Skip to content

Commit

Permalink
Grant crates.io access to CDN logs
Browse files Browse the repository at this point in the history
We are working on using the logs from our CDNs to count crate downloads
on crates.io. Whenever a log archive is uploaded to the bucket, a
notification is sent to an SQS queue. crates.io then downloads the log,
parses it, and updates the download counts.

For this to work, crates.io needs access to the S3 bucket with the logs.
This change grants read-only access to individual log archives.

See #372 for details.
  • Loading branch information
jdno committed Jan 29, 2024
1 parent 8f23675 commit ee99ed6
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions terragrunt/modules/crates-io/iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,33 @@ resource "aws_iam_user_policy_attachment" "heroku_static_write" {
policy_arn = aws_iam_policy.static_write.arn
}

resource "aws_iam_policy" "cdn_logs_read" {
name = "${var.iam_prefix}--cdn-logs-read"
description = "Read access to the S3 bucket with CDN logs"

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "CDNLogsRead"
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:ListBucket",
]
Resource = [
"${aws_s3_bucket.logs.arn}/*",
]
}
]
})
}

resource "aws_iam_user_policy_attachment" "heroku_cdn_logs_read" {
user = aws_iam_user.heroku.name
policy_arn = aws_iam_policy.cdn_logs_read.arn
}

resource "aws_iam_role" "s3_replication" {
name = "${var.iam_prefix}--s3-replication"

Expand Down

0 comments on commit ee99ed6

Please sign in to comment.