diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61125a7..af616b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [6.12.0] - 2022-03-15
+### Added
+- Added functionality for allowing certain IAM roles to have unrestricted read access by schema/prefix mapping - see `apiary_consumer_prefix_iamroles`.
+- Documented `apiary_consumer_iamroles`, `apiary_consumer_prefix_iamroles`, and `apiary_customer_condition` in `VARIABLES.md`.
+
## [6.11.5] - 2022-03-01
### Changed
- Disable S3 object ACLs.
diff --git a/VARIABLES.md b/VARIABLES.md
index da362a7..82aeeef 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -2,102 +2,103 @@
## Inputs
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| apiary\_assume\_roles | Cross account AWS IAM roles allowed write access to managed Apiary S3 buckets using assume policy. | `list(any)` | `[]` | no |
-| apiary\_consumer\_iamroles | AWS IAM roles allowed read access to managed Apiary S3 buckets. | `list(string)` | `[]` | no |
-| apiary\_customer\_accounts | AWS account IDs for clients of this Metastore. | `list(string)` | `[]` | no |
-| apiary\_customer\_condition | IAM policy condition applied to customer account s3 object access. | `string` | `""` | no |
-| apiary\_database\_name | Database name to create in RDS for Apiary. | `string` | `"apiary"` | no |
-| apiary\_deny\_iamrole\_actions | List of S3 actions that 'apiary\_deny\_iamroles' are not allowed to perform. | `list(string)` |
[
"s3:Abort*",
"s3:Bypass*",
"s3:Delete*",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:Put*",
"s3:Replicate*",
"s3:Restore*"
]
| no |
-| apiary\_deny\_iamroles | AWS IAM roles denied access to Apiary managed S3 buckets. | `list(string)` | `[]` | no |
-| apiary\_domain\_name | Apiary domain name for Route 53. | `string` | `""` | no |
-| apiary\_governance\_iamroles | AWS IAM governance roles allowed read and tagging access to managed Apiary S3 buckets. | `list(string)` | `[]` | no |
-| apiary\_log\_bucket | Bucket for Apiary logs.If this is blank, module will create a bucket. | `string` | `""` | no |
-| apiary\_log\_prefix | Prefix for Apiary logs. | `string` | `""` | no |
-| apiary\_managed\_schemas | List of maps, each map contains schema name from which S3 bucket names will be derived, and various properties. The corresponding S3 bucket will be named as apiary\_instance-aws\_account-aws\_region-schema\_name. | `list(map(string))` | `[]` | no |
-| apiary\_producer\_iamroles | AWS IAM roles allowed write access to managed Apiary S3 buckets. | `map(any)` | `{}` | no |
-| apiary\_rds\_additional\_sg | Comma-separated string containing additional security groups to attach to RDS. | `list(any)` | `[]` | no |
-| apiary\_shared\_schemas | Schema names which are accessible from read-only metastore, default is all schemas. | `list(any)` | `[]` | no |
-| apiary\_tags | Common tags that get put on all resources. | `map(any)` | n/a | yes |
-| atlas\_cluster\_name | Name of the Atlas cluster where metastore plugin will send DDL events. Defaults to `var.instance_name` if not set. | `string` | `""` | no |
-| atlas\_kafka\_bootstrap\_servers | Kafka instance url. | `string` | `""` | no |
-| aws\_region | AWS region. | `string` | n/a | yes |
-| dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
-| db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
-| db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | n/a | yes |
-| db\_backup\_window | Preferred backup window for the RDS Metastore DB in UTC. | `string` | `"02:00-03:00"` | no |
-| db\_instance\_class | Instance type for the RDS Metastore DB. | `string` | n/a | yes |
-| db\_instance\_count | Desired count of database cluster instances. | `string` | `"2"` | no |
-| db\_maintenance\_window | Preferred maintenance window for the RDS Metastore DB in UTC. | `string` | `"wed:03:00-wed:04:00"` | no |
-| db\_master\_username | Aurora cluster MySQL master user name. | `string` | `"apiary"` | no |
-| db\_ro\_secret\_name | Aurora cluster MySQL read-only user SecretsManger secret name. | `string` | `""` | no |
-| db\_rw\_secret\_name | Aurora cluster MySQL read/write user SecretsManager secret name. | `string` | `""` | no |
-| disallow\_incompatible\_col\_type\_changes | Hive metastore setting to disallow validation when incompatible schema type changes. | `bool` | `true` | no |
-| docker\_registry\_auth\_secret\_name | Docker Registry authentication SecretManager secret name. | `string` | `""` | no |
-| ecs\_domain\_extension | Domain name to use for hosted zone created by ECS service discovery. | `string` | `"lcl"` | no |
-| elb\_timeout | Idle timeout for Apiary ELB. | `string` | `"1800"` | no |
-| enable\_apiary\_s3\_log\_hive | Create hive database to archive s3 logs in parquet format.Only applicable when module manages logs S3 bucket. | `bool` | `true` | no |
-| enable\_data\_events | Enable managed buckets S3 event notifications. | `bool` | `false` | no |
-| enable\_gluesync | Enable metadata sync from Hive to the Glue catalog. | `bool` | `false` | no |
-| enable\_hive\_metastore\_metrics | Enable sending Hive Metastore metrics to CloudWatch. | `bool` | `false` | no |
-| enable\_metadata\_events | Enable Hive Metastore SNS listener. | `bool` | `false` | no |
-| enable\_s3\_paid\_metrics | Enable managed S3 buckets request and data transfer metrics. | `bool` | `false` | no |
-| enable\_vpc\_endpoint\_services | Enable metastore NLB, Route53 entries VPC access and VPC endpoint services, for cross-account access. | `bool` | `true` | no |
-| encrypt\_db | Specifies whether the DB cluster is encrypted | `bool` | `false` | no |
-| external\_data\_buckets | Buckets that are not managed by Apiary but added to Hive Metastore IAM role access. | `list(any)` | `[]` | no |
-| external\_database\_host | External Metastore database host to support legacy installations, MySQL database won't be created by Apiary when this option is specified. | `string` | `""` | no |
-| hive\_metastore\_port | Port on which both Hive Metastore readwrite and readonly will run. | `number` | `9083` | no |
-| hms\_docker\_image | Docker image ID for the Hive Metastore. | `string` | n/a | yes |
-| hms\_docker\_version | Version of the Docker image for the Hive Metastore. | `string` | n/a | yes |
-| hms\_instance\_type | Hive Metastore instance type, possible values: ecs,k8s. | `string` | `"ecs"` | no |
-| hms\_log\_level | Log level for the Hive Metastore. | `string` | `"INFO"` | no |
-| hms\_nofile\_ulimit | Ulimit for the Hive Metastore container. | `string` | `"32768"` | no |
-| hms\_ro\_cpu | CPU for the read only Hive Metastore ECS task.
Valid values can be 256, 512, 1024, 2048 and 4096.
Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"512"` | no |
-| hms\_ro\_ecs\_task\_count | Desired ECS task count of the read only Hive Metastore service. | `string` | `"3"` | no |
-| hms\_ro\_heapsize | Heapsize for the read only Hive Metastore.
Valid values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"2048"` | no |
-| hms\_rw\_cpu | CPU for the read/write Hive Metastore ECS task.
Valid values can be 256, 512, 1024, 2048 and 4096.
Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"512"` | no |
-| hms\_rw\_ecs\_task\_count | Desired ECS task count of the read/write Hive Metastore service. | `string` | `"3"` | no |
-| hms\_rw\_heapsize | Heapsize for the read/write Hive Metastore.
Valid values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"2048"` | no |
-| iam\_name\_root | Name to identify Hive Metastore IAM roles. | `string` | `"hms"` | no |
-| ingress\_cidr | Generally allowed ingress CIDR list. | `list(string)` | n/a | yes |
-| instance\_name | Apiary instance name to identify resources in multi-instance deployments. | `string` | `""` | no |
-| k8s\_docker\_registry\_secret | Docker Registry authentication K8s secret name. | `string` | `""` | no |
-| kafka\_bootstrap\_servers | Kafka bootstrap servers to send metastore events, setting this enables Hive Metastore Kafka listener. | `string` | `""` | no |
-| kafka\_topic\_name | Kafka topic to send metastore events. | `string` | `""` | no |
-| kiam\_arn | Kiam server IAM role ARN. | `string` | `""` | no |
-| ldap\_base | Active directory LDAP base DN to search users and groups. | `string` | `""` | no |
-| ldap\_ca\_cert | Base64 encoded Certificate Authority bundle to validate LDAPS connections. | `string` | `""` | no |
-| ldap\_secret\_name | Active directory LDAP bind DN SecretsManager secret name. | `string` | `""` | no |
-| ldap\_url | Active directory LDAP URL to configure Hadoop LDAP group mapping. | `string` | `""` | no |
-| metastore\_namespace | k8s namespace to deploy metastore containers. | `string` | `"metastore"` | no |
-| oidc\_provider | EKS cluster OIDC provider name, required for configuring IAM using IRSA. | `string` | `""` | no |
-| private\_subnets | Private subnets. | `list(any)` | n/a | yes |
-| ranger\_audit\_db\_url | Ranger DB audit provider configuration. | `string` | `""` | no |
-| ranger\_audit\_secret\_name | Ranger DB audit secret name. | `string` | `""` | no |
-| ranger\_audit\_solr\_url | Ranger Solr audit provider configuration. | `string` | `""` | no |
-| ranger\_policy\_manager\_url | Ranger admin URL to synchronize policies. | `string` | `""` | no |
-| rds\_max\_allowed\_packet | RDS/MySQL setting for parameter 'max\_allowed\_packet' in bytes. Default is 128MB (Note that MySQL default is 4MB). | `number` | `134217728` | no |
-| rw\_ingress\_cidr | Read-Write metastore ingress CIDR list. If not set, defaults to `var.ingress_cidr`. | `list(string)` | `[]` | no |
-| s3\_enable\_inventory | Enable S3 inventory configuration. | `bool` | `false` | no |
-| s3\_inventory\_customer\_accounts | AWS account IDs allowed to access s3 inventory database. | `list(string)` | `[]` | no |
-| s3\_inventory\_format | Output format for S3 inventory results. Can be Parquet, ORC, CSV | `string` | `"ORC"` | no |
-| s3\_inventory\_update\_schedule | Cron schedule to update S3 inventory tables (if enabled). Defaults to every 12 hours. | `string` | `"0 */12 * * *"` | no |
-| s3\_lifecycle\_abort\_incomplete\_multipart\_upload\_days | Number of days after which incomplete multipart uploads will be deleted. | `string` | `"7"` | no |
-| s3\_lifecycle\_policy\_transition\_period | S3 Lifecycle Policy number of days for Transition rule | `string` | `"30"` | no |
-| s3\_log\_expiry | Number of days after which Apiary S3 bucket logs expire. | `string` | `"365"` | no |
-| s3\_logs\_sqs\_delay\_seconds | The time in seconds that the delivery of all messages in the queue will be delayed. | `number` | `300` | no |
-| s3\_logs\_sqs\_message\_retention\_seconds | Time in seconds after which message will be deleted from the queue. | `number` | `345600` | no |
-| s3\_logs\_sqs\_receive\_wait\_time\_seconds | The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. | `number` | `10` | no |
-| s3\_logs\_sqs\_visibility\_timeout\_seconds | Time in seconds after which message will be returned to the queue if it is not deleted. | `number` | `3600` | no |
-| s3\_storage\_class | S3 storage class after transition using lifecycle policy | `string` | `"INTELLIGENT_TIERING"` | no |
-| secondary\_vpcs | List of VPCs to associate with Service Discovery namespace. | `list(any)` | `[]` | no |
-| system\_schema\_customer\_accounts | AWS account IDs allowed to access system database. | `list(string)` | `[]` | no |
-| system\_schema\_name | Name for the internal system database | `string` | `"apiary_system"` | no |
-| table\_param\_filter | A regular expression for selecting necessary table parameters for the SNS listener. If the value isn't set, then no table parameters are selected. | `string` | `""` | no |
-| vpc\_id | VPC ID. | `string` | n/a | yes |
-| enable\_dashboard | make EKS & ECS dashboard optional | `bool` | true | no |
-| rds\_family | RDS Family | `string` | aurora5.6 | no |
+| Name | Description | Type | Default | Required |
+|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------:|
+| apiary\_assume\_roles | Cross account AWS IAM roles allowed write access to managed Apiary S3 buckets using assume policy. | `list(any)` | `[]` | no |
+| apiary\_consumer\_iamroles | AWS IAM roles allowed unrestricted (not subject to `apiary_customer_condition`) read access to all data in managed Apiary S3 buckets. | `list(string)` | `[]` | no |
+| apiary\_consumer\_prefix\_iamroles | AWS IAM roles allowed unrestricted (not subject to `apiary_customer_condition`) read access to certain prefixes in managed Apiary S3 buckets. See below section for more information and format. | `map(map(list(string)` | `{}` | no |
+| apiary\_customer\_accounts | AWS account IDs for clients of this Metastore. | `list(string)` | `[]` | no |
+| apiary\_customer\_condition | IAM policy condition applied to customer account S3 object access. | `string` | `""` | no |
+| apiary\_database\_name | Database name to create in RDS for Apiary. | `string` | `"apiary"` | no |
+| apiary\_deny\_iamrole\_actions | List of S3 actions that 'apiary\_deny\_iamroles' are not allowed to perform. | `list(string)` | [
"s3:Abort*",
"s3:Bypass*",
"s3:Delete*",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:Put*",
"s3:Replicate*",
"s3:Restore*"
]
| no |
+| apiary\_deny\_iamroles | AWS IAM roles denied access to Apiary managed S3 buckets. | `list(string)` | `[]` | no |
+| apiary\_domain\_name | Apiary domain name for Route 53. | `string` | `""` | no |
+| apiary\_governance\_iamroles | AWS IAM governance roles allowed read and tagging access to managed Apiary S3 buckets. | `list(string)` | `[]` | no |
+| apiary\_log\_bucket | Bucket for Apiary logs.If this is blank, module will create a bucket. | `string` | `""` | no |
+| apiary\_log\_prefix | Prefix for Apiary logs. | `string` | `""` | no |
+| apiary\_managed\_schemas | List of maps, each map contains schema name from which S3 bucket names will be derived, and various properties. The corresponding S3 bucket will be named as apiary\_instance-aws\_account-aws\_region-schema\_name. | `list(map(string))` | `[]` | no |
+| apiary\_producer\_iamroles | AWS IAM roles allowed write access to managed Apiary S3 buckets. | `map(any)` | `{}` | no |
+| apiary\_rds\_additional\_sg | Comma-separated string containing additional security groups to attach to RDS. | `list(any)` | `[]` | no |
+| apiary\_shared\_schemas | Schema names which are accessible from read-only metastore, default is all schemas. | `list(any)` | `[]` | no |
+| apiary\_tags | Common tags that get put on all resources. | `map(any)` | n/a | yes |
+| atlas\_cluster\_name | Name of the Atlas cluster where metastore plugin will send DDL events. Defaults to `var.instance_name` if not set. | `string` | `""` | no |
+| atlas\_kafka\_bootstrap\_servers | Kafka instance url. | `string` | `""` | no |
+| aws\_region | AWS region. | `string` | n/a | yes |
+| dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
+| db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
+| db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | n/a | yes |
+| db\_backup\_window | Preferred backup window for the RDS Metastore DB in UTC. | `string` | `"02:00-03:00"` | no |
+| db\_instance\_class | Instance type for the RDS Metastore DB. | `string` | n/a | yes |
+| db\_instance\_count | Desired count of database cluster instances. | `string` | `"2"` | no |
+| db\_maintenance\_window | Preferred maintenance window for the RDS Metastore DB in UTC. | `string` | `"wed:03:00-wed:04:00"` | no |
+| db\_master\_username | Aurora cluster MySQL master user name. | `string` | `"apiary"` | no |
+| db\_ro\_secret\_name | Aurora cluster MySQL read-only user SecretsManger secret name. | `string` | `""` | no |
+| db\_rw\_secret\_name | Aurora cluster MySQL read/write user SecretsManager secret name. | `string` | `""` | no |
+| disallow\_incompatible\_col\_type\_changes | Hive metastore setting to disallow validation when incompatible schema type changes. | `bool` | `true` | no |
+| docker\_registry\_auth\_secret\_name | Docker Registry authentication SecretManager secret name. | `string` | `""` | no |
+| ecs\_domain\_extension | Domain name to use for hosted zone created by ECS service discovery. | `string` | `"lcl"` | no |
+| elb\_timeout | Idle timeout for Apiary ELB. | `string` | `"1800"` | no |
+| enable\_apiary\_s3\_log\_hive | Create hive database to archive s3 logs in parquet format.Only applicable when module manages logs S3 bucket. | `bool` | `true` | no |
+| enable\_data\_events | Enable managed buckets S3 event notifications. | `bool` | `false` | no |
+| enable\_gluesync | Enable metadata sync from Hive to the Glue catalog. | `bool` | `false` | no |
+| enable\_hive\_metastore\_metrics | Enable sending Hive Metastore metrics to CloudWatch. | `bool` | `false` | no |
+| enable\_metadata\_events | Enable Hive Metastore SNS listener. | `bool` | `false` | no |
+| enable\_s3\_paid\_metrics | Enable managed S3 buckets request and data transfer metrics. | `bool` | `false` | no |
+| enable\_vpc\_endpoint\_services | Enable metastore NLB, Route53 entries VPC access and VPC endpoint services, for cross-account access. | `bool` | `true` | no |
+| encrypt\_db | Specifies whether the DB cluster is encrypted | `bool` | `false` | no |
+| external\_data\_buckets | Buckets that are not managed by Apiary but added to Hive Metastore IAM role access. | `list(any)` | `[]` | no |
+| external\_database\_host | External Metastore database host to support legacy installations, MySQL database won't be created by Apiary when this option is specified. | `string` | `""` | no |
+| hive\_metastore\_port | Port on which both Hive Metastore readwrite and readonly will run. | `number` | `9083` | no |
+| hms\_docker\_image | Docker image ID for the Hive Metastore. | `string` | n/a | yes |
+| hms\_docker\_version | Version of the Docker image for the Hive Metastore. | `string` | n/a | yes |
+| hms\_instance\_type | Hive Metastore instance type, possible values: ecs,k8s. | `string` | `"ecs"` | no |
+| hms\_log\_level | Log level for the Hive Metastore. | `string` | `"INFO"` | no |
+| hms\_nofile\_ulimit | Ulimit for the Hive Metastore container. | `string` | `"32768"` | no |
+| hms\_ro\_cpu | CPU for the read only Hive Metastore ECS task.
Valid values can be 256, 512, 1024, 2048 and 4096.
Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"512"` | no |
+| hms\_ro\_ecs\_task\_count | Desired ECS task count of the read only Hive Metastore service. | `string` | `"3"` | no |
+| hms\_ro\_heapsize | Heapsize for the read only Hive Metastore.
Valid values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"2048"` | no |
+| hms\_rw\_cpu | CPU for the read/write Hive Metastore ECS task.
Valid values can be 256, 512, 1024, 2048 and 4096.
Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"512"` | no |
+| hms\_rw\_ecs\_task\_count | Desired ECS task count of the read/write Hive Metastore service. | `string` | `"3"` | no |
+| hms\_rw\_heapsize | Heapsize for the read/write Hive Metastore.
Valid values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | `string` | `"2048"` | no |
+| iam\_name\_root | Name to identify Hive Metastore IAM roles. | `string` | `"hms"` | no |
+| ingress\_cidr | Generally allowed ingress CIDR list. | `list(string)` | n/a | yes |
+| instance\_name | Apiary instance name to identify resources in multi-instance deployments. | `string` | `""` | no |
+| k8s\_docker\_registry\_secret | Docker Registry authentication K8s secret name. | `string` | `""` | no |
+| kafka\_bootstrap\_servers | Kafka bootstrap servers to send metastore events, setting this enables Hive Metastore Kafka listener. | `string` | `""` | no |
+| kafka\_topic\_name | Kafka topic to send metastore events. | `string` | `""` | no |
+| kiam\_arn | Kiam server IAM role ARN. | `string` | `""` | no |
+| ldap\_base | Active directory LDAP base DN to search users and groups. | `string` | `""` | no |
+| ldap\_ca\_cert | Base64 encoded Certificate Authority bundle to validate LDAPS connections. | `string` | `""` | no |
+| ldap\_secret\_name | Active directory LDAP bind DN SecretsManager secret name. | `string` | `""` | no |
+| ldap\_url | Active directory LDAP URL to configure Hadoop LDAP group mapping. | `string` | `""` | no |
+| metastore\_namespace | k8s namespace to deploy metastore containers. | `string` | `"metastore"` | no |
+| oidc\_provider | EKS cluster OIDC provider name, required for configuring IAM using IRSA. | `string` | `""` | no |
+| private\_subnets | Private subnets. | `list(any)` | n/a | yes |
+| ranger\_audit\_db\_url | Ranger DB audit provider configuration. | `string` | `""` | no |
+| ranger\_audit\_secret\_name | Ranger DB audit secret name. | `string` | `""` | no |
+| ranger\_audit\_solr\_url | Ranger Solr audit provider configuration. | `string` | `""` | no |
+| ranger\_policy\_manager\_url | Ranger admin URL to synchronize policies. | `string` | `""` | no |
+| rds\_max\_allowed\_packet | RDS/MySQL setting for parameter 'max\_allowed\_packet' in bytes. Default is 128MB (Note that MySQL default is 4MB). | `number` | `134217728` | no |
+| rw\_ingress\_cidr | Read-Write metastore ingress CIDR list. If not set, defaults to `var.ingress_cidr`. | `list(string)` | `[]` | no |
+| s3\_enable\_inventory | Enable S3 inventory configuration. | `bool` | `false` | no |
+| s3\_inventory\_customer\_accounts | AWS account IDs allowed to access s3 inventory database. | `list(string)` | `[]` | no |
+| s3\_inventory\_format | Output format for S3 inventory results. Can be Parquet, ORC, CSV | `string` | `"ORC"` | no |
+| s3\_inventory\_update\_schedule | Cron schedule to update S3 inventory tables (if enabled). Defaults to every 12 hours. | `string` | `"0 */12 * * *"` | no |
+| s3\_lifecycle\_abort\_incomplete\_multipart\_upload\_days | Number of days after which incomplete multipart uploads will be deleted. | `string` | `"7"` | no |
+| s3\_lifecycle\_policy\_transition\_period | S3 Lifecycle Policy number of days for Transition rule | `string` | `"30"` | no |
+| s3\_log\_expiry | Number of days after which Apiary S3 bucket logs expire. | `string` | `"365"` | no |
+| s3\_logs\_sqs\_delay\_seconds | The time in seconds that the delivery of all messages in the queue will be delayed. | `number` | `300` | no |
+| s3\_logs\_sqs\_message\_retention\_seconds | Time in seconds after which message will be deleted from the queue. | `number` | `345600` | no |
+| s3\_logs\_sqs\_receive\_wait\_time\_seconds | The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. | `number` | `10` | no |
+| s3\_logs\_sqs\_visibility\_timeout\_seconds | Time in seconds after which message will be returned to the queue if it is not deleted. | `number` | `3600` | no |
+| s3\_storage\_class | S3 storage class after transition using lifecycle policy | `string` | `"INTELLIGENT_TIERING"` | no |
+| secondary\_vpcs | List of VPCs to associate with Service Discovery namespace. | `list(any)` | `[]` | no |
+| system\_schema\_customer\_accounts | AWS account IDs allowed to access system database. | `list(string)` | `[]` | no |
+| system\_schema\_name | Name for the internal system database | `string` | `"apiary_system"` | no |
+| table\_param\_filter | A regular expression for selecting necessary table parameters for the SNS listener. If the value isn't set, then no table parameters are selected. | `string` | `""` | no |
+| vpc\_id | VPC ID. | `string` | n/a | yes |
+| enable\_dashboard | make EKS & ECS dashboard optional | `bool` | true | no |
+| rds\_family | RDS Family | `string` | aurora5.6 | no |
### apiary_assume_roles
@@ -161,3 +162,135 @@ Name | Description | Type | Default | Required |
| encryption | S3 objects encryption type, supported values are AES256,aws:kms. | string | null | no |
| admin_roles | IAM roles configured with admin access on corresponding KMS keys,required when encryption type is `aws:kms`. | string | null | no |
| client_roles | IAM roles configured with usage access on corresponding KMS keys,required when encryption type is `aws:kms`. | string | null | no |
+
+
+### apiary_consumer_iamroles
+
+A list of cross-account IAM role ARNs that are allowed to read all data in all Apiary managed schemas. These roles are not subject to any restrictions imposed by
+`apiary_customer_condition` policies.
+
+An example entry looks like:
+```
+apiary_consumer_iamroles = [
+ "arn:aws:iam:::role/",
+ "arn:aws:iam:::role/",
+ ...
+]
+```
+
+### apiary_consumer_prefix_iamroles
+
+A map of map of list of IAM roles. Each top-level map entry is the name of an Apiary managed schema. Each entry in that map is an S3 prefix in that schema. The value of that map entry
+is a list of IAM roles that has unrestricted read access to objects under that S3 prefix. These roles are not subject to any restrictions imposed by
+`apiary_customer_condition` policies.
+
+An example entry looks like:
+```
+apiary_consumer_prefix_iamroles = {
+ sandbox = {
+ "prefix1/with/several/levels" = [
+ "arn:aws:iam:::role/",
+ "arn:aws:iam:::role/"
+ ]
+ prefix2 = [
+ "arn:aws:iam:::role/"
+ ]
+ }
+ test = {
+ prefixroletest = [
+ "arn:aws:iam:::role/",
+ "arn:aws:iam:::role/"
+ ]
+ "prefixroletest2" = [
+ "arn:aws:iam:::role/"
+ ]
+ }
+}
+```
+
+### apiary_customer_condition
+
+A string that defines a list of conditions that restrict which objects in an Apiary schema's S3 bucket may be read cross-account by accounts in the `customer_accounts` list.
+The string is a semicolon-delimited list of comma-delimited strings that specify conditions that are valid in AWS S3 bucket policy
+[Condition](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html) sections. This condition is applied to every Apiary schema's S3 bucket policy.
+
+An example entry to limit access to:
+- Only requests from certain VPC CIDR blocks
+- And only to objects that have:
+ - Either an S3 tag of `data-sensitivity=false` or
+ - An S3 tag of `data-type=image*`
+looks like:
+```
+apiary_customer_condition = <",
+ "",
+ ...
+ "customer_accountN_ARN"
+ ]
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ],
+ "Resource": "arn:aws:s3:::apiary---/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:ExistingObjectTag/data-sensitivity": "false"
+ },
+ "IpAddress": {
+ "aws:VpcSourceIp": [
+ "10.0.0.0/8",
+ "100.64.0.0/10"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "Apiary customer account object permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "",
+ "",
+ ...
+ "customer_accountN_ARN"
+ ]
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ],
+ "Resource": "arn:aws:s3:::apiary---/*",
+ "Condition": {
+ "StringLike": {
+ "s3:ExistingObjectTag/data-type": "image*"
+ },
+ "IpAddress": {
+ "aws:VpcSourceIp": [
+ "10.0.0.0/8",
+ "100.64.0.0/10"
+ ]
+ }
+ }
+ },
+ ]
+```
+#### Interactions with `apiary_consumer_iamroles` and `apiary_consumer_prefix_iamroles`
+- Note that any IAM roles in `apiary_consumer_iamroles` would not be subject to the restrictions from `apiary_customer_condition`, and so could read any S3 object, even if they don't have a `data-sensitivity` tag, or if the `data-sensitivity` tag is `true`, or if there is no `data-type` tag of `image*`.
+- Note that any IAM roles in `apiary_consumer_prefix_iamroles` would not be subject to the restrictions from `apiary_customer_condition` for the schemas and prefixes specified in the map, and so could read any S3 object under those prefixes, even if they don't have a `data-sensitivity` tag, or if the `data-sensitivity` tag is `true`, or if there is no `data-type` tag of `image*`.
\ No newline at end of file
diff --git a/s3.tf b/s3.tf
index 0018fc0..dfbd350 100644
--- a/s3.tf
+++ b/s3.tf
@@ -8,26 +8,23 @@
### Apiary S3 policy template
##
-data "template_file" "bucket_policy" {
- for_each = {
- for schema in local.schemas_info : "${schema["schema_name"]}" => schema
- }
- template = file("${path.module}/templates/apiary-bucket-policy.json")
-
- vars = {
- #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
- customer_principal = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, each.key)) && each.value["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", each.value["customer_accounts"]))) : ""
- customer_condition = var.apiary_customer_condition
-
- bucket_name = each.value["data_bucket"]
- encryption = each.value["encryption"]
- kms_key_arn = each.value["encryption"] == "aws:kms" ? aws_kms_key.apiary_kms[each.key].arn : ""
- consumer_iamroles = join("\",\"", var.apiary_consumer_iamroles)
- producer_iamroles = replace(lookup(var.apiary_producer_iamroles, each.key, ""), ",", "\",\"")
- deny_iamroles = join("\",\"", var.apiary_deny_iamroles)
- deny_iamrole_actions = join("\",\"", var.apiary_deny_iamrole_actions)
- client_roles = replace(lookup(each.value, "client_roles", ""), ",", "\",\"")
- governance_iamroles = join("\",\"", var.apiary_governance_iamroles)
+locals {
+ bucket_policy_map = {
+ for schema in local.schemas_info : schema["schema_name"] => templatefile("${path.module}/templates/apiary-bucket-policy.json", {
+ #if apiary_shared_schemas is empty or contains current schema, allow customer accounts to access this bucket.
+ customer_principal = (length(var.apiary_shared_schemas) == 0 || contains(var.apiary_shared_schemas, schema["schema_name"])) && schema["customer_accounts"] != "" ? join("\",\"", formatlist("arn:aws:iam::%s:root", split(",", schema["customer_accounts"]))) : ""
+ customer_condition = var.apiary_customer_condition
+ bucket_name = schema["data_bucket"]
+ encryption = schema["encryption"]
+ kms_key_arn = schema["encryption"] == "aws:kms" ? aws_kms_key.apiary_kms[schema["schema_name"]].arn : ""
+ consumer_iamroles = join("\",\"", var.apiary_consumer_iamroles)
+ producer_iamroles = replace(lookup(var.apiary_producer_iamroles, schema["schema_name"], ""), ",", "\",\"")
+ deny_iamroles = join("\",\"", var.apiary_deny_iamroles)
+ deny_iamrole_actions = join("\",\"", var.apiary_deny_iamrole_actions)
+ client_roles = replace(lookup(schema, "client_roles", ""), ",", "\",\"")
+ governance_iamroles = join("\",\"", var.apiary_governance_iamroles)
+ consumer_prefix_roles = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})
+ })
}
}
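Review bot: The new `consumer_prefix_roles = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {})` line silently ignores any top-level key of the variable that is not a managed schema name, so a misspelled schema key yields no policy statement and no error, and an operator may believe access was granted when it was not; this is fail-closed but deserves a comment, e.g. `# Keys that match no managed schema are ignored: a typo here grants nothing and raises no error.`. The `locals` block also has no header explaining the switch away from `data.template_file`; presumably the reason is that `templatefile()` accepts the nested-map value that the data source (string vars only) could not, so a line such as `# Rendered with templatefile() so consumer_prefix_roles can be passed as a nested map rather than a string.` would record that. Where the module's Terraform version allows it, a plan-time check that `keys(var.apiary_consumer_prefix_iamroles)` is a subset of the managed schema names would turn the silent drop into an error.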
@@ -42,7 +39,7 @@ resource "aws_s3_bucket" "apiary_data_bucket" {
bucket = each.value["data_bucket"]
acl = "private"
request_payer = "BucketOwner"
- policy = data.template_file.bucket_policy[each.key].rendered
+ policy = local.bucket_policy_map[each.key]
tags = merge(map("Name", each.value["data_bucket"]),
var.apiary_tags,
jsondecode(lookup(each.value, "tags", "{}")))
diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
index a85912d..4a41401 100644
--- a/templates/apiary-bucket-policy.json
+++ b/templates/apiary-bucket-policy.json
@@ -54,6 +54,22 @@
},
%{endfor}
%{endif}
+%{for prefix, role_list in consumer_prefix_roles ~}
+%{if length(role_list) > 0 }
+ {
+ "Sid": "Apiary consumer_prefix_iamroles policy",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": ${jsonencode([for role in role_list: trim(role, " ")])}
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ],
+ "Resource": "arn:aws:s3:::${bucket_name}/${trim(prefix," /")}/*"
+ },
+%{endif}
+%{endfor ~}
%{endif}
%{if deny_iamroles != ""}
{
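Review bot: The `Resource` line interpolates `trim(prefix," /")` straight into the JSON string, so a prefix key containing `"` or `\` breaks the rendered policy, and one containing `*` or `?` is interpreted by IAM as a wildcard and matches far more objects than the named prefix; because this statement is exempt from `apiary_customer_condition`, that widens an unrestricted grant. Encode the whole ARN the same way the principal list already is: `"Resource": ${jsonencode("arn:aws:s3:::${bucket_name}/${trim(prefix, " /")}/*")}`, and reject wildcard characters in the variable's prefix keys (that validation belongs in variables.tf, since encoding alone does not stop IAM from expanding `*`). The new block is also nested inside an outer `%{if}` whose opening condition is above the hunk and which closes at the `%{endif}` following `%{endfor ~}`; if that guard is the `consumer_iamroles` check, prefix grants would be silently omitted whenever `apiary_consumer_iamroles` is empty — worth confirming, and if so the loop should move outside that guard.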
diff --git a/variables.tf b/variables.tf
index f455ebe..b7b9cfc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -175,11 +175,17 @@ variable "apiary_assume_roles" {
}
variable "apiary_consumer_iamroles" {
- description = "AWS IAM roles allowed read access to managed Apiary S3 buckets."
+ description = "AWS IAM roles allowed unrestricted read access to managed Apiary S3 buckets."
type = list(string)
default = []
}
+variable "apiary_consumer_prefix_iamroles" {
+ description = "AWS IAM roles allowed unrestricted read access to certain prefixes in managed Apiary S3 buckets."
+ type = map(any)
+ default = {}
+}
+
variable "apiary_producer_iamroles" {
description = "AWS IAM roles allowed write access to managed Apiary S3 buckets."
type = map(any)
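Review bot: `apiary_consumer_prefix_iamroles` is declared as `map(any)` although VARIABLES.md documents it as a map of maps of role lists (its Inputs row reads `map(map(list(string)`, itself missing a closing paren), so a malformed value — a role string where a list is expected, or a prefix containing an IAM wildcard — is not caught at plan time and only surfaces, if at all, when the bucket policy template is rendered. Since each prefix becomes an `s3:GetObject` grant that bypasses `apiary_customer_condition`, the type should be pinned to `map(map(list(string)))` and the prefix keys validated against `*` and `?`, which IAM treats as wildcards in a Resource ARN; pinning the type also makes the `{}` default in the s3.tf `lookup` unambiguous. The `validation` block below needs Terraform 0.13 or later; the legacy `map()` call in s3.tf suggests the module still targets a pre-1.0 release, so confirm the minimum version before relying on it.
```hcl
variable "apiary_consumer_prefix_iamroles" {
  description = "AWS IAM roles allowed unrestricted read access to certain prefixes in managed Apiary S3 buckets. Keys are schema names, nested keys are S3 prefixes, values are lists of IAM role ARNs."
  type        = map(map(list(string)))
  default     = {}

  validation {
    # '*' and '?' are IAM wildcards in a Resource ARN and would widen the grant past the named prefix.
    condition = length(flatten([
      for schema, prefixes in var.apiary_consumer_prefix_iamroles : [
        for prefix in keys(prefixes) : prefix if can(regex("[*?]", prefix))
      ]
    ])) == 0
    error_message = "Prefix keys in apiary_consumer_prefix_iamroles must not contain '*' or '?'."
  }
}
```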