✅ Checklist
[x] This PR has an informative and human-readable title.
[x] Changes are limited to a single goal - eschew scope creep!
[x] All relevant type-of-change labels have been added.
🗣 Description
This PR adds a bucket policy to permit read access for anyone accessing the bucket over the COOL VPN (through the SharedServices VPC).
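As an added illustration (not the PR's own Terraform), one way a read-only bucket policy scoped to traffic arriving through a single VPC can be expressed; the variable names and the choice of the aws:SourceVpc condition key are assumptions:

```hcl
# Illustrative only (not the PR's Terraform): read-only bucket policy scoped
# to requests that reach S3 through one VPC's gateway endpoint. The variable
# names and the use of aws:SourceVpc are assumptions.
variable "assessment_images_bucket" { type = string }
variable "sharedservices_vpc_id" { type = string }

data "aws_iam_policy_document" "vpn_read_only" {
  # Listing (bucket ARN) and reading objects (object ARN) are distinct S3
  # resources, so "list and get" needs two statements.
  statement {
    sid       = "AllowListFromSharedServicesVpc"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.assessment_images_bucket}"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # Requests from the public internet carry no aws:SourceVpc, so they
    # never match; only traffic routed via the VPC endpoint is allowed.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpc"
      values   = [var.sharedservices_vpc_id]
    }
  }
  statement {
    sid       = "AllowGetFromSharedServicesVpc"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.assessment_images_bucket}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpc"
      values   = [var.sharedservices_vpc_id]
    }
  }
  # No s3:PutObject is granted, so writes still need the full-access role.
}

resource "aws_s3_bucket_policy" "vpn_read_only" {
  bucket = var.assessment_images_bucket
  policy = data.aws_iam_policy_document.vpn_read_only.json
}
```

The expected behaviour matches the testing notes: list and get succeed from the VPN, put is refused, and no access is possible from outside the VPC.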
💠 Motivation and context
This is the last piece of https://github.com/cisagov/cool-system/issues/176 and will allow any COOL users to retrieve assessment images over the VPN.
🧪 Testing
First I confirmed that without assuming the AssessmentImagesBucketFullAccess role I could not access the bucket contents when on the VPN. Once the changes in https://github.com/cisagov/cool-sharedservices-networking/pull/47 were applied I was able to apply the Terraform here to add the bucket policy. I manually added the appropriate routes to the S3 service to my VPN configuration and connected. Once connected I was able to confirm the ability to list the bucket contents and get an object. I also confirmed that I could not put an object.