limit the fme permission but add unrestricted access in raw zone (#1963)

Tian-2017 · web-flow · commit da014b92865a · 2024-11-04T16:04:39.000Z
diff --git a/terraform/core/23-FME-iam.tf b/terraform/core/23-FME-iam.tf
@@ -115,9 +115,7 @@ data "aws_iam_policy_document" "fme_access_to_s3" {
       "s3:GetObjectVersion",
     ]
     resources = [
-      "${module.raw_zone.bucket_arn}/*",
-      "${module.refined_zone.bucket_arn}/*",
-      "${module.trusted_zone.bucket_arn}/*",
+      "${module.raw_zone.bucket_arn}/unrestricted/*",
       "${module.athena_storage.bucket_arn}/primary/*"
     ]
   }
@@ -128,8 +126,7 @@ data "aws_iam_policy_document" "fme_access_to_s3" {
       "s3:PutObject"
     ]
     resources = [
-      "${module.refined_zone.bucket_arn}/*",
-      "${module.trusted_zone.bucket_arn}/*",
+      "${module.raw_zone.bucket_arn}/unrestricted/*",
       "${module.athena_storage.bucket_arn}/primary/*"
     ]
   }
@@ -144,8 +141,6 @@ data "aws_iam_policy_document" "fme_access_to_s3" {
     resources = [
       module.athena_storage.kms_key_arn,
       module.raw_zone.kms_key_arn,
-      module.refined_zone.kms_key_arn,
-      module.trusted_zone.kms_key_arn
     ]
   }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -115,9 +115,7 @@ data "aws_iam_policy_document" "fme_access_to_s3" {`
`115`	`115`	`"s3:GetObjectVersion",`
`116`	`116`	`]`
`117`	`117`	`resources = [`
`118`		`- "${module.raw_zone.bucket_arn}/*",`
`119`		`- "${module.refined_zone.bucket_arn}/*",`
`120`		`- "${module.trusted_zone.bucket_arn}/*",`
	`118`	`+ "${module.raw_zone.bucket_arn}/unrestricted/*",`
`121`	`119`	`"${module.athena_storage.bucket_arn}/primary/*"`
`122`	`120`	`]`
`123`	`121`	`}`
`@@ -128,8 +126,7 @@ data "aws_iam_policy_document" "fme_access_to_s3" {`
`128`	`126`	`"s3:PutObject"`
`129`	`127`	`]`
`130`	`128`	`resources = [`
`131`		`- "${module.refined_zone.bucket_arn}/*",`
`132`		`- "${module.trusted_zone.bucket_arn}/*",`
	`129`	`+ "${module.raw_zone.bucket_arn}/unrestricted/*",`
`133`	`130`	`"${module.athena_storage.bucket_arn}/primary/*"`
`134`	`131`	`]`
`135`	`132`	`}`
`@@ -144,8 +141,6 @@ data "aws_iam_policy_document" "fme_access_to_s3" {`
`144`	`141`	`resources = [`
`145`	`142`	`module.athena_storage.kms_key_arn,`
`146`	`143`	`module.raw_zone.kms_key_arn,`
`147`		`- module.refined_zone.kms_key_arn,`
`148`		`- module.trusted_zone.kms_key_arn`
`149`	`144`	`]`
`150`	`145`	`}`
`151`		`-}`
	`146`	`+}`