_policy ? 1 : 0
- policy = data.aws_iam_policy_document.cdp_extra_xaccount_policy_doc.json
-}
+ name = "${var.env_prefix}-cross-account-extra"
+ role = aws_iam_role.cdp_xaccount_role.id
-# Attach this policy to the cross account role
-resource "aws_iam_role_policy_attachment" "cdp_extra_xaccount_attach" {
- role = aws_iam_role.cdp_xaccount_role.name
- policy_arn = aws_iam_policy.cdp_extra_xaccount_policy.arn
+ policy = data.aws_iam_policy_document.cdp_extra_xaccount_policy_doc[0].json
 }
diff --git a/modules/terraform-cdp-aws-pre-reqs/variables.tf b/modules/terraform-cdp-aws-pre-reqs/variables.tf
index 8e54286..b2fdb03 100644
--- a/modules/terraform-cdp-aws-pre-reqs/variables.tf
+++ b/modules/terraform-cdp-aws-pre-reqs/variables.tf
@@ -357,6 +357,16 @@ variable "enable_kms_bucket_encryption" {
 }
+variable "enable_bucket_versioning" {
+
+ type = bool
+
+ description = "Flag to enable versioning of S3 buckets."
+
+ default = true
+
+}
+
 # ------- Policies -------
 # Cross Account Policy (name and document)
 variable "xaccount_policy_name" {
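Review bot: The description of the new `enable_bucket_versioning` variable, `"Flag to enable versioning of S3 buckets."`, says nothing about what the flag does to an environment that already exists, which is where an operator will actually be surprised. I would word it as `description = "Flag to enable versioning of the CDP data, log and backup S3 buckets. No lifecycle expiry of noncurrent versions is applied by the module; setting the flag back to false on an existing deployment suspends versioning but leaves existing object versions in place."`. The suspend-rather-than-disable part is how I recall the provider handles removal of an `aws_s3_bucket_versioning` resource; please confirm against the provider version the module pins before committing that wording. The `variable` block is complete within this hunk.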
@@ -368,11 +378,18 @@ variable "xaccount_policy_name" {
 variable "xaccount_account_policy_doc" {
 type = string
- description = "Location of cross acount policy document"
+ description = "Contents of cross acount policy document"
 default = null
 }
+variable "create_extra_xaccount_policy" {
+ type = bool
+ description = "Create extra Cross-Account Policy for missing iam:Tag* permissions required for Data Services."
+
+ default = true
+}
+
 # CDP IDBroker Assume Role policy
 variable "idbroker_policy_name" {
 type = string
@@ -391,7 +408,7 @@ variable "log_data_access_policy_name" {
 variable "log_data_access_policy_doc" {
 type = string
- description = "Location or Contents of Log Data Access Policy"
+ description = "Contents of Log Data Access Policy"
 default = null
 }
@@ -406,7 +423,7 @@ variable "ranger_audit_s3_policy_name" {
 variable "ranger_audit_s3_policy_doc" {
 type = string
- description = "Location or Contents of Ranger S3 Audit Data Access Policy"
+ description = "Contents of Ranger S3 Audit Data Access Policy"
 default = null
 }
@@ -421,21 +438,21 @@ variable "datalake_admin_s3_policy_name" {
 variable "datalake_admin_s3_policy_doc" {
 type = string
- description = "Location or Contents of Datalake Admin S3 Data Access Policy"
+ description = "Contents of Datalake Admin S3 Data Access Policy"
 default = null
 }
 variable "datalake_backup_policy_doc" {
 type = string
- description = "Location of Datalake Backup Data Access Policy"
+ description = "Contents of Datalake Backup Data Access Policy"
 default = null
 }
 variable "datalake_restore_policy_doc" {
 type = string
- description = "Location of Datalake Restore Data Access Policy"
+ description = "Contents of Datalake Restore Data Access Policy"
 default = null
 }
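Review bot: The rewritten description of `xaccount_account_policy_doc` still carries the typo `acount`; since the line is being changed anyway it should read `description = "Contents of cross account policy document"`. The README input table (which looks terraform-docs generated, given the matching README.md hunk) would then pick the corrected string up on its next regeneration rather than preserving the typo in two places. For the new `create_extra_xaccount_policy` variable in the same hunk, a sentence saying what turning it off does to a live environment would be useful, since the inline policy it gates is removed from the cross-account role on the next apply: `description = "Create extra Cross-Account Policy for missing iam:Tag* permissions required for Data Services. Setting this to false on an existing deployment removes those permissions from the cross-account role."`.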
@@ -485,13 +502,13 @@ variable "data_bucket_access_policy_doc" {
 }
 variable "log_bucket_access_policy_doc" {
 type = string
- description = "Log Bucket Access Data Access Policy"
+ description = "Contents of Log Bucket Access Data Access Policy"
 default = null
 }
 variable "backup_bucket_access_policy_doc" {
 type = string
- description = "Backup Bucket Access Data Access Policy"
+ description = "Contents of Backup Bucket Access Data Access Policy"
 default = null
 }