asfadmin · etcart · Dec 10, 2025 · Nov 23, 2025 · Nov 24, 2025 · Nov 24, 2025
diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf
@@ -33,9 +33,16 @@ data "aws_iam_policy_document" "distribution_bucket_policy_document" {
   }
 }
 
-resource "aws_s3_bucket_policy" "distribution_bucket_policy" {
+data "aws_iam_policy_document" "consolidated_distribution_bucket_policy_document" {
   for_each = local.distribution_bucket_oais
+  source_policy_documents = flatten([
+    data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json,
+    try(aws_s3_bucket_policy.allow_crud_from_consolidation["${local.prefix}-${each.key}"].policy, [])
+  ])
+}
 
+resource "aws_s3_bucket_policy" "consolidated_distribution_bucket_policy" {
+  for_each = data.aws_iam_policy_document.consolidated_distribution_bucket_policy_document
   bucket = "${local.prefix}-${each.key}"
-  policy = try(data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, null)
+  policy = each.value.json
 }
diff --git a/daac/legacy_access_resources.tf b/daac/legacy_access_resources.tf
@@ -0,0 +1,49 @@
+resource "aws_s3_bucket_policy" "allow_crud_from_consolidation" {
+  for_each = var.consolidation_acct_id != null ? merge(
+    aws_s3_bucket.public-bucket,
+    aws_s3_bucket.standard-bucket,
+    aws_s3_bucket.protected-bucket,
+    aws_s3_bucket.workflow-bucket
+  ) : {}
+  bucket = each.key
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "${each.key}-CrossAccountReadAccess",
+        Effect =  "Allow"
+        Principal = {
+          AWS = local.consolidation_crud_roles
+        },
+
+        Action = [
+          "s3:GetObject",
+          "s3:GetObjectVersion",
+          "s3:ListBucket"
+        ],
+
+        Resource = [
+          each.value.arn,
+          "${each.value.arn}/*"
+        ]
+      },
+      {
+        Sid = "${each.key}-CrossAccountWriteAccess",
+        Effect =  "Allow"
+        Principal = {
+          AWS = local.consolidation_crud_roles
+        },
+
+        Action = [
+          "s3:PutObject",
+          "s3:PutObjectAcl",
+          "s3:DeleteObject"
+        ],
+
+        Resource = [
+          "${each.value.arn}/*"
+        ]
+      },
+    ]
+  })
+}
diff --git a/daac/locals.tf b/daac/locals.tf
@@ -1,6 +1,6 @@
 locals {
   prefix = "${var.DEPLOY_NAME}-cumulus-${var.MATURITY}"
-
+  consolidation_maturity = var.consolidation_maturity != null ? var.consolidation_maturity: var.MATURITY
   default_tags = {
     Deployment = local.prefix
   }
@@ -69,4 +69,9 @@ locals {
     local.internal_bucket_map,
     local.partner_bucket_map,
   )
+  # consolidation crud acct roles
+  consolidation_crud_roles = [
+    var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}_ecs_cluster_instance_role",
+    var.consolidation_acct_id == null ? null : "arn:aws:iam::${var.consolidation_acct_id}:role/${var.consolidation_deploy_name}-cumulus-${local.consolidation_maturity}-lambda-processing"
+  ]
 }
diff --git a/daac/variables.tf b/daac/variables.tf
@@ -67,3 +67,21 @@ variable "s3_replicator_target_prefix" {
   default     = null
   description = "Prefix that the S3 replicator will write logs to in the target bucket."
 }
+
+variable "consolidation_acct_id" {
+  type = string
+  description = "account id of relevant cumulus consolidation stack"
+  default = null
+}
+
+variable "consolidation_deploy_name" {
+  type = string
+  description = "deploy_name of relevant consolidation stack"
+  default = "willow"
+}
+
+variable "consolidation_maturity" {
+  type = string
+  description = "maturity of relevant consolidation stack"
+  default = null
+}