authorEllie <ecsymonds@gmail.com>2024-08-13 11:55:00 +0100
committerEllie <ecsymonds@gmail.com>2024-08-13 11:55:00 +0100
commit65e470c0bce51381da8f401f0ba07bd20a76071f (patch)
tree3492dbac63cf7b59b6a7c2d3844f56e59a8794fc
parentc75e650dbeb1390336d15487a2c87c53337cd8dc (diff)
downloadde-project-bentley-65e470c0bce51381da8f401f0ba07bd20a76071f.tar.gz
de-project-bentley-65e470c0bce51381da8f401f0ba07bd20a76071f.zip
infra(tf): add wip write policy and attach policy
-rw-r--r--terraform/iam.tf33
1 files changed, 21 insertions, 12 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index b9919a5..dda4d74 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -22,27 +22,36 @@ resource "aws_iam_role" "bentley_service_role" {
EOF
}
+# lambda setup
+
+
# s3 setup
-# allows to list and retrieve s3 buckets, and allows retention/tagging/access control settings
+# allows allows retention/tagging/access control settings
data "aws_iam_policy_document" "s3_data_policy_doc" {
statement {
actions = [
- "s3:ListAllMyBuckets",
- "s3:GetBucketLocation"
- ]
- resources = ["arn:aws:s3:::*"]
- }
-
- statement {
- actions = [
"s3:PutObject",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectAcl"
]
resources = [
- "${aws_s3_bucket.data_bucket.arn}/*",
- "${aws_s3_bucket.code_bucket.arn}/*"
+ "${aws_s3_bucket.extract_bucket.arn}/*",
+ "${aws_s3_bucket.transform_bucket.arn}/*",
+ "${aws_s3_bucket.lambda_bucket.arn}/*",
]
}
-} \ No newline at end of file
+}
+
+# write policy
+resource "aws_iam_policy" "s3_policy" {
+ policy = data.aws_iam_policy_document.s3_data_policy_doc.json
+}
+
+# attach policy to role
+resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
+ role = aws_iam_role.bentley_service_role.name
+ policy_arn = aws_iam_policy.s3_policy.arn
+}
+
+# lambda setup
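Review bot: The write statement grants `s3:PutObjectAcl` on every listed bucket and write access to `${aws_s3_bucket.lambda_bucket.arn}/*`, so anything that assumes bentley_service_role can rewrite object ACLs and overwrite the deployment artifacts it is presumably loaded from; unless the pipeline code actually sets ACLs, drop `"s3:PutObjectAcl"` and keep the lambda/code bucket out of the runtime write policy (grant that to the deploy principal instead). `aws_iam_policy.s3_policy` has no `name` or `description`, so Terraform will generate an opaque name that is hard to audit in IAM; something like `name = "bentley-s3-write-policy"` fixes that. The doc comment now reads "allows allows" after the read-permission statement was removed; suggest `# allows object writes plus retention/tagging/access control settings on the pipeline buckets`. The role's assume-role policy is above the hunk and not reviewed here, and `# lambda setup` appears twice (top and bottom of the hunk) with nothing under either, which reads as a leftover.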