feat: Support for S3 lock file IAM permissions

pawelpesz · pawelpesz · commit d10daf48f999 · 2025-04-24T16:45:05.000+01:00
diff --git a/README.md b/README.md
@@ -127,6 +127,7 @@ See [the official document](https://www.terraform.io/docs/backends/types/s3.html
 | <a name="input_s3_logging_target_prefix"></a> [s3\_logging\_target\_prefix](#input\_s3\_logging\_target\_prefix) | The prefix to apply on bucket logs, e.g "logs/". | `string` | no |
 | <a name="input_state_bucket_prefix"></a> [state\_bucket\_prefix](#input\_state\_bucket\_prefix) | Creates a unique state bucket name beginning with the specified prefix. | `string` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to resources. | `map(string)` | no |
+| <a name="input_terraform_iam_policy_add_lockfile_permissions"></a> [terraform\_iam\_policy\_add\_lockfile\_permissions](#input\_terraform\_iam\_policy\_add\_lockfile\_permissions) | Whether to add permissions for the S3 lockfile (recommended for Terraform 1.11+). | `bool` | no |
 | <a name="input_terraform_iam_policy_create"></a> [terraform\_iam\_policy\_create](#input\_terraform\_iam\_policy\_create) | Specifies whether to terraform IAM policy is created. | `bool` | no |
 | <a name="input_terraform_iam_policy_name"></a> [terraform\_iam\_policy\_name](#input\_terraform\_iam\_policy\_name) | If override\_terraform\_iam\_policy\_name is true, use this policy name instead of dynamic name with policy\_prefix | `string` | no |
 | <a name="input_terraform_iam_policy_name_prefix"></a> [terraform\_iam\_policy\_name\_prefix](#input\_terraform\_iam\_policy\_name\_prefix) | Creates a unique name beginning with the specified prefix. | `string` | no |
diff --git a/policy.tf b/policy.tf
@@ -19,10 +19,13 @@ data "aws_iam_policy_document" "terraform" {
   }
 
   statement {
-    actions = [
-      "s3:GetObject",
-      "s3:PutObject"
-    ]
+    actions = concat(
+      [
+        "s3:GetObject",
+        "s3:PutObject"
+      ],
+      var.terraform_iam_policy_add_lockfile_permissions ? ["s3:DeleteObject"] : []
+    )
     resources = ["${aws_s3_bucket.state.arn}/*"]
   }
 
diff --git a/variables.tf b/variables.tf
@@ -26,6 +26,12 @@ variable "terraform_iam_policy_name_prefix" {
   default     = "terraform"
 }
 
+variable "terraform_iam_policy_add_lockfile_permissions" {
+  description = "Whether to add permissions for the S3 lockfile (recommended for Terraform 1.11+)."
+  type        = bool
+  default     = false
+}
+
 #---------------------------------------------------------------------------------------------------
 # KMS Key for Encrypting S3 Buckets
 #---------------------------------------------------------------------------------------------------
