From ee99ed62b5bcd4e659cbf26493ab9a31a3c9fd2d Mon Sep 17 00:00:00 2001
From: Jan David
Date: Wed, 17 Jan 2024 11:42:13 +0100
Subject: [PATCH] Grant crates.io access to CDN logs

We are working on using the logs from our CDNs to count crate downloads on crates.io. Whenever a log archive is uploaded to the bucket, a notification is sent to an SQS queue. crates.io then downloads the log, parses it, and updates the download counts. For this to work, crates.io needs access to the S3 bucket with the logs. This change grants read-only access to individual log archives. See https://github.com/rust-lang/simpleinfra/issues/372 for details.

---
 terragrunt/modules/crates-io/iam.tf | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/terragrunt/modules/crates-io/iam.tf b/terragrunt/modules/crates-io/iam.tf
index 60f4beede..3c7c207bd 100644
--- a/terragrunt/modules/crates-io/iam.tf
+++ b/terragrunt/modules/crates-io/iam.tf
@@ -70,6 +70,33 @@ resource "aws_iam_user_policy_attachment" "heroku_static_write" {
 policy_arn = aws_iam_policy.static_write.arn
 }
 
+resource "aws_iam_policy" "cdn_logs_read" {
+ name = "${var.iam_prefix}--cdn-logs-read"
+ description = "Read access to the S3 bucket with CDN logs"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "CDNLogsRead"
+ Effect = "Allow"
+ Action = [
+ "s3:GetObject",
+ "s3:ListBucket",
+ ]
+ Resource = [
+ "${aws_s3_bucket.logs.arn}/*",
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_user_policy_attachment" "heroku_cdn_logs_read" {
+ user = aws_iam_user.heroku.name
+ policy_arn = aws_iam_policy.cdn_logs_read.arn
+}
+
 resource "aws_iam_role" "s3_replication" {
 name = "${var.iam_prefix}--s3-replication"