
fix: iam bucket/object permissions (#14)
## Description
<!--- Describe your changes in detail -->

## Motivation and Context
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here. -->

## Breaking Changes
<!-- Does this break backwards compatibility with the current major
version? -->
<!-- If so, please provide an explanation why it is necessary. -->

## How Has This Been Tested?
- [ ] I have updated at least one of the `examples/*` to demonstrate and
validate my change(s)
- [ ] I have tested and validated these changes using one or more of the
provided `examples/*` projects
<!--- Users should start with an existing example as its written, deploy
it, then check their changes against it -->
<!--- This will highlight breaking/disruptive changes. Once you have
checked, deploy your changes to verify -->
<!--- Please describe how you tested your changes -->
- [ ] I have executed `pre-commit run -a` on my pull request
<!--- Please see
https://github.com/antonbabenko/pre-commit-terraform#how-to-install for
how to install -->
applike-ss authored Dec 19, 2023
1 parent e0d5024 commit aefb260
Showing 1 changed file with 26 additions and 5 deletions.
31 changes: 26 additions & 5 deletions main.tf
Expand Up @@ -6,13 +6,35 @@ locals {
data "aws_iam_policy_document" "policy" {
statement {
actions = [
"s3:HeadObject",
"s3:PutObject",
"s3:GetObject",
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListAllMyBuckets"
]
resources = [
"arn:aws:s3:::${module.this.environment}-flink-${module.this.aws_account_id}-${module.this.aws_region}",
"arn:aws:s3:::${module.this.namespace}-${module.this.organizational_unit}-datalake",
]
}
statement {
actions = [
"s3:Get*",
"s3:Delete*",
"s3:Put*",
"s3:AbortMultipartUpload",
"s3:ListBucket"
]
resources = [
"arn:aws:s3:::${module.this.environment}-datalake-${module.this.aws_account_id}-${module.this.aws_region}/flink/${module.this.tenant}/*",
"arn:aws:s3:::${module.this.environment}-flink-${module.this.aws_account_id}-${module.this.aws_region}/*",
"arn:aws:s3:::${module.this.namespace}-${module.this.organizational_unit}-datalake/*",
]
}
statement {
actions = [
"sts:AssumeRole",
]
resources = [
"*",
]
}
}
Expand Down Expand Up @@ -53,7 +75,6 @@ module "ecr_applications" {

context = module.this.context
name = each.key
delimiter = "/"
label_order = var.label_orders.ecr

force_delete = true
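Review bot: In the first hunk (the `aws_iam_policy_document`), the third statement grants `sts:AssumeRole` on `resources = ["*"]`, which lets this principal assume any role whose trust policy accepts it instead of only the role(s) the Flink job needs; whether or not that statement is new in this commit, it should be narrowed to explicit role ARNs, e.g. `resources = ["arn:aws:iam::${module.this.aws_account_id}:role/<TARGET_ROLE_NAME_PLACEHOLDER>"]`. The second statement's `s3:Get*`, `s3:Put*` and `s3:Delete*` wildcards also cover object actions such as `s3:PutObjectAcl` and `s3:DeleteObjectVersion` that the enumerated list in the first statement does not suggest are required; listing the object actions explicitly keeps the grant to least privilege. Two entries in the first statement look like no-ops against the bucket ARNs listed: `s3:HeadObject` does not appear to be an IAM action (HeadObject is authorized by `s3:GetObject`), and `s3:ListAllMyBuckets` only takes effect against a `*` resource, so both should be dropped or moved. A short comment above each statement naming the bucket-level vs object-level split, e.g. `# bucket-level actions: resources are bucket ARNs without /*`, would make that distinction clear to the next maintainer.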
