From a4b12df833a46505ead19c6a74a4f43e1e928b95 Mon Sep 17 00:00:00 2001 From: etcart Date: Sun, 23 Nov 2025 16:14:16 -0500 Subject: [PATCH 01/25] configurable external access to buckets for cross-account --- daac/locals.tf | 2 +- daac/policy.tf | 271 ++++++++++++++++++++++++++++++++++++++++++++++ daac/variables.tf | 18 +++ 3 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 daac/policy.tf diff --git a/daac/locals.tf b/daac/locals.tf index afa49286..eb2da4eb 100644 --- a/daac/locals.tf +++ b/daac/locals.tf @@ -1,6 +1,6 @@ locals { prefix = "${var.DEPLOY_NAME}-cumulus-${var.MATURITY}" - + consolidation_maturity = var.consolidation_maturity != null ? var.consolidation_maturity: var.MATURITY default_tags = { Deployment = local.prefix } diff --git a/daac/policy.tf b/daac/policy.tf new file mode 100644 index 00000000..c243bb82 --- /dev/null +++ b/daac/policy.tf 
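Review bot: The new local `consolidation_maturity = var.consolidation_maturity != null ? var.consolidation_maturity: var.MATURITY` reads more directly as `consolidation_maturity = coalesce(var.consolidation_maturity, var.MATURITY)` (equivalent provided an empty string is not a meaningful maturity here), and the missing space before `:` should be fixed either way. A one-line comment on why the local exists would help, e.g. `# maturity of the consolidation stack whose roles are granted bucket access; falls back to this deployment's maturity`. The `locals` block continues past the hunk.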
@@ -0,0 +1,271 @@
+resource "aws_s3_bucket_policy" "standard_cross_acoount_access" {
+ for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {}
+ bucket = each.key
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountWriteAccessEcs",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ {
+ Sid = "CrossAccountWriteAccessLambda",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ ]
+ })
+}
+
+resource "aws_s3_bucket_policy" "public_cross_acoount_access" {
+ for_each = var.consolidation_acct_id != null ?
aws_s3_bucket.public-bucket : {}
+ bucket = each.key
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountWriteAccessEcs",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ {
+ Sid = "CrossAccountWriteAccessLambda",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ ]
+ })
+}
+
+resource "aws_s3_bucket_policy" "protected_cross_acoount_access" {
+ for_each = var.consolidation_acct_id != null ?
aws_s3_bucket.protected-bucket : {}
+ bucket = each.key
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountReadAccessEcs"
+ Effect = "allow"
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "${each.value.arn}",
+ "${each.value.arn}/*"
+ ]
+ },
+ {
+ Sid = "CrossAccountWriteAccessEcs",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ {
+ Sid = "CrossAccountWriteAccessLambda",
+ Effect = "Allow",
+ Principal = {
+ AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+ },
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ Resource = "${each.value.arn}/*"
+ },
+ ]
+ })
+}
+
+resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" {
+ for_each = var.consolidation_acct_id != null ?
aws_s3_bucket.workflow-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountWriteAccessEcs", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + { + Sid = "CrossAccountWriteAccessLambda", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + ] + }) +} \ No newline at end of file diff --git a/daac/variables.tf b/daac/variables.tf index b44382c6..a069876d 100644 --- a/daac/variables.tf +++ b/daac/variables.tf 
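Review bot: In all four resources the two read statements use `Effect = "allow"` and both carry `Sid = "CrossAccountReadAccessEcs"`; the policy grammar is case-sensitive for `Effect` (`Allow`/`Deny`) and, as far as I recall, S3 rejects a bucket policy whose statement ids repeat, so `PutBucketPolicy` would fail on apply before any access is granted. Change both read statements to `Effect = "Allow"` and give the lambda one its own id, `Sid = "CrossAccountReadAccessLambda"`, matching the write statements. Granting `s3:PutObjectAcl` and `s3:DeleteObject` to a foreign account's roles is wider than "read/write"; if the consolidation stack only has to put objects, drop `s3:PutObjectAcl` and add a comment saying why delete is required. The four resources differ only in the bucket map they iterate, so a single resource over `merge()` of the four maps would keep the statements in one place.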
@@ -67,3 +67,21 @@ variable "s3_replicator_target_prefix" { default = null description = "Prefix that the S3 replicator will write logs to in the target bucket." } + +variable "consolidation_acct_id" { + type = string + description = "account id of relevant cumulus consolidation stack" + default = null +} + +variable "consolidation_deploy_name" { + type = string + description = "deploy_name of relevant consolidation stack" + default = "willow" +} + +variable "consolidation_maturity" { + type = string + description = "maturity of relevant consolidation stack" + default = null +} \ No newline at end of file From bdc39d89036d8846696c5c3f0cec0f1f9d4147e6 Mon Sep 17 00:00:00 2001 From: etcart <37375117+etcart@users.noreply.github.com> Date: Mon, 24 Nov 2025 12:08:40 -0500 Subject: [PATCH 02/25] Update daac/policy.tf Co-authored-by: Matt Perry --- daac/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/policy.tf b/daac/policy.tf index c243bb82..faca7aae 100644 --- a/daac/policy.tf +++ b/daac/policy.tf @@ -158,7 +158,7 @@ resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { }, { Sid = "CrossAccountReadAccessEcs" - Effect = "allow" + Effect = "Allow" Principal = { AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" } From 2f303f83afc9c2ff252b3eabf10918368964e598 Mon Sep 17 00:00:00 2001 From: etcart <37375117+etcart@users.noreply.github.com> Date: Mon, 24 Nov 2025 12:15:12 -0500 Subject: [PATCH 03/25] Update daac/policy.tf Co-authored-by: Matt Perry --- daac/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/policy.tf b/daac/policy.tf index faca7aae..d00c2e33 100644 --- a/daac/policy.tf +++ b/daac/policy.tf 
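Review bot: `consolidation_deploy_name` defaults to the concrete value `"willow"` while `consolidation_acct_id` and `consolidation_maturity` default to `null`, so a deployment that sets only the account id silently trusts roles named after one particular foreign stack. Default it to `null` as well and enforce that the three are set together with a `precondition` on the policy resource (a `validation` block cannot reference other variables). The descriptions should also say what trust is being granted, e.g. `description = "AWS account id of the consolidation stack; when set, that stack's ECS cluster and lambda-processing roles are granted read/write access to this deployment's buckets."`. The `s3_replicator_target_prefix` variable above is context only.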
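Review bot: This corrects the lowercase `Effect = "allow"` in one read statement of `protected_cross_acoount_access`, but the same value remains in the two read statements of the standard and public bucket policies added in PATCH 01 (their `Sid = "CrossAccountReadAccessEcs"` statements), which PATCH 03–05 also leave untouched, so those two policies would still be rejected on apply. The duplicate `Sid` shared by the ECS and lambda read statements, visible in the hunk's context line, is not addressed either. The resource body continues on both sides of the hunk.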
@@ -210,7 +210,7 @@ resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { Statement = [ { Sid = "CrossAccountReadAccessEcs" - Effect = "allow" + Effect = "Allow" Principal = { AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" } From 1cc7f9f19bb0867e8645d82f0c7c46aa859df7f5 Mon Sep 17 00:00:00 2001 From: etcart <37375117+etcart@users.noreply.github.com> Date: Mon, 24 Nov 2025 12:15:30 -0500 Subject: [PATCH 04/25] Update daac/policy.tf Co-authored-by: Matt Perry --- daac/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/policy.tf b/daac/policy.tf index d00c2e33..8f3c3ae0 100644 --- a/daac/policy.tf +++ b/daac/policy.tf @@ -226,7 +226,7 @@ resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { }, { Sid = "CrossAccountReadAccessEcs" - Effect = "allow" + Effect = "Allow" Principal = { AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" } From 9ee223f4960c07e15ce552cbaa5610d8b0dec338 Mon Sep 17 00:00:00 2001 From: etcart <37375117+etcart@users.noreply.github.com> Date: Mon, 24 Nov 2025 12:16:05 -0500 Subject: [PATCH 05/25] Update daac/policy.tf Co-authored-by: Matt Perry --- daac/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/policy.tf b/daac/policy.tf index 8f3c3ae0..2386ff70 100644 --- a/daac/policy.tf +++ b/daac/policy.tf @@ -142,7 +142,7 @@ resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { Statement = [ { Sid = "CrossAccountReadAccessEcs" - Effect = "allow" + Effect = "Allow" Principal = { AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" } From 1d8ce047bab087cb2a7b730df0710c409b5f5339 Mon Sep 17 00:00:00 2001 
From: etcart Date: Mon, 24 Nov 2025 15:55:28 -0500 Subject: [PATCH 06/25] WIP checking on access_point --- daac/policy.tf | 73 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 61 insertions(+), 12 deletions(-) diff --git a/daac/policy.tf b/daac/policy.tf index 2386ff70..708be524 100644 --- a/daac/policy.tf +++ b/daac/policy.tf @@ -1,6 +1,7 @@ -resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { +resource "aws_s3_access_point" "standard_cross_account_access_point" { for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {} bucket = each.key + name = "${each.key}-ap" policy = jsonencode({ Version = "2012-10-17", Statement = [ @@ -16,7 +17,7 @@ resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -32,7 +33,7 @@ resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, 
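Review bot: The resource type becomes `aws_s3_access_point`, but the attached `policy` is still written against the bucket: its `Resource` entries are `each.value.arn` and `"${each.value.arn}/*"` (bucket ARNs), and the first read statement keeps `Effect = "allow"`. An access point policy has to name the access point itself (the `aws_s3_access_point` ARN and `<access point arn>/object/*`, the form PATCH 08 later uses) for a request through it to be authorized, so as written the policy matches nothing or is rejected. `name = "${each.key}-ap"` is derived from a bucket name; access point names have their own length and character constraints, so a long bucket name may fail here — worth a `precondition` or a comment stating the assumed bucket-name length. The resource body continues below the hunk; the other two hunks on this line only drop redundant interpolation.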
@@ -65,8 +66,56 @@ resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { ] }) } +resource "aws_s3_bucket_policy" "standard_cross_account_access" { + for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccess" + Effect = "allow" + Principal = { + AWS = "*" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + each.value.arn, + "${each.value.arn}/*" + ] + Condition = { + StringEquals = { + "s3:DataAccessPointAccount" = var.consolidation_acct_id + } + } + }, + { + Sid = "CrossAccountWriteAccess", + Effect = "Allow", + Principal = { + AWS = "*" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + Condition = { + StringEquals = { + "s3:DataAccessPointAccount" = var.consolidation_acct_id + } + } + }, + ] + }) +} -resource "aws_s3_bucket_policy" "public_cross_acoount_access" { +resource "aws_s3_bucket_policy" "public_cross_account_access" { for_each = var.consolidation_acct_id != null ? aws_s3_bucket.public-bucket : {} bucket = each.key policy = jsonencode({ @@ -84,7 +133,7 @@ resource "aws_s3_bucket_policy" "public_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -100,7 +149,7 @@ resource "aws_s3_bucket_policy" "public_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -134,7 +183,7 @@ resource "aws_s3_bucket_policy" "public_cross_acoount_access" { }) } -resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { +resource "aws_s3_bucket_policy" "protected_cross_account_access" { for_each = var.consolidation_acct_id != null ? aws_s3_bucket.protected-bucket : {} bucket = each.key policy = jsonencode({ 
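Review bot: The new `standard_cross_account_access` bucket policy sets `Principal = { AWS = "*" }` and relies entirely on `"s3:DataAccessPointAccount" = var.consolidation_acct_id`, while its read statement still has `Effect = "allow"`. Delegating authorization to an access point is a documented pattern, but this condition trusts every access point that account ever creates, and the access point added in the first hunk has no `bucket_account_id`, so it is owned by this account and would not satisfy the condition at all; either the access point belongs to the consolidation account, or the bucket side should pin the specific access point with `"s3:DataAccessPointArn" = aws_s3_access_point.standard_cross_account_access_point[each.key].arn`. Since the commit is marked WIP, a comment above `policy` stating which of the two models is intended would save the next reader from guessing. The remaining hunks on this line only rename resources and drop redundant interpolation.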
@@ -152,7 +201,7 @@ resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -168,7 +217,7 @@ resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -202,7 +251,7 @@ resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { }) } -resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { +resource "aws_s3_bucket_policy" "workflow_bucket_cross_account_access" { for_each = var.consolidation_acct_id != null ? aws_s3_bucket.workflow-bucket : {} bucket = each.key policy = jsonencode({ @@ -220,7 +269,7 @@ resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, @@ -236,7 +285,7 @@ resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { "s3:ListBucket" ] Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, From e5a296076ad458994c07c192e790aa0e16671df1 Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 25 Nov 2025 11:29:21 -0500 Subject: [PATCH 07/25] moving tenant resources to access point policy --- daac/locals.tf | 5 + daac/policy.tf | 320 -------------------------------- daac/tenant_access_resources.tf | 60 ++++++ 3 files changed, 65 insertions(+), 320 deletions(-) delete mode 100644 daac/policy.tf create mode 100644 daac/tenant_access_resources.tf diff --git a/daac/locals.tf b/daac/locals.tf index eb2da4eb..86b296a1 100644 --- a/daac/locals.tf +++ b/daac/locals.tf 
@@ -69,4 +69,9 @@ locals { local.internal_bucket_map, local.partner_bucket_map, ) + # orchestrator crud acct roles + orchestrator_crud_roles = [ + "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role", + "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + ] } diff --git a/daac/policy.tf b/daac/policy.tf deleted file mode 100644 index 708be524..00000000 --- a/daac/policy.tf +++ /dev/null 
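Review bot: `orchestrator_crud_roles` interpolates `var.consolidation_acct_id` unconditionally, and that variable defaults to `null` (PATCH 01); Terraform refuses a null inside a `${}` template, so deployments that do not set the account id will most likely fail at plan time even though the policy resource guards on `!= null`. Guard the local the same way, `orchestrator_crud_roles = var.consolidation_acct_id == null ? [] : [ ... ]`, and make the comment say what the ARNs are, e.g. `# roles in the consolidation account allowed to read/write this deployment's buckets (ECS cluster instances and lambda processing)`. The `locals` block starts above the hunk.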
@@ -1,320 +0,0 @@
-resource "aws_s3_access_point" "standard_cross_account_access_point" {
- for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {}
- bucket = each.key
- name = "${each.key}-ap"
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountWriteAccessEcs",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- {
- Sid = "CrossAccountWriteAccessLambda",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- ]
- })
-}
-resource "aws_s3_bucket_policy" "standard_cross_account_access" {
- for_each = var.consolidation_acct_id != null ?
aws_s3_bucket.standard-bucket : {}
- bucket = each.key
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "CrossAccountReadAccess"
- Effect = "allow"
- Principal = {
- AWS = "*"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- Condition = {
- StringEquals = {
- "s3:DataAccessPointAccount" = var.consolidation_acct_id
- }
- }
- },
- {
- Sid = "CrossAccountWriteAccess",
- Effect = "Allow",
- Principal = {
- AWS = "*"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- Condition = {
- StringEquals = {
- "s3:DataAccessPointAccount" = var.consolidation_acct_id
- }
- }
- },
- ]
- })
-}
-
-resource "aws_s3_bucket_policy" "public_cross_account_access" {
- for_each = var.consolidation_acct_id != null ? aws_s3_bucket.public-bucket : {}
- bucket = each.key
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountWriteAccessEcs",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- {
- Sid = "CrossAccountWriteAccessLambda",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- ]
- })
-}
-
-resource "aws_s3_bucket_policy" "protected_cross_account_access" {
- for_each = var.consolidation_acct_id != null ? aws_s3_bucket.protected-bucket : {}
- bucket = each.key
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "Allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "Allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountWriteAccessEcs",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- {
- Sid = "CrossAccountWriteAccessLambda",
- Effect = "Allow",
- Principal = {
- AWS =
"arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- ]
- })
-}
-
-resource "aws_s3_bucket_policy" "workflow_bucket_cross_account_access" {
- for_each = var.consolidation_acct_id != null ? aws_s3_bucket.workflow-bucket : {}
- bucket = each.key
- policy = jsonencode({
- Version = "2012-10-17",
- Statement = [
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "Allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountReadAccessEcs"
- Effect = "Allow"
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- }
- Action = [
- "s3:GetObject",
- "s3:GetObjectVersion",
- "s3:ListBucket"
- ]
- Resource = [
- each.value.arn,
- "${each.value.arn}/*"
- ]
- },
- {
- Sid = "CrossAccountWriteAccessEcs",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- {
- Sid = "CrossAccountWriteAccessLambda",
- Effect = "Allow",
- Principal = {
- AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
- },
- Action = [
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteObject"
- ],
- Resource = "${each.value.arn}/*"
- },
- ]
- })
-}
\ No
newline at end of file diff --git a/daac/tenant_access_resources.tf b/daac/tenant_access_resources.tf new file mode 100644 index 00000000..fb154435 --- /dev/null +++ b/daac/tenant_access_resources.tf @@ -0,0 +1,60 @@ +resource "aws_s3_bucket_policy" "allow_crud_from_orchestrator" { + for_each = var.consolidation_acct_id != null ? merge( + aws_s3_bucket.public-bucket, + aws_s3_bucket.standard-bucket, + aws_s3_bucket.protected-bucket, + aws_s3_bucket.workflow-bucket + ) : {} + bucket = each.key + policy = jsonencode({ + + Version = "2012-10-17", + Statement = [ + { + Sid = "${each.key}-CrossAccountReadAccess", + Effect = "Allow" + Principal = { + AWS = local.orchestrator_crud_roles + }, + + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ], + + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ], + Condition = { + StringEquals = { + "s3:DataAccessPointAccount" = var.consolidation_acct_id + } + } + }, + { + Sid = "${each.key}-CrossAccountWriteAccess", + Effect = "Allow" + Principal = { + AWS = local.orchestrator_crud_roles + }, + + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + + Resource = [ + "${each.value.arn}/*" + ], + Condition = { + StringEquals = { + "s3:DataAccessPointAccount" = var.consolidation_acct_id + } + } + }, + ] + }) +} From 70d977708d5503f14702084aea532d9ba00d7429 Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 25 Nov 2025 15:39:40 -0500 Subject: [PATCH 08/25] orchestrator and tenant policy deploys --- daac/locals.tf | 4 +- daac/orchestrator_access_resources.tf | 55 +++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 daac/orchestrator_access_resources.tf diff --git a/daac/locals.tf b/daac/locals.tf index 86b296a1..bbb5fd3a 100644 --- a/daac/locals.tf +++ b/daac/locals.tf 
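Review bot: `allow_crud_from_orchestrator` names the two consolidation-account roles as `Principal` and additionally requires `"s3:DataAccessPointAccount" = var.consolidation_acct_id`, which only holds for requests arriving through an access point owned by that account; this commit deletes the module's access point resource and creates none here, so unless the consolidation stack creates its own access points to these buckets (not visible in this series) the named roles are denied direct access and the policy grants nothing. Pick one model — drop the `Condition` for direct role access, or keep it and add a comment naming the access point the other account must create — rather than combining both. `Sid = "${each.key}-CrossAccountReadAccess"` embeds a bucket name, and as far as I know hyphens are not valid in a `Sid`, so a fixed `Sid = "CrossAccountReadAccess"` is safer; `"${each.value.arn}"` can also be written `each.value.arn` as the deleted file already did. Since `aws_s3_bucket_policy` is one policy per bucket, this will conflict with any other policy resource in the module that already targets the public, standard, protected or workflow buckets. The deletion hunk above is pure history and needs no comment.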
@@ -71,7 +71,7 @@ locals { ) # orchestrator crud acct roles orchestrator_crud_roles = [ - "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role", - "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role", + var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" ] } diff --git a/daac/orchestrator_access_resources.tf b/daac/orchestrator_access_resources.tf new file mode 100644 index 00000000..7b741f00 --- /dev/null +++ b/daac/orchestrator_access_resources.tf 
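Review bot: Guarding each element with `var.consolidation_acct_id == null ? null : ...` leaves `orchestrator_crud_roles` as `[null, null]` when the account id is unset, which `jsonencode` would emit as a `Principal` if the list is ever used without the matching `for_each` guard. Guarding the whole list once, `orchestrator_crud_roles = var.consolidation_acct_id == null ? [] : [ ... ]`, removes the repeated expression and makes the empty case self-describing. The `locals` block starts above the hunk.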
@@ -0,0 +1,55 @@ +variable tenant_account_id_bucket_mapping { + type = map(list(string)) +} + +resource "aws_s3_access_point" "tenant_bucket_access" { + for_each = merge(flatten([ + for account_id, buckets in var.tenant_account_id_bucket_mapping : { + for bucket in buckets : bucket => account_id + } + ] + )...) + # for_each = [{bucket_name='ob-cumulus-sit-private', id="12345"}] + bucket = each.key + name = "${each.key}-access-point" + bucket_account_id = each.value +} + +resource "aws_s3control_access_point_policy" "tenant_ap_policy" { + for_each = aws_s3_access_point.tenant_bucket_access + access_point_arn = each.value.arn + policy = jsonencode({ + Version = "2008-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Principal = { + AWS = data.aws_caller_identity.current.account_id + } + Resource = [ + "${each.value.arn}/object/*", + "${each.value.arn}" + ] + }, + { + Effect = "Allow" + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ] + Principal = { + AWS = data.aws_caller_identity.current.account_id + } + Resource = [ + "${each.value.arn}/object/*" + ] + } + ] + }) +} \ No newline at end of file From ab784e06d215bc20b9bff12152204bdc977b4abd Mon Sep 17 00:00:00 2001 From: etcart Date: Fri, 28 Nov 2025 11:23:35 -0500 Subject: [PATCH 09/25] name change and add default mapping null --- daac/locals.tf | 4 +- daac/orchestrator_access_resources.tf | 17 +- daac/policy.tf | 271 ++++++++++++++++++++++++++ daac/tenant_access_resources.tf | 6 +- daac/variables.tf | 7 +- 5 files changed, 288 insertions(+), 17 deletions(-) create mode 100644 daac/policy.tf diff --git a/daac/locals.tf b/daac/locals.tf index bbb5fd3a..d39003a4 100644 --- a/daac/locals.tf +++ b/daac/locals.tf 
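Review bot: `tenant_ap_policy` sets `Principal = { AWS = data.aws_caller_identity.current.account_id }`, which is the account-root principal: any IAM role or user in this account with a matching identity policy can read, write and delete through these access points, whereas the bucket side of this series names specific roles. If the intent is symmetric, list this deployment's ECS and lambda role ARNs instead of the account id, and add a comment above `Principal` saying who is meant to use the access point. `variable tenant_account_id_bucket_mapping` has no `default`, so every existing deployment's plan now prompts for it; `default = null` (or `{}`) keeps the feature opt-in, and the variable belongs in variables.tf with a `description` of the expected shape, e.g. `{ "<account id>" = ["<bucket name>", ...] }`. `Version = "2008-10-17"` is the older policy-language version while the rest of the module uses `"2012-10-17"`, and the commented-out `# for_each = [{bucket_name=...` line should go.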
@@ -69,8 +69,8 @@ locals { local.internal_bucket_map, local.partner_bucket_map, ) - # orchestrator crud acct roles - orchestrator_crud_roles = [ + # consolidation crud acct roles + consolidation_crud_roles = [ var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role", var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" ] diff --git a/daac/orchestrator_access_resources.tf b/daac/orchestrator_access_resources.tf index 7b741f00..73459d62 100644 --- a/daac/orchestrator_access_resources.tf +++ b/daac/orchestrator_access_resources.tf @@ -1,22 +1,17 @@ -variable tenant_account_id_bucket_mapping { - type = map(list(string)) -} - -resource "aws_s3_access_point" "tenant_bucket_access" { - for_each = merge(flatten([ - for account_id, buckets in var.tenant_account_id_bucket_mapping : { +resource "aws_s3_access_point" "legacy_bucket_access" { + for_each = var.legacy_account_id_bucket_mapping != null ? merge(flatten([ + for account_id, buckets in var.legacy_account_id_bucket_mapping : { for bucket in buckets : bucket => account_id } ] - )...) - # for_each = [{bucket_name='ob-cumulus-sit-private', id="12345"}] + )...) : {} bucket = each.key name = "${each.key}-access-point" bucket_account_id = each.value } -resource "aws_s3control_access_point_policy" "tenant_ap_policy" { - for_each = aws_s3_access_point.tenant_bucket_access +resource "aws_s3control_access_point_policy" "legacy_ap_policy" { + for_each = aws_s3_access_point.legacy_bucket_access access_point_arn = each.value.arn policy = jsonencode({ Version = "2008-10-17" diff --git a/daac/policy.tf b/daac/policy.tf new file mode 100644 index 00000000..c243bb82 --- /dev/null +++ b/daac/policy.tf 
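Review bot: `legacy_bucket_access` now guards on `var.legacy_account_id_bucket_mapping != null`, but the variable block was removed from this file and the variables.tf hunk that presumably declares it lies outside this chunk; the guard is only right if the type stays `map(list(string))` with `default = null`, and the declaration should carry a `description` stating that each key is the legacy account owning the listed buckets. Separately, the diffstat and `index 00000000..c243bb82` line in this commit re-create `daac/policy.tf` from the same blob PATCH 01 added, so the lowercase `Effect = "allow"` and duplicate `Sid = "CrossAccountReadAccessEcs"` that PATCH 02–05 corrected and PATCH 07 deleted come back verbatim, next to `allow_crud_from_orchestrator` which already targets the same buckets; with one bucket policy per bucket, the two resources would fight over each bucket's policy. This looks like a rebase artifact rather than an intended restore. The `aws_s3control_access_point_policy` body continues below the hunk.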
@@ -0,0 +1,271 @@ +resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { + for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountWriteAccessEcs", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + { + Sid = "CrossAccountWriteAccessLambda", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + ] + }) +} + +resource "aws_s3_bucket_policy" "public_cross_acoount_access" { + for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.public-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountWriteAccessEcs", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + { + Sid = "CrossAccountWriteAccessLambda", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + ] + }) +} + +resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { + for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.protected-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountWriteAccessEcs", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + { + Sid = "CrossAccountWriteAccessLambda", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + ] + }) +} + +resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { + for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.workflow-bucket : {} + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountReadAccessEcs" + Effect = "allow" + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + } + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + Resource = [ + "${each.value.arn}", + "${each.value.arn}/*" + ] + }, + { + Sid = "CrossAccountWriteAccessEcs", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + { + Sid = "CrossAccountWriteAccessLambda", + Effect = "Allow", + Principal = { + AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" + }, + Action = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject" + ], + Resource = "${each.value.arn}/*" + }, + ] + }) +} \ No newline at end of file diff --git a/daac/tenant_access_resources.tf b/daac/tenant_access_resources.tf index fb154435..7d7fcdd7 100644 --- a/daac/tenant_access_resources.tf +++ b/daac/tenant_access_resources.tf 
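Review bot: `Effect = "allow"` on the two read statements of every resource in policy.tf is not a valid IAM effect — the value is case-sensitive (`Allow`/`Deny`) and S3 rejects the policy as malformed, so these four `aws_s3_bucket_policy` resources cannot be applied as written. The ECS and Lambda read statements also share `Sid = "CrossAccountReadAccessEcs"`; bucket-policy Sids must be unique, so the second should be `Sid = "CrossAccountReadAccessLambda"` to match the write pair. Independently, each of these resources attaches a second `aws_s3_bucket_policy` to buckets that `allow_crud_from_consolidation` already manages (its `for_each` merges the public and standard bucket maps), and since a bucket has exactly one policy the two resources overwrite each other on every apply; later patches in this series delete policy.tf, which resolves that. The resource names also carry the typo `acoount`.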
@@ -1,4 +1,4 @@ -resource "aws_s3_bucket_policy" "allow_crud_from_orchestrator" { +resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { for_each = var.consolidation_acct_id != null ? merge( aws_s3_bucket.public-bucket, aws_s3_bucket.standard-bucket, @@ -14,7 +14,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_orchestrator" { Sid = "${each.key}-CrossAccountReadAccess", Effect = "Allow" Principal = { - AWS = local.orchestrator_crud_roles + AWS = local.consolidation_crud_roles }, Action = [ @@ -37,7 +37,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_orchestrator" { Sid = "${each.key}-CrossAccountWriteAccess", Effect = "Allow" Principal = { - AWS = local.orchestrator_crud_roles + AWS = local.consolidation_crud_roles }, Action = [ diff --git a/daac/variables.tf b/daac/variables.tf index a069876d..eefb1efa 100644 --- a/daac/variables.tf +++ b/daac/variables.tf @@ -84,4 +84,9 @@ variable "consolidation_maturity" { type = string description = "maturity of relevant consolidation stack" default = null -} \ No newline at end of file +} +variable legacy_account_id_bucket_mapping { + type = map(list(string)) + description = "mapping of legacy daac account Ids to buckets in format {: [, ...]}" + default = null +} From 760e0eb9846e8a65a8e01d5f1ff89c0835601f07 Mon Sep 17 00:00:00 2001 From: etcart Date: Fri, 28 Nov 2025 11:56:30 -0500 Subject: [PATCH 10/25] rename for consolidation/legacy scheme --- ...ator_access_resources.tf => consolidation_access_resources.tf} | 0 daac/{tenant_access_resources.tf => legacy_access_resources.tf} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename daac/{orchestrator_access_resources.tf => consolidation_access_resources.tf} (100%) rename daac/{tenant_access_resources.tf => legacy_access_resources.tf} (100%) 
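Review bot: The description of `legacy_account_id_bucket_mapping` reads `{: [, ...]}`, which appears to have lost its placeholder tokens (presumably angle-bracketed names stripped on the way in), so it no longer tells the operator what the keys and values are. Spelling them out in words avoids the problem: `description = "map of legacy DAAC account id to the list of bucket names in that account that the consolidation stack may access"`. The `map(list(string))` type with `default = null` otherwise matches how the consumer in consolidation_access_resources.tf tests for `!= null`.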
diff --git a/daac/orchestrator_access_resources.tf b/daac/consolidation_access_resources.tf similarity index 100% rename from daac/orchestrator_access_resources.tf rename to daac/consolidation_access_resources.tf diff --git a/daac/tenant_access_resources.tf b/daac/legacy_access_resources.tf similarity index 100% rename from daac/tenant_access_resources.tf rename to daac/legacy_access_resources.tf From b02c3f587648397f0b1f3992ca89f789c6b2f86c Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 2 Dec 2025 13:44:27 -0500 Subject: [PATCH 11/25] fix for iams getting mangeld --- daac/legacy_access_resources.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf index 7d7fcdd7..a93af912 100644 --- a/daac/legacy_access_resources.tf +++ b/daac/legacy_access_resources.tf @@ -14,7 +14,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Sid = "${each.key}-CrossAccountReadAccess", Effect = "Allow" Principal = { - AWS = local.consolidation_crud_roles + AWS = "*" }, Action = [ @@ -37,7 +37,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Sid = "${each.key}-CrossAccountWriteAccess", Effect = "Allow" Principal = { - AWS = local.consolidation_crud_roles + AWS = "*" }, Action = [ From 612b98656f15934388c4799db6081234bf7dd9e2 Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 2 Dec 2025 13:59:56 -0500 Subject: [PATCH 12/25] removing ap stuff --- daac/consolidation_access_resources.tf | 50 -------------------------- daac/legacy_access_resources.tf | 18 +++------- 2 files changed, 4 insertions(+), 64 deletions(-) delete mode 100644 daac/consolidation_access_resources.tf diff --git a/daac/consolidation_access_resources.tf b/daac/consolidation_access_resources.tf deleted file mode 100644 index 73459d62..00000000 --- a/daac/consolidation_access_resources.tf +++ /dev/null 
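Review bot: `AWS = "*"` on both the read and write statements of `allow_crud_from_consolidation` turns them into any-principal grants, so their safety now rests entirely on a `Condition` that neither hunk shows (the next patch's removal reveals a `s3:DataAccessPointAccount` condition existed); the resource body continues outside both hunks. A comment beside each wildcard should make that dependency explicit, e.g. `# wildcard principal: access is restricted by the s3:DataAccessPointAccount condition below`, so that dropping the condition is recognised as a change of trust boundary rather than cleanup. The commit message's "iams getting mangled" presumably refers to AWS rewriting role ARNs in the policy to principal IDs when a referenced role is deleted and recreated; if so, the durable fix is apply ordering against the consolidation stack's roles rather than widening the principal, and that reasoning belongs in the commit message or a comment.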
@@ -1,50 +0,0 @@ -resource "aws_s3_access_point" "legacy_bucket_access" { - for_each = var.legacy_account_id_bucket_mapping != null ? merge(flatten([ - for account_id, buckets in var.legacy_account_id_bucket_mapping : { - for bucket in buckets : bucket => account_id - } - ] - )...) : {} - bucket = each.key - name = "${each.key}-access-point" - bucket_account_id = each.value -} - -resource "aws_s3control_access_point_policy" "legacy_ap_policy" { - for_each = aws_s3_access_point.legacy_bucket_access - access_point_arn = each.value.arn - policy = jsonencode({ - Version = "2008-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Principal = { - AWS = data.aws_caller_identity.current.account_id - } - Resource = [ - "${each.value.arn}/object/*", - "${each.value.arn}" - ] - }, - { - Effect = "Allow" - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ] - Principal = { - AWS = data.aws_caller_identity.current.account_id - } - Resource = [ - "${each.value.arn}/object/*" - ] - } - ] - }) -} \ No newline at end of file diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf index a93af912..03c5bdc2 100644 --- a/daac/legacy_access_resources.tf +++ b/daac/legacy_access_resources.tf @@ -14,7 +14,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Sid = "${each.key}-CrossAccountReadAccess", Effect = "Allow" Principal = { - AWS = "*" + AWS = local.consolidation_crud_roles }, Action = [ @@ -26,18 +26,13 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Resource = [ "${each.value.arn}", "${each.value.arn}/*" - ], - Condition = { - StringEquals = { - "s3:DataAccessPointAccount" = var.consolidation_acct_id - } - } + ] }, { Sid = "${each.key}-CrossAccountWriteAccess", Effect = "Allow" Principal = { - AWS = "*" + AWS = local.consolidation_crud_roles }, Action = [ 
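Review bot: Restoring `AWS = local.consolidation_crud_roles` on both statements of `allow_crud_from_consolidation` means S3 validates those cross-account role ARNs at PutBucketPolicy time, so the consolidation stack's roles must exist before this stack is applied; a comment on the principal recording that ordering (`# the consolidation roles must already exist; S3 rejects policies naming unknown principals`) and the `for_each` gate on `consolidation_acct_id` would stop the `"*"` workaround of the previous patch from being reintroduced. Dropping the `s3:DataAccessPointAccount` conditions is consistent now that the principals are explicit. The identical hunks (same `a93af912..03c5bdc2` index) appear again later on this page as patch 18, which suggests the series re-applies this change; the note applies there as well.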
@@ -48,12 +43,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Resource = [ "${each.value.arn}/*" - ], - Condition = { - StringEquals = { - "s3:DataAccessPointAccount" = var.consolidation_acct_id - } - } + ] }, ] }) From c38f5e76281413ba77cfc6f2c533ef66085744e5 Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 2 Dec 2025 14:23:00 -0500 Subject: [PATCH 13/25] some more cleanup --- daac/policy.tf | 271 ---------------------------------------------- daac/variables.tf | 7 +- 2 files changed, 1 insertion(+), 277 deletions(-) delete mode 100644 daac/policy.tf diff --git a/daac/policy.tf b/daac/policy.tf deleted file mode 100644 index c243bb82..00000000 --- a/daac/policy.tf +++ /dev/null 
@@ -1,271 +0,0 @@ -resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "public_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.public-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.protected-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.workflow-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} \ No newline at end of file diff --git a/daac/variables.tf b/daac/variables.tf index eefb1efa..a069876d 100644 --- a/daac/variables.tf +++ b/daac/variables.tf 
@@ -84,9 +84,4 @@ variable "consolidation_maturity" { type = string description = "maturity of relevant consolidation stack" default = null -} -variable legacy_account_id_bucket_mapping { - type = map(list(string)) - description = "mapping of legacy daac account Ids to buckets in format {: [, ...]}" - default = null -} +} \ No newline at end of file From 7f2ebf0dd71fa18c0c293d37e766710ed7e3ebd7 Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 2 Dec 2025 14:23:36 -0500 Subject: [PATCH 14/25] remove policy --- daac/policy.tf | 271 ------------------------------------------------- 1 file changed, 271 deletions(-) delete mode 100644 daac/policy.tf diff --git a/daac/policy.tf b/daac/policy.tf deleted file mode 100644 index c243bb82..00000000 --- a/daac/policy.tf +++ /dev/null 
@@ -1,271 +0,0 @@ -resource "aws_s3_bucket_policy" "standard_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? aws_s3_bucket.standard-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "public_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.public-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "protected_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.protected-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} - -resource "aws_s3_bucket_policy" "workflow_bucket_cross_acoount_access" { - for_each = var.consolidation_acct_id != null ? 
aws_s3_bucket.workflow-bucket : {} - bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountReadAccessEcs" - Effect = "allow" - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - } - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Resource = [ - "${each.value.arn}", - "${each.value.arn}/*" - ] - }, - { - Sid = "CrossAccountWriteAccessEcs", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - { - Sid = "CrossAccountWriteAccessLambda", - Effect = "Allow", - Principal = { - AWS = "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing" - }, - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ], - Resource = "${each.value.arn}/*" - }, - ] - }) -} \ No newline at end of file From c186cb513a63e06039fd306f37e557e42be7ce20 Mon Sep 17 00:00:00 2001 From: etcart Date: Wed, 3 Dec 2025 13:47:25 -0500 Subject: [PATCH 15/25] pretty sure this will work --- daac/distribution_bucket_policy.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 6fb7c013..e65cf2b5 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf @@ -31,6 +31,23 @@ data "aws_iam_policy_document" "distribution_bucket_policy_document" { ] } } + statement { + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket" + ] + + resources = [ + "arn:aws:s3:::${local.prefix}-${each.key}", + "arn:aws:s3:::${local.prefix}-${each.key}/*" + ] + principals { + type = "AWS" + identifiers = local.consolidation_crud_roles + } + } } resource "aws_s3_bucket_policy" "distribution_bucket_policy" { From ca597c9001366c5b2411aa1423c80d5b7b86c581 Mon Sep 17 00:00:00 2001 From: etcart Date: Wed, 3 Dec 2025 17:05:54 -0500 Subject: [PATCH 16/25] parsing oai's polciy on top of consolidation policy --- daac/distribution_bucket_policy.tf | 58 ++++++++++++++---------------- 1 file changed, 26 insertions(+), 32 deletions(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 6fb7c013..636b4a87 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf 
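Review bot: The new `principals` block uses `identifiers = local.consolidation_crud_roles` unconditionally, but that local holds two `null` elements whenever `var.consolidation_acct_id` is null, so a deployment without a consolidation account produces a policy document with null principals and fails at plan time; unlike the bucket policies in this series, this data source has no `for_each` gate on the account ID. The enclosing `aws_iam_policy_document` starts outside the hunk. Wrapping the statement in a `dynamic "statement"` that is emitted only when the account is configured keeps the document valid in both cases (the next patch replaces this data source entirely, so the same gate is needed there).

```hcl
  # … unchanged: existing OAI statements …
  dynamic "statement" {
    # only grant the consolidation roles when a consolidation account is configured;
    # local.consolidation_crud_roles holds nulls otherwise
    for_each = var.consolidation_acct_id != null ? [1] : []
    content {
      effect  = "Allow"
      actions = [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket"
      ]
      resources = [
        "arn:aws:s3:::${local.prefix}-${each.key}",
        "arn:aws:s3:::${local.prefix}-${each.key}/*"
      ]
      principals {
        type        = "AWS"
        identifiers = local.consolidation_crud_roles
      }
    }
  }
```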
@@ -4,38 +4,32 @@ data "aws_cloudfront_origin_access_identity" "distribution_cloudfront_oai" { id = each.key } -data "aws_iam_policy_document" "distribution_bucket_policy_document" { - for_each = local.distribution_bucket_oais - - statement { - actions = ["s3:GetObject"] - resources = ["arn:aws:s3:::${local.prefix}-${each.key}/*"] - - principals { - type = "AWS" - identifiers = [ - data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn - ] - } - } - - # Need ListBucket permissions so that missing keys will return 404 errors instead of 403 - statement { - actions = ["s3:ListBucket"] - resources = ["arn:aws:s3:::${local.prefix}-${each.key}"] - - principals { - type = "AWS" - identifiers = [ - data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn - ] - } - } -} - resource "aws_s3_bucket_policy" "distribution_bucket_policy" { for_each = local.distribution_bucket_oais - - bucket = "${local.prefix}-${each.key}" - policy = try(data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, null) + bucket = each.key + policy = jsonencode({ + Version = "2012-10-17", + Statement = concat(jsondecode(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy).Statement, [ + { + Sid = "${each.key}-DistributionPolicyGet" + Effect = "Allow" + Action = ["s3:GetObject"] + Resource = ["arn:aws:s3:::${each.key}/*"] + + Principal = { + AWS = data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn + } + }, + { + Sid = "${each.key}-DistributionPolicyList" + Effect = "Allow" + Action = ["s3:ListBucket"] + Resource = ["arn:aws:s3:::${each.key}"] + + Principal = { + AWS = data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn + } + } + ]) + }) } From b52f3a3f281775263ab47803ca8d426ce0cc4389 Mon Sep 17 00:00:00 2001 
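Review bot: `distribution_bucket_policy` now reads `aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy` and concatenates its statements, which means two `aws_s3_bucket_policy` resources manage the same bucket's single policy: whichever applies last wins, and the other shows a perpetual diff on the next plan. The cleaner shape is one policy resource per bucket — either exclude the distribution buckets from `allow_crud_from_consolidation`'s `for_each` and build the combined statement list here from `local.consolidation_crud_roles`, or assemble all statements in a local consumed by a single resource. The bucket reference also changes from `"${local.prefix}-${each.key}"` to `each.key` (both in `bucket` and in the `Resource` ARNs); unless `local.distribution_bucket_oais` was re-keyed elsewhere, which this page does not show, this targets a different bucket name than before. The removed data source carried the rationale for the ListBucket grant; keep it, e.g. `# ListBucket is granted so that missing keys return 404 instead of 403`, above the `DistributionPolicyList` statement.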
From: etcart Date: Thu, 4 Dec 2025 12:36:02 -0500 Subject: [PATCH 17/25] try for no account ID --- daac/distribution_bucket_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 636b4a87..095abda7 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf @@ -9,7 +9,7 @@ resource "aws_s3_bucket_policy" "distribution_bucket_policy" { bucket = each.key policy = jsonencode({ Version = "2012-10-17", - Statement = concat(jsondecode(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy).Statement, [ + Statement = concat(try(jsondecode(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy).Statement, []), [ { Sid = "${each.key}-DistributionPolicyGet" Effect = "Allow" From 45f5458ff0bad71f8916b0ebc980023295b5e55e Mon Sep 17 00:00:00 2001 From: etcart Date: Thu, 4 Dec 2025 12:45:17 -0500 Subject: [PATCH 18/25] over to non-ap --- daac/consolidation_access_resources.tf | 50 -------------------------- daac/legacy_access_resources.tf | 18 +++------- daac/variables.tf | 7 +--- 3 files changed, 5 insertions(+), 70 deletions(-) delete mode 100644 daac/consolidation_access_resources.tf diff --git a/daac/consolidation_access_resources.tf b/daac/consolidation_access_resources.tf deleted file mode 100644 index 73459d62..00000000 --- a/daac/consolidation_access_resources.tf +++ /dev/null 
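Review bot: `try(jsondecode(...).Statement, [])` silently swallows every error in that expression, not only the missing-key case it is meant for, so a malformed or unexpectedly shaped policy on the other resource would quietly yield a distribution policy without the consolidation statements. Testing the actual condition keeps the failure mode explicit: `Statement = concat(contains(keys(aws_s3_bucket_policy.allow_crud_from_consolidation), each.key) ? jsondecode(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy).Statement : [], [`. The resource body continues outside the hunk.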
@@ -1,50 +0,0 @@ -resource "aws_s3_access_point" "legacy_bucket_access" { - for_each = var.legacy_account_id_bucket_mapping != null ? merge(flatten([ - for account_id, buckets in var.legacy_account_id_bucket_mapping : { - for bucket in buckets : bucket => account_id - } - ] - )...) : {} - bucket = each.key - name = "${each.key}-access-point" - bucket_account_id = each.value -} - -resource "aws_s3control_access_point_policy" "legacy_ap_policy" { - for_each = aws_s3_access_point.legacy_bucket_access - access_point_arn = each.value.arn - policy = jsonencode({ - Version = "2008-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket" - ] - Principal = { - AWS = data.aws_caller_identity.current.account_id - } - Resource = [ - "${each.value.arn}/object/*", - "${each.value.arn}" - ] - }, - { - Effect = "Allow" - Action = [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject" - ] - Principal = { - AWS = data.aws_caller_identity.current.account_id - } - Resource = [ - "${each.value.arn}/object/*" - ] - } - ] - }) -} \ No newline at end of file diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf index a93af912..03c5bdc2 100644 --- a/daac/legacy_access_resources.tf +++ b/daac/legacy_access_resources.tf @@ -14,7 +14,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Sid = "${each.key}-CrossAccountReadAccess", Effect = "Allow" Principal = { - AWS = "*" + AWS = local.consolidation_crud_roles }, Action = [ @@ -26,18 +26,13 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Resource = [ "${each.value.arn}", "${each.value.arn}/*" - ], - Condition = { - StringEquals = { - "s3:DataAccessPointAccount" = var.consolidation_acct_id - } - } + ] }, { Sid = "${each.key}-CrossAccountWriteAccess", Effect = "Allow" Principal = { - AWS = "*" + AWS = local.consolidation_crud_roles }, Action = [ 
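Review bot: Replacing `AWS = "*"` plus the `s3:DataAccessPointAccount` condition with `AWS = local.consolidation_crud_roles` is a tightening, but the local is not defined in any hunk on this page, so confirm it exists in locals.tf and document what it holds; the same substitution is made in the `-26,18` hunk here and the condition is likewise dropped in the `-48,12` hunk of the next patch line, so this note covers those too. Two caveats worth a comment next to the principal: S3 validates IAM role ARNs named in a bucket policy at PutBucketPolicy time, so every role in the list must already exist in the consolidation account or the apply fails with a MalformedPolicy error, which creates an ordering dependency on the other account's stack; and if one of those roles is later deleted and recreated, the stored principal is pinned to the old unique ID and access silently breaks until the policy is re-applied. Suggested comment above the `Principal` block: `# Role ARNs must exist in the consolidation account before apply; S3 rejects unknown principals and pins deleted roles to their old unique ID.` The body of `allow_crud_from_consolidation` starts and ends outside these hunks.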
@@ -48,12 +43,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { Resource = [ "${each.value.arn}/*" - ], - Condition = { - StringEquals = { - "s3:DataAccessPointAccount" = var.consolidation_acct_id - } - } + ] }, ] }) diff --git a/daac/variables.tf b/daac/variables.tf index eefb1efa..a069876d 100644 --- a/daac/variables.tf +++ b/daac/variables.tf @@ -84,9 +84,4 @@ variable "consolidation_maturity" { type = string description = "maturity of relevant consolidation stack" default = null -} -variable legacy_account_id_bucket_mapping { - type = map(list(string)) - description = "mapping of legacy daac account Ids to buckets in format {: [, ...]}" - default = null -} +} \ No newline at end of file From 533a0dce21ac9efe6b8ee513c1d35a57ace1979c Mon Sep 17 00:00:00 2001 From: etcart Date: Thu, 4 Dec 2025 12:49:03 -0500 Subject: [PATCH 19/25] linting --- daac/legacy_access_resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf index 03c5bdc2..a5c02671 100644 --- a/daac/legacy_access_resources.tf +++ b/daac/legacy_access_resources.tf @@ -24,7 +24,7 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { ], Resource = [ - "${each.value.arn}", + each.value.arn, "${each.value.arn}/*" ] }, From 9b20575ca012dab6c04f6884d19106705db4d0a2 Mon Sep 17 00:00:00 2001 From: etcart Date: Thu, 4 Dec 2025 12:50:27 -0500 Subject: [PATCH 20/25] newline --- daac/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/variables.tf b/daac/variables.tf index a069876d..06a35b0f 100644 --- a/daac/variables.tf +++ b/daac/variables.tf @@ -84,4 +84,4 @@ variable "consolidation_maturity" { type = string description = "maturity of relevant consolidation stack" default = null -} \ No newline at end of file +} From fda10bd98f29c690ac130752a5e997c43bb235a5 Mon Sep 17 00:00:00 2001 
From: etcart Date: Mon, 8 Dec 2025 15:08:55 -0500 Subject: [PATCH 21/25] better multi-policy joining --- daac/distribution_bucket_policy.tf | 62 ++++++++++++++++++------------ 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 095abda7..793e71ab 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf 
@@ -4,32 +4,44 @@ data "aws_cloudfront_origin_access_identity" "distribution_cloudfront_oai" { id = each.key } +data "aws_iam_policy_document" "distribution_bucket_policy_document" { + for_each = local.distribution_bucket_oais + + statement { + actions = ["s3:GetObject"] + resources = ["arn:aws:s3:::${local.prefix}-${each.key}/*"] + + principals { + type = "AWS" + identifiers = [ + data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn + ] + } + } + + # Need ListBucket permissions so that missing keys will return 404 errors instead of 403 + statement { + actions = ["s3:ListBucket"] + resources = ["arn:aws:s3:::${local.prefix}-${each.key}"] + + principals { + type = "AWS" + identifiers = [ + data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn + ] + } + } +} + +data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document" { + source_policy_documents = flatten([ + data.aws_iam_policy_document.distribution_bucket_policy_document.json, + try(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy.json, []) + ]) +} + resource "aws_s3_bucket_policy" "distribution_bucket_policy" { for_each = local.distribution_bucket_oais bucket = each.key - policy = jsonencode({ - Version = "2012-10-17", - Statement = concat(try(jsondecode(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy).Statement, []), [ - { - Sid = "${each.key}-DistributionPolicyGet" - Effect = "Allow" - Action = ["s3:GetObject"] - Resource = ["arn:aws:s3:::${each.key}/*"] - - Principal = { - AWS = data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn - } - }, - { - Sid = "${each.key}-DistributionPolicyList" - Effect = "Allow" - Action = ["s3:ListBucket"] - Resource = ["arn:aws:s3:::${each.key}"] - - Principal = { - AWS = data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn - } - } - ]) - }) + policy = 
aws_iam_policy_document.consolidated_distribution_bucket_policy_document } From aa2cf5ff35fa1c2f7ea0a11303880d1ff42e42bb Mon Sep 17 00:00:00 2001 From: etcart Date: Mon, 8 Dec 2025 17:15:56 -0500 Subject: [PATCH 22/25] mistaken reference --- daac/distribution_bucket_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 793e71ab..b5e2fcc3 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf @@ -43,5 +43,5 @@ data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document resource "aws_s3_bucket_policy" "distribution_bucket_policy" { for_each = local.distribution_bucket_oais bucket = each.key - policy = aws_iam_policy_document.consolidated_distribution_bucket_policy_document + policy = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document } From 921fe7556d72606d99aa22b70636a157da6903ef Mon Sep 17 00:00:00 2001 From: etcart Date: Tue, 9 Dec 2025 16:45:31 -0500 Subject: [PATCH 23/25] fixes --- daac/distribution_bucket_policy.tf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index b5e2fcc3..9c7d4994 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf 
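Review bot: `consolidated_distribution_bucket_policy_document` references `each.key` but declares no `for_each`, and it reads `distribution_bucket_policy_document.json` without an index even though that data source is a `for_each` map, so this block cannot evaluate as written. The second source entry, `aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy.json`, is also wrong in a way `try()` hides: `policy` is already a JSON string with no `.json` attribute, so the expression errors, `try()` substitutes `[]`, and every distribution bucket quietly loses its consolidation statements. The intended lines are `for_each = local.distribution_bucket_oais`, `data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json,` and `try(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy, [])`. The final `policy = aws_iam_policy_document.consolidated_distribution_bucket_policy_document` additionally assigns the data source object rather than its `.json` string and omits the `data.` prefix, which the following one-line patch only half corrects.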
@@ -34,14 +34,15 @@ data "aws_iam_policy_document" "distribution_bucket_policy_document" { } data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document" { + for_each = local.distribution_bucket_oais source_policy_documents = flatten([ - data.aws_iam_policy_document.distribution_bucket_policy_document.json, - try(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy.json, []) + data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, + try(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy, []) ]) } resource "aws_s3_bucket_policy" "distribution_bucket_policy" { - for_each = local.distribution_bucket_oais + for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document bucket = each.key - policy = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document + policy = each.value.json } From dc035b6b8b7333f7d407f4de11efb3d7bc377c91 Mon Sep 17 00:00:00 2001 From: etcart Date: Wed, 10 Dec 2025 12:14:09 -0500 Subject: [PATCH 24/25] finally figured out a syntax error --- daac/distribution_bucket_policy.tf | 6 +++--- daac/legacy_access_resources.tf | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 9c7d4994..70058d2c 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf @@ -41,8 +41,8 @@ data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document ]) } -resource "aws_s3_bucket_policy" "distribution_bucket_policy" { - for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document - bucket = each.key +resource "aws_s3_bucket_policy" "consolidated_distribution_bucket_policy_document" { + for_each = data.aws_iam_policy_document.distribution_bucket_policy_document + bucket = "${local.prefix}-${each.key}" policy = each.value.json } 
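Review bot: In the `-41,8 +41,8` hunk the resource's `for_each` is switched to `data.aws_iam_policy_document.distribution_bucket_policy_document`, which is the OAI-only document, so `each.value.json` never contains the merged consolidation statements and `consolidated_distribution_bucket_policy_document` is computed but applied nowhere; the cross-account roles lose access to the distribution buckets without any error. The `for_each` should stay on the consolidated document, `for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document`, and the resource name `consolidated_distribution_bucket_policy_document` is misleading for a bucket policy resource. The preceding `-34,14` hunk in this same line has the opposite mismatch: `bucket = each.key` while the source document's ARNs use `"${local.prefix}-${each.key}"`, so the policy would name a bucket other than the one it is attached to and S3 rejects it.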
diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf index a5c02671..2df8a3bc 100644 --- a/daac/legacy_access_resources.tf +++ b/daac/legacy_access_resources.tf @@ -7,7 +7,6 @@ resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" { ) : {} bucket = each.key policy = jsonencode({ - Version = "2012-10-17", Statement = [ { From 65ee588ff66a28316b841984ab7e8efd88770960 Mon Sep 17 00:00:00 2001 From: etcart Date: Wed, 10 Dec 2025 12:25:08 -0500 Subject: [PATCH 25/25] corrected key fo rbucket policy --- daac/distribution_bucket_policy.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf index 70058d2c..8819b64f 100644 --- a/daac/distribution_bucket_policy.tf +++ b/daac/distribution_bucket_policy.tf @@ -37,12 +37,12 @@ data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document for_each = local.distribution_bucket_oais source_policy_documents = flatten([ data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, - try(aws_s3_bucket_policy.allow_crud_from_consolidation[each.key].policy, []) + try(aws_s3_bucket_policy.allow_crud_from_consolidation["${local.prefix}-${each.key}"].policy, []) ]) } -resource "aws_s3_bucket_policy" "consolidated_distribution_bucket_policy_document" { - for_each = data.aws_iam_policy_document.distribution_bucket_policy_document +resource "aws_s3_bucket_policy" "consolidated_distribution_bucket_policy" { + for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document bucket = "${local.prefix}-${each.key}" policy = each.value.json }
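Review bot: Dropping `Version = "2012-10-17",` from the `allow_crud_from_consolidation` policy is not a syntax fix — that attribute line is valid HCL — and it changes semantics: a policy without a `Version` element is evaluated under the 2008-10-17 default, which, among other differences, does not support policy variables. This resource is still applied directly to the bucket as its own `aws_s3_bucket_policy`, so the downgraded version reaches S3 as-is; only the copy merged through `aws_iam_policy_document` in the patch 25 hunk gets that data source's own version. Restore the line as `Version = "2012-10-17",` and, if a parse error was genuinely present, look for it elsewhere in the `jsonencode({ ... })` body, which starts and ends outside this hunk.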