Skip to content

Commit

Permalink
Stash of current WIP
Browse files Browse the repository at this point in the history
  • Loading branch information
consideRatio committed Apr 11, 2024
1 parent 62964d5 commit 04661e8
Showing 1 changed file with 12 additions and 7 deletions.
19 changes: 12 additions & 7 deletions terraform/aws/bucket-access.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,30 +5,35 @@ locals {
for role, role_value in hub_value : flatten([
[
for bucket in role_value.bucket_admin_access : {
// id can be simplified, it was set to not change anything
id = role == "user-sa" ? "${hub}.${bucket}" : "${hub}.${role}.${bucket}.admin"
bucket = bucket
// role should match the id set in irsa.tf
role = role == "user-sa" ? hub : "${hub}-${role}"
bucket = bucket
actions = ["s3:*"]
}
],
[
for bucket in role_value.bucket_readonly_access : {
id = "${hub}.${role}.${bucket}.readonly"
// role should match the id set in irsa.tf
role = role == "user-sa" ? hub : "${hub}-${role}"
bucket = bucket
// role should match the id set in irsa.tf
role = role == "user-sa" ? hub : "${hub}-${role}"
actions = [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectVersion",
]
}
]
],
])
]
])

// FIXME:
// we have a list of objects like { bucket: ..., role: ..., actions: ...}
// we want to create a map of buckets like { bucket-a: [all objects with bucket-a listed] }
// so, for each bucket, we want a list, where the list is hub_role_bucket but filtered
//
// if we get this, maybe we can provide multiple statements in the
// iam_policy_document and reference just that one.
}

// FIXME: there can only be one declared per bucket, so if we have multiple
Expand Down

0 comments on commit 04661e8

Please sign in to comment.