From 83faa5eb78def886d103de7471c283b7a5b429ed Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Thu, 11 Apr 2024 03:35:00 +0200
Subject: [PATCH] Stash of current WIP

---
 terraform/aws/bucket-access.tf | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/terraform/aws/bucket-access.tf b/terraform/aws/bucket-access.tf
index 5d2c5e5d16..55c1aad0ee 100644
--- a/terraform/aws/bucket-access.tf
+++ b/terraform/aws/bucket-access.tf
@@ -5,30 +5,35 @@ locals {
       for role, role_value in hub_value : flatten([
         [
           for bucket in role_value.bucket_admin_access : {
-            // id can be simplified, it was set to not change anything
-            id = role == "user-sa" ? "${hub}.${bucket}" : "${hub}.${role}.${bucket}.admin"
+            bucket = bucket
             // role should match the id set in irsa.tf
             role = role == "user-sa" ? hub : "${hub}-${role}"
-            bucket = bucket
             actions = ["s3:*"]
           }
         ],
         [
           for bucket in role_value.bucket_readonly_access : {
-            id = "${hub}.${role}.${bucket}.readonly"
-            // role should match the id set in irsa.tf
-            role = role == "user-sa" ? hub : "${hub}-${role}"
             bucket = bucket
+            // role should match the id set in irsa.tf
+            role = role == "user-sa" ? hub : "${hub}-${role}"
             actions = [
               "s3:ListBucket",
               "s3:GetObject",
               "s3:GetObjectVersion",
             ]
           }
-        ]
+        ],
       ])
     ]
   ])
+
+      // FIXME:
+      // we have a list of objects like { bucket: ..., role: ..., actions: ...}
+      // we want to create a map of buckets like { bucket-a: [all objects with bucket-a listed] }
+      // so, for each bucket, we want a list, where the list is hub_role_bucket but filtered
+      //
+      // if we get this, maybe we can provide multiple statements in the
+      // iam_policy_document and reference just that one.
 }
 
 // FIXME: there can only be one declared per bucket, so if we have multiple
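Review bot: The admin and readonly comprehensions now emit `{ bucket, role, actions }` objects with no `id`, but nothing in the hunk supplies a replacement unique key, and the trailing FIXME itself notes that only one policy can be declared per bucket, so two hubs or roles granting the same bucket will collide in whatever resource consumes this list (its `for_each` is outside the hunk, so I cannot confirm how it keys). Any consumer still reading `.id` breaks with this commit; the WIP message suggests that is known, but the plan should be reviewed before apply, because a silently replaced bucket policy drops one role's access, and merging the colliding statements by hand risks carrying the admin `s3:*` grant onto the readonly principal. The grouping the FIXME describes can be written directly in HCL, assuming the flattened list is the `hub_role_bucket` local the comment names (the new local's name below is a suggestion), after which one `aws_iam_policy_document` per bucket can emit one statement per role with exactly that role's actions. The enclosing `locals` block begins before the hunk.
```hcl
  // one entry per bucket, holding every { bucket, role, actions } grant that names it
  bucket_grants = {
    for bucket in distinct([for g in local.hub_role_bucket : g.bucket]) :
    bucket => [for g in local.hub_role_bucket : g if g.bucket == bucket]
  }
```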