From 61716c412ea7cfdcd7261aeb53abcb1c5f52371c Mon Sep 17 00:00:00 2001
From: Rio Knightley <128376976+RioKnightleyNHS@users.noreply.github.com>
Date: Tue, 10 Sep 2024 12:16:57 +0100
Subject: [PATCH] PRMDR 786 - Fix cloudfront lambda exec conflict

---
 infrastructure/modules/lambda_edge/main.tf | 5 ++---
 infrastructure/modules/s3/README.md | 2 +-
 infrastructure/modules/s3/main.tf | 4 ----
 infrastructure/modules/s3/output.tf | 3 ---
 4 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/infrastructure/modules/lambda_edge/main.tf b/infrastructure/modules/lambda_edge/main.tf
index ab257722..fa920d74 100644
--- a/infrastructure/modules/lambda_edge/main.tf
+++ b/infrastructure/modules/lambda_edge/main.tf
@@ -32,9 +32,8 @@ data "archive_file" "lambda" {
 output_path = "placeholder_lambda_payload.zip"
 }
 
-# Define the IAM role for the Lambda function with the combined assume role policy
 resource "aws_iam_role" "lambda_exec_role" {
- name = "lambda_edge_exec_role"
+ name = "${terraform.workspace}_lambda_edge_exec_role"
 assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
@@ -79,7 +78,7 @@ data "aws_iam_policy_document" "lambda_policy" {
 
 resource "aws_iam_role_policy" "lambda_exec_policy" {
- name = "lambda_edge_exec_policy"
+ name = "${terraform.workspace}_lambda_edge_exec_policy"
 role = aws_iam_role.lambda_exec_role.id
 policy = data.aws_iam_policy_document.lambda_policy.json
 }
diff --git a/infrastructure/modules/s3/README.md b/infrastructure/modules/s3/README.md
index 74bd6311..c635f744 100644
--- a/infrastructure/modules/s3/README.md
+++ b/infrastructure/modules/s3/README.md
@@ -50,4 +50,4 @@ No modules.
 | [bucket\_domain\_name](#output\_bucket\_domain\_name) | n/a |
 | [bucket\_id](#output\_bucket\_id) | n/a |
 | [s3\_list\_object\_policy](#output\_s3\_list\_object\_policy) | n/a |
-| [s3\_object\_access\_policy](#output\_s3\_object\_access\_policy) | Outputs |
+| [s3\_object\_access\_policy](#output\_s3\_object\_access\_policy) | n/a |
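Review bot: The new `name` on `aws_iam_role.lambda_exec_role` forces replacement of the role (IAM role names are immutable) and the inline policy in the second hunk of this file is replaced along with it; without `lifecycle { create_before_destroy = true }` on the role, the apply destroys the existing role before the replacement exists, so a Lambda@Edge function still pointing at the old role ARN may fail to execute during that window — the new name already differs from the old, so create-before-destroy would work here. The prefix also ties the role name to the workspace string: IAM role names are limited to 64 characters and to `[\w+=,.@-]`, so a long or oddly named workspace fails at apply time rather than at plan, and two environments both deployed from the `default` workspace would still collide. A comment on the `name` line would carry that intent, e.g. `# Workspace-prefixed: IAM role names are unique per account, so parallel workspaces must not share one (64-char limit applies).` Note that an `aws_iam_role_policy` name is scoped to its role, so the prefix in the second hunk is harmless but not needed for uniqueness. The removed comment was the only place explaining that `assume_role` is a combined trust document; consider keeping a one-line comment to that effect on the resource.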
diff --git a/infrastructure/modules/s3/main.tf b/infrastructure/modules/s3/main.tf
index bfd53a40..52345891 100644
--- a/infrastructure/modules/s3/main.tf
+++ b/infrastructure/modules/s3/main.tf
@@ -37,7 +37,6 @@ data "aws_iam_policy_document" "s3_defaut_policy" {
 }
 
 data "aws_iam_policy_document" "s3_cloudfront_policy" {
- # Deny any requests that are not using HTTPS
 statement {
 effect = "Deny"
 
@@ -61,7 +60,6 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
 }
 }
 
- # Allow CloudFront to access the S3 bucket
 statement {
 effect = "Allow"
 
@@ -78,7 +76,6 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
 "${aws_s3_bucket.bucket.arn}/*",
 ]
 
- # Ensure the request is coming from the correct CloudFront distribution
 condition {
 test = "StringEquals"
 variable = "AWS:SourceArn"
@@ -98,7 +95,6 @@ resource "aws_s3_bucket_acl" "bucket_acl" {
 depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 }
 
-# Resource to avoid error "AccessControlListNotSupported: The bucket does not allow ACLs"
 resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
 bucket = aws_s3_bucket.bucket.id
 rule {
diff --git a/infrastructure/modules/s3/output.tf b/infrastructure/modules/s3/output.tf
index 19ed4f1d..ff1a354e 100644
--- a/infrastructure/modules/s3/output.tf
+++ b/infrastructure/modules/s3/output.tf
@@ -1,6 +1,3 @@
-
-
-# Outputs
 output "s3_object_access_policy" {
 value = aws_iam_policy.s3_document_data_policy.arn
 }