| author | Ellie <ecsymonds@gmail.com> | 2024-08-13 11:55:00 +0100 |
|---|---|---|
| committer | Ellie <ecsymonds@gmail.com> | 2024-08-13 11:55:00 +0100 |
| commit | 65e470c0bce51381da8f401f0ba07bd20a76071f (patch) | |
| tree | 3492dbac63cf7b59b6a7c2d3844f56e59a8794fc /terraform | |
| parent | c75e650dbeb1390336d15487a2c87c53337cd8dc (diff) | |
infra(tf): add wip write policy and attach policy
Diffstat (limited to 'terraform')
| -rw-r--r-- | terraform/iam.tf | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index b9919a5..dda4d74 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -22,27 +22,36 @@ resource "aws_iam_role" "bentley_service_role" {
 EOF
 }
 
+# lambda setup
+
+
 # s3 setup
-# allows to list and retrieve s3 buckets, and allows retention/tagging/access control settings
+# allows allows retention/tagging/access control settings
 data "aws_iam_policy_document" "s3_data_policy_doc" {
 statement {
 actions = [
- "s3:ListAllMyBuckets",
- "s3:GetBucketLocation"
- ]
- resources = ["arn:aws:s3:::*"]
- }
-
- statement {
- actions = [
 "s3:PutObject",
 "s3:PutObjectRetention",
 "s3:PutObjectTagging",
 "s3:PutObjectAcl"
 ]
 resources = [
- "${aws_s3_bucket.data_bucket.arn}/*",
- "${aws_s3_bucket.code_bucket.arn}/*"
+ "${aws_s3_bucket.extract_bucket.arn}/*",
+ "${aws_s3_bucket.transform_bucket.arn}/*",
+ "${aws_s3_bucket.lambda_bucket.arn}/*",
 ]
 }
-}
\ No newline at end of file
+}
+
+# write policy
+resource "aws_iam_policy" "s3_policy" {
+ policy = data.aws_iam_policy_document.s3_data_policy_doc.json
+}
+
+# attach policy to role
+resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
+ role = aws_iam_role.bentley_service_role.name
+ policy_arn = aws_iam_policy.s3_policy.arn
+}
+
+# lambda setup |
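Review bot: The new `resources` list grants `s3:PutObject` and `s3:PutObjectAcl` to `bentley_service_role` on `aws_s3_bucket.lambda_bucket`, and since that entry replaces `code_bucket` it presumably holds the Lambda deployment packages, which would let the runtime role overwrite the code it runs from; `"${aws_s3_bucket.lambda_bucket.arn}/*"` should be dropped from this statement or moved to a separate deploy-time identity unless the function genuinely writes there. `s3:PutObjectAcl` is only needed when objects are uploaded with an explicit ACL, so if the buckets have ACLs disabled it can be removed from the action list as well. `aws_iam_policy.s3_policy` sets neither `name` nor `description`, so Terraform will mint a random policy name that is hard to recognise in IAM audits; `name = "<project>-s3-write"` (placeholder) plus a one-line `description` fixes that. The comment on the policy document reads `# allows allows retention/tagging/access control settings` (doubled word), and `# lambda setup` now appears both after the role block and at the end of the file.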
