From 680e102f2bba45774e94c184647ad064e56ada2d Mon Sep 17 00:00:00 2001 From: Florian Reisinger Date: Tue, 28 Jan 2025 12:57:21 +1100 Subject: [PATCH] Fix minor bucket policy issues --- .../unimelb/data_archive/byob_ica_v2.tf | 93 +++++++++---------- 1 file changed, 45 insertions(+), 48 deletions(-) diff --git a/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf b/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf index 3b20b22c..93ea8f42 100644 --- a/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf +++ b/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf @@ -30,9 +30,6 @@ locals { # The role that the orcabus file manager uses to ingest events. orcabus_file_manager_ingest_role = "orcabus-file-manager-ingest-role" orcabus_data_mover_role = "orcabus-data-mover-role" - - # S3 Stops Copy Share role - steps_s3_copy_restore_share_role = "umccr-wehi-data-sharing-role" # FIXME to be changed it to a more permanent data sharing role in future } @@ -891,51 +888,51 @@ data "aws_iam_policy_document" "development_data" { ]) } - statement { - sid = "steps_s3_copy_restore_share_access_read" - principals { - type = "AWS" - identifiers = sort([ - "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}", - ]) - } - actions = sort([ - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:GetObject", - "s3:GetObjectTagging", - "s3:GetObjectVersionTagging", - "s3:GetObjectVersionTagging", - "s3:GetObjectAttributes" - ]) - resources = sort([ - aws_s3_bucket.development_data.arn, - "${aws_s3_bucket.development_data.arn}/*", - ]) - } - - statement { - sid = "steps_s3_copy_restore_share_access_write" - principals { - type = "AWS" - identifiers = sort([ - "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}", - ]) - } - actions = sort([ - "s3:AbortMultipartUpload", - "s3:PutObject", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging", - "s3:DeleteObject" - ]) - resources = sort([ - aws_s3_bucket.development_data.arn, - "${aws_s3_bucket.development_data.arn}/${local.icav2_prefix}${local.icav2_development_project_name}/${local.restored_data_prefix}*", - ]) - } + # statement { + # sid = "steps_s3_copy_restore_share_access_read" + # principals { + # type = "AWS" + # identifiers = sort([ + # "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}", + # ]) + # } + # actions = sort([ + # "s3:ListBucket", + # "s3:ListBucketMultipartUploads", + # "s3:ListMultipartUploadParts", + # "s3:AbortMultipartUpload", + # "s3:GetObject", + # "s3:GetObjectTagging", + # "s3:GetObjectVersionTagging", + # "s3:GetObjectVersionTagging", + # "s3:GetObjectAttributes" + # ]) + # resources = sort([ + # aws_s3_bucket.development_data.arn, + # "${aws_s3_bucket.development_data.arn}/*", + # ]) + # } + + # statement { + # sid = "steps_s3_copy_restore_share_access_write" + # principals { + # type = "AWS" + # identifiers = sort([ + # "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}", + # ]) + # } + # actions = sort([ + # "s3:AbortMultipartUpload", + # "s3:PutObject", + # "s3:PutObjectTagging", + # "s3:PutObjectVersionTagging", + # "s3:DeleteObject" + # ]) + # resources = sort([ + # aws_s3_bucket.development_data.arn, + # "${aws_s3_bucket.development_data.arn}/${local.icav2_prefix}${local.icav2_development_project_name}/${local.restored_data_prefix}*", + # ]) + # } statement { sid = "AccessPointDelegation"