Fixing mojap-metadata-dev action and adding List Bucket policies (#4522)

* list perms for em * replacing old oasis arn
ministryofjustice · Jun 12, 2024 · 419039f · 419039f
1 parent 64223b2
commit 419039f
Showing 1 changed file with 42 additions and 3 deletions.
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
@@ -836,6 +836,17 @@ locals {
                 "arn:aws:s3:::mojap-land/bold/essex-police/*"
               ]
             },
+            {
+              Sid    = "ListBucketAccessElectronicMonitoringService"
+              Effect = "Allow"
+              Principal = {
+                AWS = "arn:aws:iam::976799291502:role/send_table_to_ap"
+              }
+              Action = "s3:ListBucket"
+              Resource = [
+                "arn:aws:s3:::mojap-land",
+              ]
+            },
             {
               Sid    = "WriteOnlyAccessElectronicMonitoringService"
               Effect = "Allow"
@@ -848,7 +859,6 @@ locals {
                 "s3:PutObjectAcl"
               ]
               Resource = [
-                "arn:aws:s3:::mojap-land",
                 "arn:aws:s3:::mojap-land/electronic_monitoring/load/*"
               ]
             }
@@ -1077,6 +1087,17 @@ locals {
                 "arn:aws:s3:::mojap-land-dev/bold/essex-police/*"
               ]
             },
+            {
+              Sid    = "ListBucketAccessElectronicMonitoringService"
+              Effect = "Allow"
+              Principal = {
+                AWS = "arn:aws:iam::800964199911:role/send_table_to_ap"
+              }
+              Action = "s3:ListBucket"
+              Resource = [
+                "arn:aws:s3:::mojap-land",
+              ]
+            },
             {
               Sid    = "WriteOnlyAccessElectronicMonitoringService"
               Effect = "Allow"
@@ -1699,7 +1720,7 @@ locals {
               Action = "s3:GetObject"
               Effect = "Allow"
               Principal = {
-                AWS = "AROASYCVJWSNFCCBEO2AN"
+                AWS = "arn:aws:iam::189157455002:role/oasys-lambda-copy-object-dev"
               }
               Resource = "arn:aws:s3:::mojap-metadata-dev/oasys/*"
               Sid      = "ReadOnlyAccess-mojap-metadata-dev-oasys"
@@ -1709,13 +1730,22 @@ locals {
               Effect = "Allow"
               Principal = {
                 AWS = [
-                  "AROASYCVJWSNFCCBEO2AN",
+                  "arn:aws:iam::189157455002:role/oasys-lambda-copy-object-dev",
                   "AROASYCVJWSNN3REJ3AFS",
                 ]
               }
               Resource = "arn:aws:s3:::mojap-metadata-dev"
               Sid      = "ListBucketAccess-mojap-metadata-dev"
             },
+            {
+              Action = "s3:ListBucket"
+              Effect = "Allow"
+              Principal = {
+                AWS = "arn:aws:iam::800964199911:role/send_metadata_to_ap"
+              }
+              Resource = "arn:aws:s3:::mojap-metadata-dev"
+              Sid      = "ListAccess-mojap-metadata-dev-electronic-monitoring"
+            },
             {
               Action = [
                 "s3:PutObject",
@@ -1902,6 +1932,15 @@ locals {
               Resource = "arn:aws:s3:::mojap-metadata-prod"
               Sid      = "ListBucketAccess-mojap-metadata-prod"
             },
+            {
+              Action = "s3:ListBucket"
+              Effect = "Allow"
+              Principal = {
+                AWS = "arn:aws:iam::976799291502:role/send_metadata_to_ap"
+              }
+              Resource = "arn:aws:s3:::mojap-metadata-prod"
+              Sid      = "ListAccess-mojap-metadata-prod-electronic-monitoring"
+            },
             {
               Action = [
                 "s3:PutObject",