From 5b6b1818417581d9e718d43d6384818a3ab66e0b Mon Sep 17 00:00:00 2001
From: Michael Arnold
Date: Tue, 27 Jul 2021 10:59:31 -0400
Subject: [PATCH] Add an optional list of IP CIDRs which can access the S3 website.

---
 main.tf | 28 ++++++++++++++++++++++++++++
 variables.tf | 8 +++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index a85e2d9..c2ec343 100644
--- a/main.tf
+++ b/main.tf
@@ -153,6 +153,34 @@ data "aws_iam_policy_document" "default" {
 }
 }
+ dynamic "statement" {
+ for_each = flatten(var.trusted_ips) != [] ? [1] : []
+
+ # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
+ content {
+ sid = "AllowTrustedIPsOnly"
+ effect = "Deny"
+ actions = ["s3:*"]
+ resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+
+ principals {
+ identifiers = ["*"]
+ type = "*"
+ }
+
+ condition {
+ test = "NotIpAddress"
+ values = var.trusted_ips
+ variable = "aws:SourceIp"
+ }
+ condition {
+ test = "Bool"
+ values = ["false"]
+ variable = "aws:ViaAWSService"
+ }
+ }
+ }
+
+ # Support replication ARNs
+ dynamic "statement" {
+ for_each = flatten(data.aws_iam_policy_document.replication.*.statement)
diff --git a/variables.tf b/variables.tf
index 5bb0f4b..74e5539 100644
--- a/variables.tf
+++ b/variables.tf
@@ -157,4 +157,10 @@ variable "allow_ssl_requests_only" {
 type = bool
 default = false
 description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
-}
\ No newline at end of file
+}
+
+variable "trusted_ips" {
+ type = list(string)
+ default = []
+ description = "(Optional) List of IP CIDRs which can access the S3 website"
+}
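Review bot: The new Deny statement matches every principal (`type = "*"`, `identifiers = ["*"]`) for all `s3:*` actions, so once `trusted_ips` is non-empty the bucket-owning account's own users and the identity running Terraform are refused from any address outside the list, and a wrong or stale list locks the operator out until the policy is corrected from a trusted address. The linked AWS example carries exactly that caution, and it belongs next to the link here, e.g. `# NOTE: denies the account's own principals too (including the Terraform runner) when their source IP is not in trusted_ips`. Requests arriving through a VPC gateway endpoint present no public `aws:SourceIp`, so they fall under `NotIpAddress` and are denied as well; a second comment line stating that would save a puzzled debugging session. As a point of style, `flatten(var.trusted_ips) != [] ? [1] : []` is an unusual spelling of the conventional `length(var.trusted_ips) > 0 ? [1] : []`. The enclosing `data "aws_iam_policy_document" "default"` block begins before this hunk and continues after it.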
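Review bot: `trusted_ips` is passed straight into an `aws:SourceIp` condition but nothing checks that each entry is a CIDR, so a bare address or a typo only surfaces when the bucket policy is applied, and the description does not say that the list restricts every principal rather than only anonymous website visitors. If the module's required Terraform version is recent enough for variable `validation` blocks and `alltrue`, `condition = alltrue([for ip in var.trusted_ips : can(cidrhost(ip, 0))])` with `error_message = "Each trusted_ips entry must be an IPv4 or IPv6 CIDR."` catches this at plan time. The description would also benefit from a clause such as "when set, all other source IPs, including the account's own principals, are denied".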