add a policy change to allow data workspace users to get objects from…

… notebooks S3 bucket add a policy change to allow gitlab runner to put objects into notebooks S3 bucket
uktrade · Nov 12, 2024 · bda7983 · bda7983
1 parent 45b0ba2
commit bda7983
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/infra/ecs_main_gitlab.tf b/infra/ecs_main_gitlab.tf
@@ -955,6 +955,17 @@ data "aws_iam_policy_document" "gitlab_runner" {
       "${aws_ecr_repository.user_provided.arn}",
     ]
   }
+
+  # Allow put object for private packages
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectAcl"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.notebooks.id}/shared/*"
+    ]
+  }
 }
 
 resource "aws_iam_policy_attachment" "gitlab_runner" {

diff --git a/infra/s3_notebooks.tf b/infra/s3_notebooks.tf
@@ -57,4 +57,24 @@ data "aws_iam_policy_document" "notebooks" {
       ]
     }
   }
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    actions = [
+      "s3:GetObject",
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.notebooks.id}/shared/*",
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceVpce"
+      values = [
+        aws_vpc_endpoint.s3.id
+      ]
+    }
+  }
 }