data_template_bucket_policy.tf

# template file for policy section: denying the unencrypted uploads
data "template_file" "bucket_policy_for_deny_unencrypted" {
  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_deny_unencrypted.json.tpl")}"

  vars {
    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
  }
}

# template file for policy section: standard users
data "template_file" "bucket_policy_for_a_standard_user" {
  count    = "${length(var.iam_user_s3_standard_names)}"
  template = "${file("${path.module}/templates/bucket_policies/bucket_policy_user_template.json.tpl")}"

  vars {
    bucket-arn = "${aws_s3_bucket.s3_bucket.arn}"
    user-name  = "${element(aws_iam_user.standard_user.*.name, count.index)}"
    kms-key    = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
  }
}

# combine policy sections into one 
data "template_file" "bucket_policy" {
  template = <<JSON
$${policy_start}
$${deny_unencrypted_object_uploads}
$${user_policies}
$${policy_end}

JSON

  vars {
    policy_start                    = "${file("${path.module}/templates/bucket_policies/bucket_policy_start.json.tpl")}"
    deny_unencrypted_object_uploads = "${data.template_file.bucket_policy_for_deny_unencrypted.rendered}"
    user_policies                   = "${join(",\n", data.template_file.bucket_policy_for_a_standard_user.*.rendered)}"
    policy_end                      = "${file("${path.module}/templates/bucket_policies/bucket_policy_end.json.tpl")}"
  }
}