Changes to the s3-remote-state for issue 286

Author: Mike McGirr

modules/s3-full-access-policy/main.tf

@@ -50,11 +50,12 @@ data "aws_iam_policy_document" "s3-full-access" {
     effect = "Allow"
 
     actions = [
-      "s3:ListObjects",
+      # "s3:ListObjects", # TODO this might not be a valid action
+      # See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
       "s3:PutObject",
       "s3:GetObject",
       "s3:DeleteObject",
-      "s3:CreateMultipartUpload",
+      # "s3:CreateMultipartUpload", # TODO this might not be a valid action
       "s3:ListMultipartUploadParts",
       "s3:AbortMultipartUpload",
     ]

modules/s3-remote-state/main.tf

@@ -13,7 +13,6 @@ variable "bucket_name" {
 }
 
 variable "principals" {
-  default     = []
   description = "list of user/role ARNs to get full access to the bucket"
   type        = list(string)
 }
@@ -72,8 +71,6 @@ data "aws_iam_policy_document" "s3-full-access" {
   statement {
     effect = "Allow"
 
-    # find an authoritative list of valid Actions for a AWS bucket policy,
-    # I haven't been able to locate one, and the two commented out are invalid
     actions = [
       "s3:PutObject",
       "s3:GetObject",