| author | bulve-ad <78788030+bulve-ad@users.noreply.github.com> | 2024-08-21 15:51:03 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-08-21 15:51:03 +0100 |
| commit | ce76bbb2b32b58a93d88db4abdb1bbfbf27243ea (patch) | |
| tree | b8e77c62b6a2d50ab04215beb54055d14210a423 /terraform/iam.tf | |
| parent | c8e94530b65d6807b2b9bb246a542963839cce9d (diff) | |
| parent | d01d3bed939d7a17ea2205af502baeeb35510b5c (diff) | |
| download | de-project-bentley-ce76bbb2b32b58a93d88db4abdb1bbfbf27243ea.tar.gz de-project-bentley-ce76bbb2b32b58a93d88db4abdb1bbfbf27243ea.zip | |
Merge branch 'development' into feature/transform_lambda
Diffstat (limited to 'terraform/iam.tf')
| -rw-r--r-- | terraform/iam.tf | 48 |
1 files changed, 46 insertions, 2 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 0e5fa6d..3d62b69 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -28,17 +28,21 @@ resource "aws_iam_role" "multi_service_role" {
 ########################################################################
 # S3 SETUP
 # Description: allows allows retention/tagging/access control settings
-# Lambda IAM Policy for S3 Write
+# Lambda IAM Policy for S3
 ########################################################################
 # S3 DEFINE POLICY
 data "aws_iam_policy_document" "s3_data_policy_doc" {
 statement {
+ effect = "Allow"
 actions = [
 "s3:PutObject",
 "s3:PutObjectRetention",
 "s3:PutObjectTagging",
- "s3:PutObjectAcl"
+ "s3:PutObjectAcl",
+ "s3:ListObjects",
+ "s3:ListObjectsV2",
+ "s3:GetObject"
 ]
 resources = [
 "${aws_s3_bucket.extract_bucket.arn}/*",
@@ -46,6 +50,19 @@ data "aws_iam_policy_document" "s3_data_policy_doc" {
 "${aws_s3_bucket.lambda_code_bucket.arn}/*",
 ]
 }
+
+ statement {
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket",
+ "s3:ListAllMyBuckets",
+ "s3:ListObjectsV2",
+ "s3:ListObjects"
+ ]
+ resources = [
+ "arn:aws:s3:::*",
+ ]
+ }
 }
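Review bot: The two added actions `"s3:ListObjects"` and `"s3:ListObjectsV2"` in the first statement are not IAM action names; the permission that authorizes the ListObjects/ListObjectsV2 API calls is `s3:ListBucket`, and it is evaluated against the bucket ARN, not the `.../*` object ARNs this statement's `resources` use, so these two lines grant nothing (IAM saves the policy with a validation warning rather than rejecting it). Drop them here and keep `"s3:GetObject"` as the only new read action on the object resources; the same two names recur in the new statement in the second hunk. The `data "aws_iam_policy_document" "s3_data_policy_doc"` block continues past the end of this hunk.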
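Review bot: The new statement grants `s3:ListBucket` on `"arn:aws:s3:::*"`, i.e. every bucket in the account, while the object statement above it is scoped to named buckets; `s3:ListBucket` should be limited to the bucket ARNs the role actually reads (the bucket ARN without `/*`, e.g. `aws_s3_bucket.extract_bucket.arn`), which also removes any need for the wildcard `resources` entry. `s3:ListAllMyBuckets` can only be granted on `"*"` by design, so if bucket enumeration is genuinely required keep it in its own statement rather than letting it pull the list permission up to account scope; `"s3:ListObjectsV2"` and `"s3:ListObjects"` are not IAM actions and can be removed. The bucket list below is taken from the resources visible in these hunks; the object statement's resource list is cut by the hunk boundary, so any other bucket it names should be added too.
```hcl
  statement {
    effect  = "Allow"
    actions = ["s3:ListBucket"]
    # Bucket-level ARNs (no "/*"); mirror every bucket the object statement grants on.
    resources = [
      aws_s3_bucket.extract_bucket.arn,
      aws_s3_bucket.lambda_code_bucket.arn,
    ]
  }
```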
@@ -156,3 +173,30 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_events_attachment" {
 role = aws_iam_role.multi_service_role.name
 policy_arn = aws_iam_policy.cloudwatch_events_policy.arn
 }
+
+#########################
+# SECRETS MANAGER SETUP #
+#########################
+
+# Policy Doc
+data "aws_iam_policy_document" "secrets_manager_policy_doc" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetSecretValue"
+ ]
+ resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:bentley-secrets-Na0yc8"]
+ }
+}
+
+# SM Policy Resource
+resource "aws_iam_policy" "secrets_manager_policy" {
+ name = "secrets_manager_policy"
+ policy = data.aws_iam_policy_document.secrets_manager_policy_doc.json
+}
+
+# Attach SM Policy to Role
+resource "aws_iam_role_policy_attachment" "secrets_manager_attachment" {
+ role = aws_iam_role.multi_service_role.name
+ policy_arn = aws_iam_policy.secrets_manager_policy.arn
+} |
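Review bot: The `resources` line in `secrets_manager_policy_doc` hard-codes the six-character random suffix Secrets Manager appends to a secret's ARN (`bentley-secrets-Na0yc8`), so the policy is bound to one specific secret instance and will silently stop matching if the secret is ever deleted and recreated under the same name, with no Terraform diff to show it. The documented way to pin a secret by name is the suffix wildcard, `resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:bentley-secrets-*"]`, or, if the secret is managed in this configuration, referencing its resource ARN directly. The `data.aws_region.current` and `data.aws_caller_identity.current` sources are not defined in this diff, so I assume they already exist elsewhere in the module. The grant is attached to `multi_service_role`, which the surrounding attachments suggest is shared by several functions; if only the transform Lambda reads this secret, a dedicated role would keep the secret out of reach of the others.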
