From 8b4e78b781617f68554efebcda75d982a382f650 Mon Sep 17 00:00:00 2001
From: Alex Schofield <git@ajschof.me>
Date: Mon, 19 Aug 2024 16:31:50 +0100
Subject: fix(tf): fix permissions for bucket/object access

---
 terraform/iam.tf | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/terraform/iam.tf b/terraform/iam.tf
index 0e5fa6d..7585ff8 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -28,17 +28,19 @@ resource "aws_iam_role" "multi_service_role" {
 ########################################################################
 # S3 SETUP                                                        
 # Description: allows allows retention/tagging/access control settings
-# Lambda IAM Policy for S3 Write
+# Lambda IAM Policy for S3
 ########################################################################
 
 # S3 DEFINE POLICY
 data "aws_iam_policy_document" "s3_data_policy_doc" {
   statement {
+    effect = "Allow"
     actions = [
       "s3:PutObject",
       "s3:PutObjectRetention",
       "s3:PutObjectTagging",
-      "s3:PutObjectAcl"
+      "s3:PutObjectAcl",
+      "s3:ListObjects"
     ]
     resources = [
       "${aws_s3_bucket.extract_bucket.arn}/*",
@@ -46,6 +48,17 @@ data "aws_iam_policy_document" "s3_data_policy_doc" {
       "${aws_s3_bucket.lambda_code_bucket.arn}/*",
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBuckets",
+      "s3:ListAllMyBuckets"
+    ]
+    resources = [
+      "arn:aws:s3:::*",
+    ]
+  }
 }
 
 
-- 
cgit v1.2.3