CCM-11586: refine logging bucket policies

masl2 · masl2 · commit 108dfc193430 · 2025-08-20T15:32:08.000+01:00
diff --git a/infrastructure/terraform/components/api/s3_bucket_logging.tf b/infrastructure/terraform/components/api/s3_bucket_logging.tf
@@ -44,5 +44,5 @@ resource "aws_s3_bucket_logging" "truststore" {
   bucket = aws_s3_bucket.truststore.id
 
   target_bucket = aws_s3_bucket.logging.bucket
-  target_prefix = "truststore/${aws_s3_bucket.truststore.bucket}/"
+  target_prefix = "${aws_s3_bucket.truststore.bucket}/"
 }
diff --git a/infrastructure/terraform/components/api/s3_bucket_policy_logging.tf b/infrastructure/terraform/components/api/s3_bucket_policy_logging.tf
@@ -25,4 +25,20 @@ data "aws_iam_policy_document" "logging" {
       ]
     }
   }
+
+  statement {
+      sid    = "s3-log-delivery"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["logging.s3.amazonaws.com"]
+      }
+
+      actions = ["s3:PutObject"]
+
+      resources = [
+        "${aws_s3_bucket.logging.arn}/*",
+      ]
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -44,5 +44,5 @@ resource "aws_s3_bucket_logging" "truststore" {`
`44`	`44`	`bucket = aws_s3_bucket.truststore.id`
`45`	`45`
`46`	`46`	`target_bucket = aws_s3_bucket.logging.bucket`
`47`		`- target_prefix = "truststore/${aws_s3_bucket.truststore.bucket}/"`
	`47`	`+ target_prefix = "${aws_s3_bucket.truststore.bucket}/"`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,4 +25,20 @@ data "aws_iam_policy_document" "logging" {`
`25`	`25`	`]`
`26`	`26`	`}`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+ statement {`
	`30`	`+ sid = "s3-log-delivery"`
	`31`	`+ effect = "Allow"`
	`32`	`+`
	`33`	`+ principals {`
	`34`	`+ type = "Service"`
	`35`	`+ identifiers = ["logging.s3.amazonaws.com"]`
	`36`	`+ }`
	`37`	`+`
	`38`	`+ actions = ["s3:PutObject"]`
	`39`	`+`
	`40`	`+ resources = [`
	`41`	`+ "${aws_s3_bucket.logging.arn}/*",`
	`42`	`+ ]`
	`43`	`+ }`
`28`	`44`	`}`