From 3c9293de9e64cbf0a3ce7193e4c43919826a51d6 Mon Sep 17 00:00:00 2001
From: Victor San Kho Lin
Date: Fri, 3 Jan 2025 10:57:22 +1100
Subject: [PATCH] data_archive TF: Added steps-s3-copy role for restore and share access from archive buckets

---
 .../unimelb/data_archive/analysis_archive.tf | 20 +++++++++++++++++
 .../unimelb/data_archive/fastq_archive.tf | 22 +++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/terraform/stacks/unimelb/data_archive/analysis_archive.tf b/terraform/stacks/unimelb/data_archive/analysis_archive.tf
index a42d5c8a..51956a90 100644
--- a/terraform/stacks/unimelb/data_archive/analysis_archive.tf
+++ b/terraform/stacks/unimelb/data_archive/analysis_archive.tf
@@ -135,6 +135,26 @@ data "aws_iam_policy_document" "analysis_archive" {
 "${aws_s3_bucket.analysis_archive.arn}/*",
 ])
 }
+
+ # Allow the steps-s3-copy role to restore and read to this bucket.
+ statement {
+ sid = "steps_s3_copy_restore_share_access"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.account_id_prod}:role/${local.steps_s3_copy_restore_share_role}"]
+ }
+ actions = sort([
+ # List is needed for aws s3 sync
+ "s3:ListBucket",
+ "s3:RestoreObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ ])
+ resources = sort([
+ aws_s3_bucket.analysis_archive.arn,
+ "${aws_s3_bucket.analysis_archive.arn}/*",
+ ])
+ }
 }
 
 # ------------------------------------------------------------------------------
diff --git a/terraform/stacks/unimelb/data_archive/fastq_archive.tf b/terraform/stacks/unimelb/data_archive/fastq_archive.tf
index b1f81943..d1a025bc 100644
--- a/terraform/stacks/unimelb/data_archive/fastq_archive.tf
+++ b/terraform/stacks/unimelb/data_archive/fastq_archive.tf
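Review bot: The new statement grants the sharing role `s3:GetObject`, `s3:GetObjectVersion` and `s3:RestoreObject` over the whole analysis archive bucket with no `condition` block, so a role that the locals hunk itself marks as a temporary WEHI data-sharing role can read, and trigger archive restores of, every object in the bucket; if sharing is per dataset, narrow the object-level `resources` to the shared prefixes (and gate `s3:ListBucket` with a `condition` on `s3:prefix`), and the same statement is added to `fastq_archive.tf` in that file's second hunk. The header comment says `# Allow the steps-s3-copy role to restore and read to this bucket.` but the role reads from the bucket, so `# Allow the steps-s3-copy role to restore and read objects from this bucket.` is what is meant. `local.steps_s3_copy_restore_share_role` is declared in `fastq_archive.tf`, which works because both files sit in one module but is invisible when reading this file on its own; a shared locals file would make the dependency explicit. The `aws_iam_policy_document` data block starts outside this hunk.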
@@ -5,6 +5,8 @@ locals {
 # The bucket holding all archived FASTQ data
 # fastq_archive_bucket_name = "${data.aws_caller_identity.current.account_id}-fastq-archive"
 fastq_archive_bucket_name = "archive-prod-fastq-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
+ # The role that the https://github.com/umccr/steps-s3-copy stack for data restore and data sharing
+ steps_s3_copy_restore_share_role = "umccr-wehi-data-sharing-role" # FIXME to be changed it to a more permanent data sharing role in future
 }
 
 ################################################################################
@@ -140,6 +142,26 @@ data "aws_iam_policy_document" "fastq_archive" {
 ])
 }
 
+ # Allow the steps-s3-copy role to restore and read to this bucket.
+ statement {
+ sid = "steps_s3_copy_restore_share_access"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.account_id_prod}:role/${local.steps_s3_copy_restore_share_role}"]
+ }
+ actions = sort([
+ # List is needed for aws s3 sync
+ "s3:ListBucket",
+ "s3:RestoreObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ ])
+ resources = sort([
+ aws_s3_bucket.fastq_archive.arn,
+ "${aws_s3_bucket.fastq_archive.arn}/*"
+ ])
+ }
+
 # Statement to allow access to any principal from the prod account
 statement {
 sid = "umccr_prod_account_access"
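Review bot: The comment on the new local is missing its verb and the trailing FIXME is garbled, so a reader cannot tell whether the steps-s3-copy stack assumes this role or is granted access by it; suggest `# The role that the https://github.com/umccr/steps-s3-copy stack assumes for data restore and data sharing` above the key and `# FIXME: replace with a more permanent data-sharing role` as the trailing comment. Because the bucket policies reference this role purely by name under `local.account_id_prod`, deleting and recreating the role in the prod account leaves those policies bound to the old principal's unique ID until Terraform is re-applied, which is worth a sentence in the comment. The `locals` block starts outside this hunk.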
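Review bot: The `resources` list in the new statement omits the trailing comma after `"${aws_s3_bucket.fastq_archive.arn}/*"`, unlike the otherwise identical statement added to `analysis_archive.tf`; HCL accepts both forms, but writing `"${aws_s3_bucket.fastq_archive.arn}/*",` keeps the two files consistent and lets later edits diff cleanly. The `aws_iam_policy_document` data block starts and ends outside this hunk.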