search

terraform-aws-modules / terraform-aws-datadog-forwarders

Terraform module to create resources on AWS to forward logs/metrics to Datadog 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/datadog-forwarders/aws
Apache License 2.0
56 stars 40 forks source link

S3 GetObject permission needs wildcard qualifier #39

Closed berniedurfee-renaissance closed 7 months ago

berniedurfee-renaissance commented 7 months ago

Shouldn't the GetObject permission be <bucket>/* rather than just <bucket>?

https://github.com/terraform-aws-modules/terraform-aws-datadog-forwarders/blob/3920c116373537a1168d93889a9deb864d856bf7/modules/log_forwarder/policy.tmpl#L41

berniedurfee-renaissance commented 7 months ago

Or is the expectation that the bucket ARN will contain the /* part? If so, maybe that should be clarified in the documentation? I assumed the bucket ARN was just the ARN to the bucket, not to the objects.

bryantbiggs commented 7 months ago

Or is the expectation that the bucket ARN will contain the /* part?

Correct - its up to users in terms of what level of access (via pathing/prefixing) they wish to provide permission on the forwarder

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.