fix: attach bucket access policy to content bucket instead of assembler

byu-oit · Apr 10, 2024 · 710346e · 710346e
1 parent 93e82fc
commit 710346e
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 48 deletions.
diff --git a/iac/modules/app/content-bucket.tf b/iac/modules/app/content-bucket.tf
@@ -133,3 +133,35 @@ resource "aws_s3_bucket_versioning" "bucket_versioning" {
     status = "Enabled"
   }
 }
+
+resource "aws_s3_bucket_policy" "allow_builder_access" {
+  bucket = aws_s3_bucket.CdnContentBucket.id
+  policy = data.aws_iam_policy.CdnContentBucketAllowBuilderUpdates.arn
+}
+
+
+data  "aws_iam_policy" "CdnContentBucketAllowBuilderUpdates" {
+  name        = "CdnContentBucketAllowBuilderUpdates"
+  description = "Allows assembler to access s3 content bucket"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:ListBucket",
+          "s3:PutBucketWebsite",
+          "s3:Get*"
+        ],
+        "Resource" : "arn:aws:s3:::${aws_s3_bucket.CdnContentBucket.id}"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:*",
+        ],
+        "Resource" :"arn:aws:s3:::${aws_s3_bucket.CdnContentBucket.id}/*"
+      }
+    ]
+  })
+}
diff --git a/iac/modules/app/main.tf b/iac/modules/app/main.tf
@@ -62,42 +62,6 @@ resource "aws_iam_policy" "AllowCloudFrontInvalidation" {
   })
 }
 
-resource "aws_iam_policy" "CdnContentBucketAllowBuilderUpdates" {
-  name        = "CdnContentBucketAllowBuilderUpdates"
-  description = "Allows S3 Access From Assembler"
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "s3:ListBucket",
-          "s3:PutBucketWebsite",
-          "s3:Get*"
-        ],
-        "Resource" : "arn:aws:s3:::${aws_s3_bucket.CdnContentBucket.id}"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy" "S3ObjectAccess" {
-  name        = "S3ObjectAccess"
-  description = "Allows S3 Object Access From Assembler"
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "s3:*",
-        ],
-        "Resource" : "arn:aws:s3:::${aws_s3_bucket.CdnContentBucket.id}/*"
-      }
-    ]
-  })
-}
-
 data "aws_ecr_repository" "assembler_ecr_repo" {
   name = "${var.cdn_name}-assembler"
 }
@@ -144,18 +108,6 @@ resource "aws_iam_role_policy_attachment" "AllowAssemblerImageAccessAttachment"
   policy_arn = aws_iam_policy.AllowAssemblerImageAccess.arn
 }
 
-resource "aws_iam_role_policy_attachment" "S3ObjectAccess" {
-  depends_on = [aws_iam_policy.S3ObjectAccess, aws_iam_role.CdnBuilderRole]
-  role       = aws_iam_role.CdnBuilderRole.name
-  policy_arn = aws_iam_policy.S3ObjectAccess.arn
-}
-
-resource "aws_iam_role_policy_attachment" "CdnContentBucketAllowBuilderUpdates" {
-  depends_on = [aws_iam_policy.CdnContentBucketAllowBuilderUpdates, aws_iam_role.CdnBuilderRole]
-  role       = aws_iam_role.CdnBuilderRole.name
-  policy_arn = aws_iam_policy.CdnContentBucketAllowBuilderUpdates.arn
-}
-
 data "aws_iam_policy_document" "ecs_invokation_policy" {
   version = "2012-10-17"
   statement {