From 0a637be9b374004cd5d605c85af1fc55dbefddcb Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 19 Aug 2015 10:15:43 +0100
Subject: [PATCH] aws: Add example w/ S3 & cross-account access
---
.../aws-s3-cross-account-access/README.md | 20 +++++++
examples/aws-s3-cross-account-access/main.tf | 54 +++++++++++++++++++
examples/aws-s3-cross-account-access/prod.txt | 1 +
.../terraform.template.tfvars | 10 ++++
examples/aws-s3-cross-account-access/test.txt | 1 +
.../aws-s3-cross-account-access/variables.tf | 8 +++
6 files changed, 94 insertions(+)
create mode 100644 examples/aws-s3-cross-account-access/README.md
create mode 100644 examples/aws-s3-cross-account-access/main.tf
create mode 100644 examples/aws-s3-cross-account-access/prod.txt
create mode 100644 examples/aws-s3-cross-account-access/terraform.template.tfvars
create mode 100644 examples/aws-s3-cross-account-access/test.txt
create mode 100644 examples/aws-s3-cross-account-access/variables.tf
diff --git a/examples/aws-s3-cross-account-access/README.md b/examples/aws-s3-cross-account-access/README.md
new file mode 100644
index 000000000..fa94aa301
--- /dev/null
+++ b/examples/aws-s3-cross-account-access/README.md
@@ -0,0 +1,20 @@
+# S3 bucket with cross-account access
+
+This example describes how to create an S3 bucket in one AWS account and give access to that bucket to another user from another AWS account using bucket policy.
+It demonstrates capabilities of provider aliases.
+
+See [more in the S3 documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html).
+
+## How to run
+
+Either `cp terraform.template.tfvars terraform.tfvars` and modify that new file accordingly or provide variables via CLI:
+
+```
+terraform apply \
+ -var="prod_access_key=AAAAAAAAAAAAAAAAAAA" \
+ -var="prod_secret_key=SuperSecretKeyForAccountA" \
+ -var="test_account_id=123456789012" \
+ -var="test_access_key=BBBBBBBBBBBBBBBBBBB" \
+ -var="test_secret_key=SuperSecretKeyForAccountB" \
+ -var="bucket_name=tf-bucket-in-prod" \
+```
diff --git a/examples/aws-s3-cross-account-access/main.tf b/examples/aws-s3-cross-account-access/main.tf
new file mode 100644
index 000000000..ffe565bef
--- /dev/null
+++ b/examples/aws-s3-cross-account-access/main.tf
@@ -0,0 +1,54 @@
+provider "aws" {
+ alias = "prod"
+
+ region = "us-east-1"
+ access_key = "${var.prod_access_key}"
+ secret_key = "${var.prod_secret_key}"
+}
+
+resource "aws_s3_bucket" "prod" {
+ provider = "aws.prod"
+
+ bucket = "${var.bucket_name}"
+ acl = "private"
+ policy = <