fix: Add IAM policy for access to the exports bucket.

jamesiarmes · jamesiarmes · commit 97d7c939a61a · 2025-10-03T15:01:42.000-04:00
diff --git a/tofu/config/service/main.tf b/tofu/config/service/main.tf
@@ -35,6 +35,7 @@ module "system" {
   deletion_protection                = var.deletion_protection
   image_tag                          = local.image_tag
   image_tags_mutable                 = var.image_tags_mutable
+  log_level                          = var.log_level
 
   consumer_container_count = var.consumer_container_count
   consumer_cpu             = var.consumer_cpu
diff --git a/tofu/modules/ephemeral_service/docker.tf b/tofu/modules/ephemeral_service/docker.tf
@@ -11,8 +11,8 @@ resource "docker_image" "container" {
     ]
 
     auth_config {
-      host_name  = data.aws_ecr_authorization_token.token.proxy_endpoint
-      password = data.aws_ecr_authorization_token.token.password
+      host_name = data.aws_ecr_authorization_token.token.proxy_endpoint
+      password  = data.aws_ecr_authorization_token.token.password
       user_name = data.aws_ecr_authorization_token.token.user_name
     }
   }
diff --git a/tofu/modules/system/ecs.tf b/tofu/modules/system/ecs.tf
@@ -123,7 +123,7 @@ module "consumer" {
 
 module "exporter" {
   source     = "../ephemeral_service"
-  depends_on = [aws_iam_policy.queue, aws_iam_policy.secrets]
+  depends_on = [aws_iam_policy.exports, aws_iam_policy.secrets]
 
   project                = var.project
   environment            = var.environment
@@ -135,7 +135,7 @@ module "exporter" {
   logging_key_id         = var.logging_key_arn
   otel_ssm_parameter_arn = module.otel_config.ssm_parameter_arn
   execution_policies     = [aws_iam_policy.secrets.arn]
-  task_policies          = [aws_iam_policy.queue.arn]
+  task_policies          = [aws_iam_policy.exports.arn]
   dockerfile             = "Dockerfile.exporter"
   docker_context         = "${path.module}/../../../"
 
diff --git a/tofu/modules/system/iam.tf b/tofu/modules/system/iam.tf
@@ -1,3 +1,19 @@
+resource "aws_iam_policy" "exports" {
+  name_prefix = "${local.prefix}-exports-access-"
+  description = "Allow access to the S3 bucket for Senzing exports."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/exports-access-policy.yaml.tftpl", {
+    bucket_arn = module.s3.arn
+    kms_arn    = aws_kms_key.queue.arn
+  })))
+
+  tags = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
 resource "aws_iam_policy" "queue" {
   name_prefix = "${local.prefix}-queue-access-"
   description = "Allow access to the SQS queues for Senzing."
diff --git a/tofu/modules/system/templates/exports-access-policy.yaml.tftpl b/tofu/modules/system/templates/exports-access-policy.yaml.tftpl
@@ -0,0 +1,15 @@
+Version: '2012-10-17'
+Statement:
+  - Sid: KeyAccess
+    Effect: Allow
+    Action:
+      - kms:Decrypt
+      - kms:GenerateDataKey
+    Resource:
+      - "${kms_arn}"
+  - Sid: S3Access
+    Effect: Allow
+    Action:
+      - s3:PutObject
+    Resource:
+      - "${bucket_arn}:*"

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@ resource "docker_image" "container" {`
`11`	`11`	`]`
`12`	`12`
`13`	`13`	`auth_config {`
`14`		`- host_name = data.aws_ecr_authorization_token.token.proxy_endpoint`
`15`		`- password = data.aws_ecr_authorization_token.token.password`
	`14`	`+ host_name = data.aws_ecr_authorization_token.token.proxy_endpoint`
	`15`	`+ password = data.aws_ecr_authorization_token.token.password`
`16`	`16`	`user_name = data.aws_ecr_authorization_token.token.user_name`
`17`	`17`	`}`
`18`	`18`	`}`