From 88b7e8cd19d73d52ed53cc4acb7e26a44ab753f7 Mon Sep 17 00:00:00 2001
From: jakemulley <jakemulley@users.noreply.github.com>
Date: Tue, 2 May 2023 22:01:12 +0100
Subject: [PATCH] Create policy and output ARN for IRSA

---
 main.tf    | 79 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 outputs.tf |  3 +++
 2 files changed, 75 insertions(+), 7 deletions(-)

diff --git a/main.tf b/main.tf
index 79a80e4..fa629a5 100644
--- a/main.tf
+++ b/main.tf
@@ -21,6 +21,16 @@ data "template_file" "user_policy" {
 locals {
   bucket_name   = var.bucket_name == "" ? "cloud-platform-${random_id.id.hex}" : var.bucket_name
   s3_bucket_arn = "arn:aws:s3:::${aws_s3_bucket.bucket.id}"
+
+  default_tags = {
+    namespace              = var.namespace
+    business-unit          = var.business-unit
+    application            = var.application
+    is-production          = var.is-production
+    environment-name       = var.environment-name
+    owner                  = var.team_name
+    infrastructure-support = var.infrastructure-support
+  }
 }
 
 resource "aws_s3_bucket" "bucket" {
@@ -125,6 +135,17 @@ resource "aws_s3_bucket" "bucket" {
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+  count  = var.enable_allow_block_pub_access ? 1 : 0
+  bucket = aws_s3_bucket.bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# Legacy long-lived credentials
 resource "aws_iam_user" "user" {
   name = "s3-bucket-user-${random_id.id.hex}"
   path = "/system/s3-bucket-user/"
@@ -185,12 +206,56 @@ resource "aws_iam_user_policy" "policy" {
   user   = aws_iam_user.user.name
 }
 
-resource "aws_s3_bucket_public_access_block" "block_public_access" {
-  count  = var.enable_allow_block_pub_access ? 1 : 0
-  bucket = aws_s3_bucket.bucket.id
+# Short-lived credentials (IRSA)
+data "aws_iam_policy_document" "irsa" {
+  version = "2012-10-17"
+  statement {
+    sid    = "AllowBucketActions"
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:GetBucketPolicy",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListBucketVersions",
+    ]
+    resources = [local.s3_bucket_arn] # todo: fix
+  }
 
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+  statement {
+    sid    = "AllowObjectActions"
+    effect = "Allow"
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:DeleteObject",
+      "s3:DeleteObjectTagging",
+      "s3:DeleteObjectVersion",
+      "s3:DeleteObjectVersionTagging",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:GetObjectTagging",
+      "s3:GetObjectTorrent",
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionAcl",
+      "s3:GetObjectVersionTagging",
+      "s3:GetObjectVersionTorrent",
+      "s3:ListMultipartUploadParts",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:PutObjectTagging",
+      "s3:PutObjectVersionAcl",
+      "s3:PutObjectVersionTagging",
+      "s3:RestoreObject",
+    ]
+    resources = [
+      "${local.s3_bucket_arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "irsa" {
+  name   = "cloud-platform-s3-${random_id.id.hex}"
+  path   = "/cloud-platform/s3/"
+  policy = data.aws_iam_policy_document.irsa.json
+  tags   = local.default_tags
 }
diff --git a/outputs.tf b/outputs.tf
index 73bf2db..46e7f6f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -20,3 +20,6 @@ output "bucket_name" {
   value       = aws_s3_bucket.bucket.id
 }
 
+output "irsa_policy_arn" {
+  value = aws_iam_policy.irsa.arn
+}