diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf
index 6fb7c013..8819b64f 100644
--- a/daac/distribution_bucket_policy.tf
+++ b/daac/distribution_bucket_policy.tf
@@ -33,9 +33,16 @@ data "aws_iam_policy_document" "distribution_bucket_policy_document" {
 }
 }
-resource "aws_s3_bucket_policy" "distribution_bucket_policy" {
+data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document" {
 for_each = local.distribution_bucket_oais
+ source_policy_documents = flatten([
+ data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json,
+ try(aws_s3_bucket_policy.allow_crud_from_consolidation["${local.prefix}-${each.key}"].policy, [])
+ ])
+}
+resource "aws_s3_bucket_policy" "consolidated_distribution_bucket_policy" {
+ for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document
 bucket = "${local.prefix}-${each.key}"
- policy = try(data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, null)
+ policy = each.value.json
 }
diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf
new file mode 100644
index 00000000..2df8a3bc
--- /dev/null
+++ b/daac/legacy_access_resources.tf
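Review bot: Two `aws_s3_bucket_policy` resources end up managing the same bucket whenever a distribution bucket is also one of the consolidation buckets (the `try(aws_s3_bucket_policy.allow_crud_from_consolidation[...].policy, [])` lookup anticipates exactly that overlap): `allow_crud_from_consolidation` puts its own policy on the bucket and `consolidated_distribution_bucket_policy` then overwrites it with the merged document, so the last `PutBucketPolicy` wins and the other resource reports drift on every subsequent plan. Only the merged resource should own the bucket policy; the cross-account statements belong in an `aws_iam_policy_document` data source that is fed into `source_policy_documents`, not in a second deployed policy (that change lives in legacy_access_resources.tf, so it cannot be quoted here). Renaming the resource from `distribution_bucket_policy` to `consolidated_distribution_bucket_policy` also makes Terraform delete the old policy before creating the new one, leaving a short window with no bucket policy and therefore no OAI access; if the Terraform version supports it, a `moved { from = aws_s3_bucket_policy.distribution_bucket_policy to = aws_s3_bucket_policy.consolidated_distribution_bucket_policy }` block keeps the existing state entry and avoids the recreate. A comment above the data source, `# merges the OAI read policy with the optional cross-account consolidation policy for the same bucket`, would spare the next reader the try()/flatten() puzzle.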
@@ -0,0 +1,49 @@
+resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" {
+ for_each = var.consolidation_acct_id != null ? merge(
+ aws_s3_bucket.public-bucket,
+ aws_s3_bucket.standard-bucket,
+ aws_s3_bucket.protected-bucket,
+ aws_s3_bucket.workflow-bucket
+ ) : {}
+ bucket = each.key
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "${each.key}-CrossAccountReadAccess",
+ Effect = "Allow"
+ Principal = {
+ AWS = local.consolidation_crud_roles
+ },
+
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ],
+
+ Resource = [
+ each.value.arn,
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "${each.key}-CrossAccountWriteAccess",
+ Effect = "Allow"
+ Principal = {
+ AWS = local.consolidation_crud_roles
+ },
+
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+
+ Resource = [
+ "${each.value.arn}/*"
+ ]
+ },
+ ]
+ })
+}
diff --git a/daac/locals.tf b/daac/locals.tf
index afa49286..d39003a4 100644
--- a/daac/locals.tf
+++ b/daac/locals.tf
@@ -1,6 +1,6 @@
 locals {
 prefix = "${var.DEPLOY_NAME}-cumulus-${var.MATURITY}"
-
+ consolidation_maturity = var.consolidation_maturity != null ? var.consolidation_maturity: var.MATURITY
 default_tags = {
 Deployment = local.prefix
 }
@@ -69,4 +69,9 @@ locals {
 local.internal_bucket_map,
 local.partner_bucket_map,
 )
+ # consolidation crud acct roles
+ consolidation_crud_roles = [
+ var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role",
+ var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ ]
 }
diff --git a/daac/variables.tf b/daac/variables.tf
index b44382c6..06a35b0f 100644
--- a/daac/variables.tf
+++ b/daac/variables.tf
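Review bot: The write statement grants `s3:PutObject` and `s3:PutObjectAcl` to roles in another account with no condition, so unless the target buckets use BucketOwnerEnforced object ownership (not visible in this diff) objects written by the consolidation roles are owned by that account and the roles can set arbitrary ACLs on them. Requiring `s3:x-amz-acl = bucket-owner-full-control` on the put actions keeps ownership with the bucket account and is harmless if ACLs are already disabled; because delete requests carry no ACL header, `s3:DeleteObject` has to move into its own statement or the condition would deny every delete. Keeping `s3:DeleteObject` without `s3:DeleteObjectVersion` is a good choice on versioned buckets and deserves a comment, e.g. `# no DeleteObjectVersion: cross-account deletes only add delete markers on versioned buckets`. `bucket = each.key` also assumes the keys of the merged `aws_s3_bucket` maps are real bucket names; if they are logical names, `each.value.bucket` is the safer reference.
```hcl
        # … unchanged: read statement …
        {
          Sid       = "${each.key}-CrossAccountWriteAccess"
          Effect    = "Allow"
          Principal = { AWS = local.consolidation_crud_roles }
          Action    = ["s3:PutObject", "s3:PutObjectAcl"]
          Resource  = ["${each.value.arn}/*"]
          # objects written from the consolidation account stay owned by this account
          Condition = {
            StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
          }
        },
        {
          # separate statement: delete requests carry no ACL header, so the
          # condition above would deny them
          Sid       = "${each.key}-CrossAccountDeleteAccess"
          Effect    = "Allow"
          Principal = { AWS = local.consolidation_crud_roles }
          Action    = ["s3:DeleteObject"]
          Resource  = ["${each.value.arn}/*"]
        },
```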
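Review bot: `var.consolidation_maturity: var.MATURITY` is missing the space before the colon that `terraform fmt` emits, and the hunk also drops the blank line that separated `prefix` from the rest of the block; `consolidation_maturity = var.consolidation_maturity != null ? var.consolidation_maturity : var.MATURITY` with the blank line restored. A short comment above it, `# maturity of the consolidation stack; defaults to this stack's MATURITY when unset`, would say why the two are allowed to differ. The `locals` block continues past the end of this hunk.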
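Review bot: When `consolidation_acct_id` is null, `consolidation_crud_roles` evaluates to `[null, null]` rather than an empty list; nothing renders it today because `allow_crud_from_consolidation` then has an empty `for_each`, but any later use of the local as a `Principal` would produce a malformed policy. Hoisting the null check outside the list yields `[]` in that case and evaluates the ternary once. The ARNs also hard-code the `aws` partition and the consolidation stack's role naming (`..._ecs_cluster_instance_role`, `...-lambda-processing`); S3 rejects a bucket policy whose principal role does not exist, so a naming mismatch fails loudly at apply time, but a comment naming where that convention comes from would help whoever next touches it. The `locals` block starts before this hunk.
```hcl
  # consolidation crud acct roles; empty when no consolidation account is configured.
  # Role names follow the consolidation stack's own naming convention.
  consolidation_crud_roles = var.consolidation_acct_id == null ? [] : [
    "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role",
    "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing",
  ]
```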
@@ -67,3 +67,21 @@ variable "s3_replicator_target_prefix" {
 default = null
 description = "Prefix that the S3 replicator will write logs to in the target bucket."
 }
+
+variable "consolidation_acct_id" {
+ type = string
+ description = "account id of relevant cumulus consolidation stack"
+ default = null
+}
+
+variable "consolidation_deploy_name" {
+ type = string
+ description = "deploy_name of relevant consolidation stack"
+ default = "willow"
+}
+
+variable "consolidation_maturity" {
+ type = string
+ description = "maturity of relevant consolidation stack"
+ default = null
+}
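Review bot: `consolidation_acct_id` is interpolated straight into IAM principal ARNs in locals.tf but is declared as a bare string with no validation, so a typo or a value with stray characters only surfaces at apply time as a rejected bucket policy. A `validation` block restricting it to null or exactly twelve digits catches that at plan time. `consolidation_deploy_name` defaulting to `"willow"` reads like one environment's value baked into the module; a `null` default would make the dependency on the consolidation stack explicit, at the cost of guarding it in the local alongside the account id. The descriptions could also state what the values are used for, e.g. `description = "AWS account id of the consolidation stack whose ECS and lambda roles get cross-account access to the DAAC buckets; null disables the grant"`.
```hcl
variable "consolidation_acct_id" {
  type        = string
  description = "account id of relevant cumulus consolidation stack"
  default     = null

  # the value becomes part of a bucket-policy principal ARN; reject anything
  # that is not a 12-digit account id before it reaches S3
  validation {
    condition     = var.consolidation_acct_id == null || can(regex("^[0-9]{12}$", var.consolidation_acct_id))
    error_message = "consolidation_acct_id must be null or a 12-digit AWS account id."
  }
}
```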