S3 trigger now specifies source account for compliance

mitre · Sep 20, 2021 · f68f75b · f68f75b
1 parent 6fb4f54
commit f68f75b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -212,11 +212,12 @@ data "aws_s3_bucket" "results_bucket" {
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
 #
 resource "aws_lambda_permission" "allow_bucket" {
-  statement_id  = "AllowHeimdallPusherExecutionFromS3Bucket"
-  action        = "lambda:InvokeFunction"
-  function_name = module.serverless-heimdall-pusher-lambda.lambda_function_arn
-  principal     = "s3.amazonaws.com"
-  source_arn    = data.aws_s3_bucket.results_bucket.arn
+  statement_id   = "AllowHeimdallPusherExecutionFromS3Bucket"
+  action         = "lambda:InvokeFunction"
+  function_name  = module.serverless-heimdall-pusher-lambda.lambda_function_arn
+  principal      = "s3.amazonaws.com"
+  source_arn     = data.aws_s3_bucket.results_bucket.arn
+  source_account = var.results_bucket_source_account_id != null ? var.results_bucket_source_account_id : data.aws_caller_identity.current.account_id
 }
 
 ##

diff --git a/variables.tf b/variables.tf
@@ -26,6 +26,12 @@ variable "results_bucket_id" {
   type        = string
 }
 
+variable "results_bucket_source_account_id" {
+  description = "The AWS account ID (without a hyphen) of the results S3 bucket source owner."
+  type        = string
+  default     = null
+}
+
 variable "subnet_ids" {
   description = "The subnet ids to deploy the lambda to."
   type        = list(string)