allow write list and read list to be separate

smiller171 · smiller171 · commit 1902eac48b9f · 2021-05-14T11:52:27.000-04:00
diff --git a/README.md b/README.md
@@ -48,8 +48,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allow_cross_account_write"></a> [allow\_cross\_account\_write](#input\_allow\_cross\_account\_write) | Allow write access to helm repo from `allowed_account_ids` | `bool` | `false` | no |
 | <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of AWS account IDs to grant read-only access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts. | `list(string)` | `[]` | no |
+| <a name="input_allowed_account_ids_write"></a> [allowed\_account\_ids\_write](#input\_allowed\_account\_ids\_write) | List of AWS account IDs to grant write access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts. | `list(string)` | `[]` | no |
 | <a name="input_logging_bucket"></a> [logging\_bucket](#input\_logging\_bucket) | S3 bucket name to log bucket access requests to (optional) | `string` | `null` | no |
 | <a name="input_logging_bucket_prefix"></a> [logging\_bucket\_prefix](#input\_logging\_bucket\_prefix) | S3 bucket prefix to log bucket access requests to (optional). If blank but a `logging_bucket` is specified, this will be set to the name of the bucket | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Bucket name for the helm repo. Specify to control the exact name of the bucket, otherwise use `name_suffix` | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -131,7 +131,7 @@ data "aws_iam_policy_document" "this" {
   }
 
   dynamic "statement" {
-    for_each = var.allow_cross_account_write ? var.allowed_account_ids : []
+    for_each = var.allowed_account_ids_write
 
     content {
       sid       = "Allow Cross-account write access (${statement.value})"
diff --git a/variables.tf b/variables.tf
@@ -1,18 +1,18 @@
 ########################################
 # General Vars
 ########################################
-variable "allow_cross_account_write" {
-  default     = false
-  description = "Allow write access to helm repo from `allowed_account_ids`"
-  type        = bool
-}
-
 variable "allowed_account_ids" {
   default     = []
   description = "List of AWS account IDs to grant read-only access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts."
   type        = list(string)
 }
 
+variable "allowed_account_ids_write" {
+  default     = []
+  description = "List of AWS account IDs to grant write access to the repo. Due to how policies are constructed, there's effectively a limit of about 9 accounts."
+  type        = list(string)
+}
+
 variable "logging_bucket" {
   default     = null
   description = "S3 bucket name to log bucket access requests to (optional)"

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ data "aws_iam_policy_document" "this" {`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`dynamic "statement" {`
`134`		`- for_each = var.allow_cross_account_write ? var.allowed_account_ids : []`
	`134`	`+ for_each = var.allowed_account_ids_write`
`135`	`135`
`136`	`136`	`content {`
`137`	`137`	`sid = "Allow Cross-account write access (${statement.value})"`