Merge pull request #1795 from alphagov/sengi/timelock

Fix, clean up & update database backups bucket TF.

terraform/projects/infra-database-backups-bucket/.terraform-version

@@ -0,0 +1 @@
+1.6.2

terraform/projects/infra-database-backups-bucket/bucket_policy.tf

@@ -1,36 +1,19 @@
-/**
-* ## Project: database-backups-bucket
-*
-* Create a policy that allows listing and reading of the database-backups bucket.
-*
-*/
-
-resource "aws_s3_bucket_policy" "database_backups_cross_account_access" {
-  bucket = "${aws_s3_bucket.database_backups.id}"
-  policy = "${data.aws_iam_policy_document.database_backups_cross_account_access.json}"
+resource "aws_s3_bucket_policy" "cross_account_access" {
+  bucket = aws_s3_bucket.main.id
+  policy = data.aws_iam_policy_document.cross_account_access.json
 }
 
-data "aws_iam_policy_document" "database_backups_cross_account_access" {
+data "aws_iam_policy_document" "cross_account_access" {
   statement {
-    sid    = "CrossAccountPermissions"
-    effect = "Allow"
-
     principals {
       type = "AWS"
-
       identifiers = [
-        "arn:aws:iam::210287912431:root",
-        "arn:aws:iam::696911096973:root",
-        "arn:aws:iam::172025368201:root",
-        "arn:aws:iam::291968922021:root",
+        "210287912431", # integration
+        "696911096973", # staging
+        "172025368201", # production
       ]
     }
-
-    actions = ["s3:Get*", "s3:List*"]
-
-    resources = [
-      "arn:aws:s3:::${aws_s3_bucket.database_backups.id}",
-      "arn:aws:s3:::${aws_s3_bucket.database_backups.id}/*",
-    ]
+    actions   = ["s3:Get*", "s3:List*"]
+    resources = [aws_s3_bucket.main.arn, "${aws_s3_bucket.main.arn}/*"]
   }
 }