From 93762b1abedce0f470a0f6dab63c838a711c4275 Mon Sep 17 00:00:00 2001 From: Nsikan <20339399+noce2@users.noreply.github.com> Date: Wed, 26 Jan 2022 21:23:05 +0000 Subject: [PATCH 1/5] Show example of state lock table access control --- .../docs/language/settings/backends/s3.mdx | 35 +++++++++++++++---- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index a338a42e1a..5eab2780b7 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx @@ -410,12 +410,35 @@ to only a single state object within an S3 bucket is shown below: } ``` -It is not possible to apply such fine-grained access control to the DynamoDB -table used for locking, so it is possible for any user with Terraform access -to lock any workspace state, even if they do not have access to read or write -that state. If a malicious user has such access they could block attempts to -use Terraform against some or all of your workspaces as long as locking is -enabled in the backend configuration. +It is also possible to apply fine-grained access control to the DynamoDB +table used for locking. An example policy statement is shown below: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect" : "Allow", + "Action" : [ + "dynamodb:DeleteItem", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:Query", + "dynamodb:UpdateItem" + ], + "Resource" : ["arn:aws:dynamodb:*:*:table/myorg-state-lock-table"], + "Condition" : { + "ForAllValues:StringEquals" : { + "dynamodb:LeadingKeys" : [ + "myorg-terraform-states/myapp/production/tfstate", + "myorg-terraform-states/myapp/production/tfstate-md5" + ] + } + } + } + ] +} +``` ### Configuring Custom User-Agent Information From b5300fc79349323c8e0ac1c8bff87cc1cc33dcc9 Mon Sep 17 00:00:00 2001 
From: Nsikan Essien <20339399+noce2@users.noreply.github.com> Date: Mon, 14 Feb 2022 18:45:30 +0000 Subject: [PATCH 2/5] Incorporate feedback on policy snippet explanation --- website/docs/language/settings/backends/s3.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index 5eab2780b7..a36ea51c9d 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx @@ -411,7 +411,13 @@ to only a single state object within an S3 bucket is shown below: ``` It is also possible to apply fine-grained access control to the DynamoDB -table used for locking. An example policy statement is shown below: +table used for locking. During a `terraform plan`, when the state lock is put in place, +Terraform stores the full statefile as a document with its partition key set +as the s3 object key. After the state lock is released, a digest of the updated +statefile is placed in DynamoDB with a key similar to that of the original +statefile but suffixed with `-md5`. A simple IAM policy that would allow the +role assumed for backend operations to perform the aforementioned operations is +shown below: ```json { From 2cda0936bc8332c4e5d30ea330408369660d0e15 Mon Sep 17 00:00:00 2001 From: Nsikan <20339399+noce2@users.noreply.github.com> Date: Mon, 14 Mar 2022 10:29:19 +0000 Subject: [PATCH 3/5] Update website/docs/language/settings/backends/s3.mdx Co-authored-by: Laura Pacilio <83350965+laurapacilio@users.noreply.github.com> --- website/docs/language/settings/backends/s3.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index a36ea51c9d..c0d050414c 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx 
@@ -415,9 +415,8 @@ table used for locking. During a `terraform plan`, when the state lock is put in Terraform stores the full statefile as a document with its partition key set as the s3 object key. After the state lock is released, a digest of the updated statefile is placed in DynamoDB with a key similar to that of the original -statefile but suffixed with `-md5`. A simple IAM policy that would allow the -role assumed for backend operations to perform the aforementioned operations is -shown below: +statefile but suffixed with `-md5`. The example below shows an IAM policy that would allow the +role assumed for backend operations to perform these operations. ```json { From 880a4631a28c56003206dc988f9ad6c74caa28cb Mon Sep 17 00:00:00 2001 From: Nsikan Essien <20339399+noce2@users.noreply.github.com> Date: Mon, 14 Mar 2022 10:35:34 +0000 Subject: [PATCH 4/5] Add dynamo docs link and snippet comments --- website/docs/language/settings/backends/s3.mdx | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index c0d050414c..796945477f 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx @@ -415,8 +415,9 @@ table used for locking. During a `terraform plan`, when the state lock is put in Terraform stores the full statefile as a document with its partition key set as the s3 object key. After the state lock is released, a digest of the updated statefile is placed in DynamoDB with a key similar to that of the original -statefile but suffixed with `-md5`. The example below shows an IAM policy that would allow the -role assumed for backend operations to perform these operations. +statefile but suffixed with `-md5`. A simple IAM policy that would allow the +role assumed for backend operations to perform the aforementioned operations is +shown below: ```json { 
@@ -435,8 +436,8 @@ role assumed for backend operations to perform these operations. "Condition" : { "ForAllValues:StringEquals" : { "dynamodb:LeadingKeys" : [ - "myorg-terraform-states/myapp/production/tfstate", - "myorg-terraform-states/myapp/production/tfstate-md5" + "myorg-terraform-states/myapp/production/tfstate", // during a state lock the full state file is stored with this key + "myorg-terraform-states/myapp/production/tfstate-md5" // after the lock is released a hash of the statefile's contents are stored with this key ] } } @@ -445,6 +446,8 @@ role assumed for backend operations to perform these operations. } ``` +Refer to the [AWS documentation on DynamoDB fine-grained locking](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html) for more details. + ### Configuring Custom User-Agent Information Note this feature is optional and only available in Terraform v0.13.1+. From a813854a82488e46ba19a98284a96ee7c780c108 Mon Sep 17 00:00:00 2001 From: Nsikan <20339399+noce2@users.noreply.github.com> Date: Tue, 29 Mar 2022 16:40:59 +0100 Subject: [PATCH 5/5] Update website/docs/language/settings/backends/s3.mdx Co-authored-by: Laura Pacilio <83350965+laurapacilio@users.noreply.github.com> --- website/docs/language/settings/backends/s3.mdx | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/website/docs/language/settings/backends/s3.mdx b/website/docs/language/settings/backends/s3.mdx index 796945477f..3ce1f57f5f 100644 --- a/website/docs/language/settings/backends/s3.mdx +++ b/website/docs/language/settings/backends/s3.mdx 
@@ -411,13 +411,9 @@ to only a single state object within an S3 bucket is shown below: ``` It is also possible to apply fine-grained access control to the DynamoDB -table used for locking. During a `terraform plan`, when the state lock is put in place, -Terraform stores the full statefile as a document with its partition key set -as the s3 object key. After the state lock is released, a digest of the updated -statefile is placed in DynamoDB with a key similar to that of the original -statefile but suffixed with `-md5`. A simple IAM policy that would allow the -role assumed for backend operations to perform the aforementioned operations is -shown below: +table used for locking. When Terraform puts the state lock in place during `terraform plan`, it stores the full state file as a document and sets the s3 object key as the partition key for the document. After the state lock is released, Terraform places a digest of the updated state file in DynamoDB. The key is similar to the one for the original state file, but is suffixed with `-md5`. + +The example below shows a simple IAM policy that allows the backend operations role to perform these operations: ```json {
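Review bot: in the patch 1/5 hunk (`@@ -410,12 +410,35 @@`), the action list in the new policy statement is wider than the behaviour the section describes: `dynamodb:Query` and `dynamodb:UpdateItem` are granted next to `GetItem`, `PutItem` and `DeleteItem`, yet nothing in the surrounding text says the backend queries or updates lock items, and the whole point of the section is least-privilege access to the lock table. Either drop those two actions or add a sentence explaining why the backend needs them. A one-line caveat would also help readers who later widen the statement: `ForAllValues:StringEquals` on `dynamodb:LeadingKeys` only constrains actions whose request carries partition-key values, so the statement must stay limited to item-level actions as it is here and must not be extended to table-level actions such as `Scan`, which the condition would not restrict.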
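Review bot: in the patch 2/5 hunk (`@@ -411,7 +411,13 @@`), the added explanation says the lock item's partition key is "the s3 object key", but the `dynamodb:LeadingKeys` values in the policy below are `myorg-terraform-states/myapp/production/tfstate`, that is, the bucket name and the object key joined with `/`; say so in the prose, otherwise readers will write conditions whose key values never match and the policy will deny every lock. Two further points to verify before merging: the lock is taken for more than `terraform plan` (apply and other state-touching commands also lock), so "During a `terraform plan`" reads as if plan were the only case; and the claim that "the full statefile" is stored as the lock document should be checked against the S3 backend's lock code, since the lock item holds lock metadata (who, which operation, when) while the state itself stays in S3 and only the `-md5` item carries a digest of it.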
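Review bot: the first hunk of patch 4/5 (`@@ -415,8 +415,9 @@`) reverts the sentence that patch 3/5 had just rewritten, putting back "A simple IAM policy that would allow the role assumed for backend operations to perform the aforementioned operations is shown below:" in place of "The example below shows an IAM policy that would allow the role assumed for backend operations to perform these operations." This looks like a rebase artifact rather than an intended edit, and patch 5/5 rewrites the same sentence yet again; drop this hunk from the commit so the series does not flip the wording back and forth.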
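Review bot: the second hunk of patch 4/5 (`@@ -435,8 +436,8 @@`) adds `// ...` comments inside a ```json fenced block. JSON has no comment syntax, so anyone pasting the statement into an IAM policy document gets a parse error; move the two explanations into the prose paragraph and keep the fenced policy copy-pasteable. The comment on the `-md5` line also has a number-agreement slip ("a hash of the statefile's contents are stored"), which goes away if the sentence is moved to prose as "a hash of the state file's contents is stored".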
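Review bot: in the third hunk of patch 4/5 (`@@ -445,6 +446,8 @@`), the link text reads "AWS documentation on DynamoDB fine-grained locking", but the target page (specifying-conditions.html) documents fine-grained access control with IAM conditions, not locking; label it "AWS documentation on DynamoDB fine-grained access control" so the reader knows what the page covers before following it.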
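Review bot: the patch 5/5 hunk (`@@ -411,13 +411,9 @@`) still ties the lock to `terraform plan` alone and still states that Terraform "stores the full state file as a document" in DynamoDB, so both points raised on patch 2/5 remain open in the final wording. Smaller items: "s3 object key" should be "S3 object key" to match the rest of the page, and "the backend operations role" is clearer as "the role assumed for backend operations", which the earlier wording used.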