Restricting access to S3 bucket by custom tag on the IAM identity according to security email in databricks_aws_bucket_policy data resource (#1694)

Author: edmondop

aws/data_aws_bucket_policy.go

@@ -39,6 +39,14 @@ func DataAwsBucketPolicy() *schema.Resource {
 					},
 				},
 			}
+			e2AccountId := d.Get("databricks_e2_account_id").(string)
+			if e2AccountId != "" {
+				policy.Statements[0].Condition = map[string]map[string]string{
+					"StringEquals": {
+						"aws:PrincipalTag/DatabricksAccountId": e2AccountId,
+					},
+				}
+			}
 			if v, ok := d.GetOk("full_access_role"); ok {
 				policy.Statements[0].Principal["AWS"] = v.(string)
 			}
@@ -57,6 +65,10 @@ func DataAwsBucketPolicy() *schema.Resource {
 				Default:  "414351767826",
 				Optional: true,
 			},
+			"databricks_e2_account_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"full_access_role": {
 				Type:     schema.TypeString,
 				Optional: true,

aws/data_aws_bucket_policy_test.go

@@ -37,3 +37,19 @@ func TestDataAwsBucketPolicy_FullAccessRole(t *testing.T) {
 	j := d.Get("json")
 	assert.Lenf(t, j, 413, "Strange length for policy: %s", j)
 }
+
+func TestDataAwsBucketPolicyConfusedDeputyProblem(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsBucketPolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+		bucket = "abc"
+		databricks_e2_account_id = "my_e2_account_id"
+		`,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json")
+	assert.Lenf(t, j, 575, "Strange length for policy: %s", j)
+}

docs/data-sources/aws_bucket_policy.md

@@ -74,6 +74,7 @@ resource "aws_s3_bucket_policy" "ds" {
 
 * `bucket` - (Required) AWS S3 Bucket name for which to generate the policy document.
 * `full_access_role` - (Optional) Data access role that can have full access for this bucket
+* `databricks_e2_account_id` - (Optional) Your Databricks E2 account ID. Used to generate  restrictive IAM policies that will increase the security of your root bucket 
 
 ## Attribute Reference