docs(examples): add custom website bucket policy example

Add a dedicated example showing how to provide website_bucket_policy and link the variable docs to it so consumers can discover the expected configuration faster.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: egarbi

README.md

@@ -112,7 +112,7 @@ In order to run all checks at any point run the following command:
 | <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
 | <a name="input_website_bucket_acl"></a> [website\_bucket\_acl](#input\_website\_bucket\_acl) | (Optional) The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. | `string` | `"private"` | no |
 | <a name="input_website_bucket_force_destroy"></a> [website\_bucket\_force\_destroy](#input\_website\_bucket\_force\_destroy) | (Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
-| <a name="input_website_bucket_policy"></a> [website\_bucket\_policy](#input\_website\_bucket\_policy) | (Optional) Map containing the IAM policy for the website bucket. Defaults to null and the policy will be generated automatically. | `any` | `null` | no |
+| <a name="input_website_bucket_policy"></a> [website\_bucket\_policy](#input\_website\_bucket\_policy) | (Optional) Map containing the IAM policy for the website bucket. Defaults to null and the policy will be generated automatically. See examples/custom-website-bucket-policy/main.tf for configuration example. | `any` | `null` | no |
 | <a name="input_website_cors_additional_allowed_origins"></a> [website\_cors\_additional\_allowed\_origins](#input\_website\_cors\_additional\_allowed\_origins) | (Optional) Specifies which origins are allowed besides the domain name specified | `list(string)` | `[]` | no |
 | <a name="input_website_cors_allowed_headers"></a> [website\_cors\_allowed\_headers](#input\_website\_cors\_allowed\_headers) | (Optional) Specifies which headers are allowed. Defaults to Authorization and Content-Length | `list(string)` | <pre>[<br/>  "Authorization",<br/>  "Content-Length"<br/>]</pre> | no |
 | <a name="input_website_cors_allowed_methods"></a> [website\_cors\_allowed\_methods](#input\_website\_cors\_allowed\_methods) | (Optional) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and POST | `list(string)` | <pre>[<br/>  "GET",<br/>  "POST"<br/>]</pre> | no |

examples/custom-website-bucket-policy/main.tf

@@ -0,0 +1,40 @@
+module "test_website" {
+  source      = "../../"
+  name_prefix = "test-website"
+
+  providers = {
+    aws.main         = aws.main
+    aws.acm_provider = aws.acm_provider
+  }
+
+  website_domain_name = "test.com"
+
+  create_acm_certificate     = false
+  acm_certificate_arn_to_use = "arn:aws:acm:us-east-1:123456789000:certificate/01234567-89a-bcde-f012-3456789abcde"
+
+  create_route53_hosted_zone = false
+  route53_hosted_zone_id     = "0123456789ABCDEFGHIJK"
+
+  aws_accounts_with_read_view_log_bucket = ["mock_account"]
+
+  website_bucket_policy = {
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowGetListFromSpecificAccount"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::123456789000:root"
+        }
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          "arn:aws:s3:::test.com",
+          "arn:aws:s3:::test.com/*"
+        ]
+      }
+    ]
+  }
+}

examples/custom-website-bucket-policy/mock_provider.tf

@@ -0,0 +1,71 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  alias                       = "main"
+  region                      = "us-east-1"
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+  skip_metadata_api_check     = true
+  s3_use_path_style           = true
+
+  endpoints {
+    apigateway     = "http://localstack:4566"
+    cloudformation = "http://localstack:4566"
+    cloudwatch     = "http://localstack:4566"
+    dynamodb       = "http://localstack:4566"
+    es             = "http://localstack:4566"
+    firehose       = "http://localstack:4566"
+    iam            = "http://localstack:4566"
+    kinesis        = "http://localstack:4566"
+    lambda         = "http://localstack:4566"
+    route53        = "http://localstack:4566"
+    redshift       = "http://localstack:4566"
+    s3             = "http://localstack:4566"
+    secretsmanager = "http://localstack:4566"
+    ses            = "http://localstack:4566"
+    sns            = "http://localstack:4566"
+    sqs            = "http://localstack:4566"
+    ssm            = "http://localstack:4566"
+    stepfunctions  = "http://localstack:4566"
+    sts            = "http://localstack:4566"
+  }
+}
+
+provider "aws" {
+  alias                       = "acm_provider"
+  region                      = "us-east-1"
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+  skip_metadata_api_check     = true
+  s3_use_path_style           = true
+
+  endpoints {
+    apigateway     = "http://localstack:4566"
+    cloudformation = "http://localstack:4566"
+    cloudwatch     = "http://localstack:4566"
+    dynamodb       = "http://localstack:4566"
+    es             = "http://localstack:4566"
+    firehose       = "http://localstack:4566"
+    iam            = "http://localstack:4566"
+    kinesis        = "http://localstack:4566"
+    lambda         = "http://localstack:4566"
+    route53        = "http://localstack:4566"
+    redshift       = "http://localstack:4566"
+    s3             = "http://localstack:4566"
+    secretsmanager = "http://localstack:4566"
+    ses            = "http://localstack:4566"
+    sns            = "http://localstack:4566"
+    sqs            = "http://localstack:4566"
+    ssm            = "http://localstack:4566"
+    stepfunctions  = "http://localstack:4566"
+    sts            = "http://localstack:4566"
+  }
+}

variables.tf

@@ -119,7 +119,7 @@ variable "website_server_side_encryption_configuration" {
 }
 
 variable "website_bucket_policy" {
-  description = "(Optional) Map containing the IAM policy for the website bucket. Defaults to null and the policy will be generated automatically."
+  description = "(Optional) Map containing the IAM policy for the website bucket. Defaults to null and the policy will be generated automatically. See examples/custom-website-bucket-policy/main.tf for configuration example."
   type        = any
   default     = null
 }

website.tf

@@ -10,7 +10,7 @@ resource "aws_cloudfront_origin_access_identity" "cf_oai" {
 #------------------------------------------------------------------------------
 # Website S3 Bucket
 #------------------------------------------------------------------------------
-#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging
+#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-bucket-encryption
 resource "aws_s3_bucket" "website" {
   # tfsec:ignore:AWS017
   provider = aws.main