Merge pull request #524 from umccr/allow-steps-s3-copy-role

data_archive TF: Added steps-s3-copy role for restore and share access from archive buckets
umccr · Jan 6, 2025 · 4c236b9 · 4c236b9
2 parents 8a76af6 + 50a3463
commit 4c236b9
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/terraform/stacks/unimelb/data_archive/analysis_archive.tf b/terraform/stacks/unimelb/data_archive/analysis_archive.tf
@@ -135,6 +135,30 @@ data "aws_iam_policy_document" "analysis_archive" {
       "${aws_s3_bucket.analysis_archive.arn}/*",
     ])
   }
+
+  # Allow the steps-s3-copy role to restore and read to this bucket.
+  statement {
+    sid = "steps_s3_copy_restore_share_access"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id_prod}:role/${local.steps_s3_copy_restore_share_role}"]
+    }
+    actions = sort([
+      # List is needed for aws s3 sync
+      "s3:ListBucket",
+      "s3:RestoreObject",
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:GetObjectAttributes",
+      "s3:GetObjectVersionAttributes",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersionTagging",
+    ])
+    resources = sort([
+      aws_s3_bucket.analysis_archive.arn,
+      "${aws_s3_bucket.analysis_archive.arn}/*",
+    ])
+  }
 }
 
 # ------------------------------------------------------------------------------

diff --git a/terraform/stacks/unimelb/data_archive/fastq_archive.tf b/terraform/stacks/unimelb/data_archive/fastq_archive.tf
@@ -5,6 +5,8 @@ locals {
   # The bucket holding all archived FASTQ data
   # fastq_archive_bucket_name = "${data.aws_caller_identity.current.account_id}-fastq-archive"
   fastq_archive_bucket_name = "archive-prod-fastq-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
+  # The role that the https://github.com/umccr/steps-s3-copy stack for data restore and data sharing
+  steps_s3_copy_restore_share_role = "umccr-wehi-data-sharing-role"  # FIXME to be changed it to a more permanent data sharing role in future
 }
 
 ################################################################################
@@ -140,6 +142,30 @@ data "aws_iam_policy_document" "fastq_archive" {
     ])
   }
 
+  # Allow the steps-s3-copy role to restore and read to this bucket.
+  statement {
+    sid = "steps_s3_copy_restore_share_access"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id_prod}:role/${local.steps_s3_copy_restore_share_role}"]
+    }
+    actions = sort([
+      # List is needed for aws s3 sync
+      "s3:ListBucket",
+      "s3:RestoreObject",
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:GetObjectAttributes",
+      "s3:GetObjectVersionAttributes",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersionTagging",
+    ])
+    resources = sort([
+      aws_s3_bucket.fastq_archive.arn,
+      "${aws_s3_bucket.fastq_archive.arn}/*"
+    ])
+  }
+
   # Statement to allow access to any principal from the prod account
   statement {
 	  sid = "umccr_prod_account_access"