fix: Add IAM policy for access to the exports bucket.

Author: jamesiarmes

tofu/modules/system/ecs.tf

@@ -123,7 +123,7 @@ module "consumer" {
 
 module "exporter" {
   source     = "../ephemeral_service"
-  depends_on = [aws_iam_policy.queue, aws_iam_policy.secrets]
+  depends_on = [aws_iam_policy.exports, aws_iam_policy.secrets]
 
   project                = var.project
   environment            = var.environment
@@ -135,7 +135,7 @@ module "exporter" {
   logging_key_id         = var.logging_key_arn
   otel_ssm_parameter_arn = module.otel_config.ssm_parameter_arn
   execution_policies     = [aws_iam_policy.secrets.arn]
-  task_policies          = [aws_iam_policy.queue.arn]
+  task_policies          = [aws_iam_policy.exports.arn]
   dockerfile             = "Dockerfile.exporter"
   docker_context         = "${path.module}/../../../"
 

tofu/modules/system/iam.tf

@@ -1,3 +1,19 @@
+resource "aws_iam_policy" "exports" {
+  name_prefix = "${local.prefix}-exports-access-"
+  description = "Allow access to the S3 bucket for Senzing exports."
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/exports-access-policy.yaml.tftpl", {
+    bucket_arn = module.s3.arn
+    kms_arn = aws_kms_key.queue.arn
+  })))
+
+  tags = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
 resource "aws_iam_policy" "queue" {
   name_prefix = "${local.prefix}-queue-access-"
   description = "Allow access to the SQS queues for Senzing."

tofu/modules/system/templates/exports-access-policy.yaml.tftpl

@@ -0,0 +1,15 @@
+Version: '2012-10-17'
+Statement:
+  - Sid: KeyAccess
+    Effect: Allow
+    Action:
+      - kms:Decrypt
+      - kms:GenerateDataKey
+    Resource:
+      - "${kms_arn}"
+  - Sid: S3Access
+    Effect: Allow
+    Action:
+      - s3:PutObject
+    Resource:
+      - "${bucket_arn}"