| author | Ellie <ecsymonds@gmail.com> | 2024-08-13 11:25:33 +0100 |
|---|---|---|
| committer | Ellie <ecsymonds@gmail.com> | 2024-08-13 11:25:33 +0100 |
| commit | c75e650dbeb1390336d15487a2c87c53337cd8dc (patch) | |
| tree | 4f2b411eeaf19b740d4403dc805b5d1ca7359d86 /terraform | |
| parent | 387552682b4a45faf80f0c0bbde8cff8d2a02027 (diff) | |
| download | de-project-bentley-c75e650dbeb1390336d15487a2c87c53337cd8dc.tar.gz de-project-bentley-c75e650dbeb1390336d15487a2c87c53337cd8dc.zip | |
infra(tf): add s3 policy for list & write
Diffstat (limited to 'terraform')
| -rw-r--r-- | terraform/iam.tf | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 7501373..b9919a5 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,5 +1,3 @@
-# define
-
 resource "aws_iam_role" "bentley_service_role" {
 assume_role_policy = <<EOF
 {
@@ -24,6 +22,27 @@ resource "aws_iam_role" "bentley_service_role" {
 EOF
 }
 
-# create
-
-# attach
\ No newline at end of file
+# s3 setup
+# allows to list and retrieve s3 buckets, and allows retention/tagging/access control settings
+data "aws_iam_policy_document" "s3_data_policy_doc" {
+ statement {
+ actions = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ resources = ["arn:aws:s3:::*"]
+ }
+
+ statement {
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectRetention",
+ "s3:PutObjectTagging",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "${aws_s3_bucket.data_bucket.arn}/*",
+ "${aws_s3_bucket.code_bucket.arn}/*"
+ ]
+ }
+}
\ No newline at end of file |
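Review bot: `s3:PutObjectAcl` in the second statement lets the role rewrite object ACLs on both buckets, which is the path by which objects become publicly readable unless the buckets' public access block settings forbid it; the commit title and the other actions only describe writing objects, so I would drop the line `"s3:PutObjectAcl"` or, if uploads genuinely need to set an ACL, keep it behind a `condition` block on the `s3:x-amz-acl` key limited to `bucket-owner-full-control`. The comment above the data source says "list and retrieve s3 buckets", but no `s3:GetObject` is granted, so I'd reword it to `# allows listing buckets and writing objects (plus retention/tagging/ACL) to the data and code buckets`. The document is only declared here: the removed `# attach` placeholder is not replaced by an `aws_iam_policy`/`aws_iam_role_policy_attachment` in this hunk, so presumably the attachment to bentley_service_role lives elsewhere and is worth confirming.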
