Closed agnesgaroux closed 9 months ago
terraform plan output for staging
~ resource "aws_s3_bucket_policy" "workflow-stage-upload" {
id = "wellcomecollection-workflow-stage-upload"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Principal = {
~ AWS = "arn:aws:iam::404315009621:role/digitisation-developer" -> [
+ "arn:aws:iam::760097843905:root",
+ "arn:aws:iam::653428163053:root",
+ "arn:aws:iam::404315009621:root",
+ "arn:aws:iam::404315009621:role/digitisation-developer",
+ "arn:aws:iam::299497370133:root",
]
}
# (4 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
# (1 unchanged attribute hidden)
}
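Review bot: The new Principal list names the account root of 760097843905, 653428163053, 404315009621 and 299497370133, which hands control of who can reach the bucket to the IAM policies inside those accounts, so this repository can no longer show which principals actually have access; the prod plan for `workflow-upload` has the same shape and the same point applies. Because the plan hides the rest of the statement (`# (4 unchanged attributes hidden)`), please confirm the Action set is limited to what the digitisation workflow needs rather than a wildcard, and consider a Condition (for example on the principal's organisation or tags) to narrow what those accounts can do. The Terraform source is not in view here, but a comment next to each account ID naming the team or environment behind it, such as `# <team/environment> account — needed for cross-account upload`, would let a later reviewer tell whether a principal is still required. If the hidden actions allow object writes, check that the bucket's Object Ownership setting is bucket-owner-enforced, since objects written by principals from another account can otherwise end up owned by that account. The roles and policies in the other accounts that will use this grant are outside this change, so nothing in the plan verifies them.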
terraform plan output prod
~ resource "aws_s3_bucket_policy" "workflow-upload" {
id = "wellcomecollection-workflow-upload"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Principal = {
~ AWS = "arn:aws:iam::404315009621:role/digitisation-developer" -> [
+ "arn:aws:iam::760097843905:root",
+ "arn:aws:iam::653428163053:root",
+ "arn:aws:iam::404315009621:root",
+ "arn:aws:iam::404315009621:role/digitisation-developer",
+ "arn:aws:iam::299497370133:root",
]
}
# (4 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
# (1 unchanged attribute hidden)
}
This has just been applied successfully to both stage and prod.
TERRAFORM NOT APPLIED
What is this PR trying to achieve?
Allow other AWS accounts to grant access to these buckets, so that an IAM user in, say, the digitisation account can access them.
Who is this change for?
Digitisation staff, so that their AWS IAM user can access buckets across accounts. No need for multiple users and matching access keys