diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index 2a752d11f..1f6df002e 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -67,3 +67,83 @@ resource "aws_iam_policy" "administrator_permission_restrictions" {
 Workspace = "core"
 }
 }
+
+resource "aws_iam_policy" "production_support" {
+ count = local.is_production ? 1 : 0
+ name = "ProductionSupport"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "AllowListBucketsForConsole",
+ Effect = "Allow",
+ Action = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ],
+ Resource = [
+ "arn:aws:s3:::*"
+ ]
+ },
+ {
+ Sid = "AllowListRootFoldersInProdStagingBulkStore",
+ Effect = "Allow",
+ Action = [
+ "s3:ListBucket"
+ ],
+ Resource = [
+ "arn:aws:s3:::prod-staging-bulk-store"
+ ]
+ Condition = {
+ StringEquals = {
+ "s3:delimiter" = "/"
+ }
+ StringEqualsIfExists = {
+ "s3:prefix" = ""
+ }
+ }
+ },
+ {
+ Sid = "AllowCreateRootFoldersOnlyInProdStagingBulkStore",
+ Effect = "Allow"
+ Action = "s3:PutObject"
+ Resource = "arn:aws:s3:::prod-staging-bulk-store/*"
+ Condition = {
+ StringLike = {
+ "s3:prefix" = "[^/]+/"
+ }
+ }
+ },
+ {
+ Sid = "ExplicitDenyObjectAccessInProdStagingBulkStore",
+ Effect = "Deny",
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:GetObjectAcl",
+ "s3:GetObjectTagging"
+ ],
+ Resource = [
+ "arn:aws:s3:::prod-staging-bulk-store/*"
+ ]
+ },
+ {
+ Sid = "AWSTransferFamilyManager",
+ Effect = "Allow",
+ Action = [
+ "transfer:CreateUser",
+ "transfer:Describe*",
+ "transfer:List*",
+ "transfer:TestIdentityProvider",
+ ],
+ Resource = [
+ "arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
+ ]
+ }
+ ]
+ })
+ tags = {
+ Name = "ProductionSupport"
+ Workspace = "core"
+ }
+}
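Review bot: The `StringLike` condition `"s3:prefix" = "[^/]+/"` in `AllowCreateRootFoldersOnlyInProdStagingBulkStore` cannot enforce what its Sid promises: IAM string operators only understand the `*` and `?` wildcards, so `[^/]+/` is compared literally, and `s3:prefix` is a request key of `s3:ListBucket`, not `s3:PutObject`, so a non-`IfExists` operator on an absent key evaluates to false. As written the statement most likely grants nothing (fail-safe, but the support role will not be able to create folders), while the tempting one-line "fix" of switching to `StringLikeIfExists` would instead allow `s3:PutObject` on every key under `prod-staging-bulk-store/*`. Neither condition keys nor resource-ARN wildcards appear able to express "exactly one path segment", so the root-folder-only requirement probably needs a different mechanism; at minimum, confirm the intended allow and deny outcomes with the IAM policy simulator before this is relied on. Until then a comment such as `# s3:prefix is not populated for PutObject; this condition does not restrict the key` would stop the next reader from assuming the restriction is in force.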