From 1019326ebc378648e51ee54cf1c5024ab7460b85 Mon Sep 17 00:00:00 2001
From: Thomas Sibley
Date: Mon, 16 Oct 2023 12:39:47 -0700
Subject: [PATCH] aws/iam: Allow server to read s3://nextstrain-inventories/resources.json.gz

Based on changes @jameshadfield made in the AWS Console, but stripped down to just the single object necessary by the current consuming code. (Cherry-picked from d6198a4f4c71b68917dc23e31a474a8e0f7d4a87 so I can temporarily deploy changes to testing for my branch without reverting the changes in this commit. I'd prefer to set up a separate branch-specific Terraform config/environment, but that's not a workable solution for this issue until IAM _users_ are also integrated into our Terraform config.)
---
 .../NextstrainDotOrgServerInstance-testing.tftpl.json | 10 ++++++++++
 .../policy/NextstrainDotOrgServerInstance.tftpl.json | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/aws/iam/policy/NextstrainDotOrgServerInstance-testing.tftpl.json b/aws/iam/policy/NextstrainDotOrgServerInstance-testing.tftpl.json
index b6f210543..c7efe204e 100644
--- a/aws/iam/policy/NextstrainDotOrgServerInstance-testing.tftpl.json
+++ b/aws/iam/policy/NextstrainDotOrgServerInstance-testing.tftpl.json
@@ -55,6 +55,16 @@
 "Resource": [
 "arn:aws:cognito-idp:us-east-1:827581582529:userpool/${COGNITO_USER_POOL_ID}"
 ]
+ },
+ {
+ "Sid": "GetResourcesIndex",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::nextstrain-inventories/resources.json.gz"
+ ]
 }
 ]
 }
diff --git a/aws/iam/policy/NextstrainDotOrgServerInstance.tftpl.json b/aws/iam/policy/NextstrainDotOrgServerInstance.tftpl.json
index 3d423d6b5..a3594d510 100644
--- a/aws/iam/policy/NextstrainDotOrgServerInstance.tftpl.json
+++ b/aws/iam/policy/NextstrainDotOrgServerInstance.tftpl.json
@@ -44,6 +44,16 @@
 "Resource": [
 "arn:aws:cognito-idp:us-east-1:827581582529:userpool/${COGNITO_USER_POOL_ID}"
 ]
+ },
+ {
+ "Sid": "GetResourcesIndex",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::nextstrain-inventories/resources.json.gz"
+ ]
 }
 ]
 }
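Review bot: The new `GetResourcesIndex` statement, identical in the testing and production policies, grants `s3:GetObject` on the single key and, as far as these hunks show, no `s3:ListBucket` on `nextstrain-inventories`, so S3 will answer a missing `resources.json.gz` with 403 AccessDenied rather than 404. The consuming server code, which is not part of this patch, should therefore treat AccessDenied on this fetch as "index missing or permission broken" and log it distinctly instead of expecting NoSuchKey. I would keep the grant this narrow rather than add list access; if the bucket uses SSE-KMS with a customer-managed key (not visible here), the role also needs `kms:Decrypt` on that key or the read fails the same way. The statements array starts above both hunks, so earlier statements may already cover part of this.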