Merge pull request #110 from flamingspaz/fixthebucket

Split Jenkins bucket policies to separate resources

backups.tf

@@ -13,8 +13,35 @@ data "aws_iam_policy_document" "jenkins-backup-bucket-policy" {
 
         resources = [
             "${aws_s3_bucket.jenkins-duplicity-backup.arn}",
-            "${aws_s3_bucket.jenkins-public-duplicity-backup.arn}",
             "${aws_s3_bucket.jenkins-duplicity-backup.arn}/*",
+        ]
+
+        condition {
+            test = "StringNotLike"
+            variable = "aws:userId"
+            values = [
+                "${aws_iam_role.admin-access-role.unique_id}:*",
+                "${var.aws_account_id}"
+            ]
+        }
+    }
+}
+
+data "aws_iam_policy_document" "jenkins-public-backup-bucket-policy" {
+
+    statement {
+        effect = "Deny"
+        actions = [
+            "s3:*",
+        ]
+
+        principals {
+            type = "AWS"
+            identifiers = ["*"]
+        }
+
+        resources = [
+            "${aws_s3_bucket.jenkins-public-duplicity-backup.arn}",
             "${aws_s3_bucket.jenkins-public-duplicity-backup.arn}/*"
         ]
 
@@ -59,5 +86,5 @@ resource "aws_s3_bucket_policy" "jenkins-backup-bucket-policy-attachment" {
 
 resource "aws_s3_bucket_policy" "jenkins-public-backup-bucket-policy-attachment" {
   bucket = "${aws_s3_bucket.jenkins-public-duplicity-backup.id}"
-  policy = "${data.aws_iam_policy_document.jenkins-backup-bucket-policy.json}"
+  policy = "${data.aws_iam_policy_document.jenkins-public-backup-bucket-policy.json}"
 }