UPD: canned s3 bucket policy

modules/terraform-setup/main.tf

@@ -75,7 +75,28 @@ resource "aws_s3_bucket_acl" "bucket-acl" {
 
 resource "aws_s3_bucket_policy" "bucket-policy" {
   bucket = aws_s3_bucket.s3bucket.bucket
-  policy = var.bucket-policy-json
+  policy = <<EOT
+{
+  "Id": "policy01",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowFullAccessFromBastion",
+      "Action": "s3:*",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::${var.resource-prefix}-tfstate/*",
+        "arn:aws:s3:::${var.resource-prefix}-tfstate"
+      ],
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
+        ]
+      }
+    }
+  ]
+}
+EOT
 }
 
 resource "aws_dynamodb_table" "tfstate-lock-table" {

modules/terraform-setup/variables.tf

@@ -12,9 +12,8 @@ variable "bucket-enable-lifecycle" {
 variable "bucket-acl" {
   default = "private"
 }
-variable "bucket-policy-json" {}
 variable "enable-bucket-versioning" {
   default = true
 }
 
-variable "bucket-name" {}
+variable "bucket-name" {}