From 61716c412ea7cfdcd7261aeb53abcb1c5f52371c Mon Sep 17 00:00:00 2001
From: Rio Knightley <128376976+RioKnightleyNHS@users.noreply.github.com>
Date: Tue, 10 Sep 2024 12:16:57 +0100
Subject: [PATCH] PRMDR 786 - Fix cloudfront lambda exec conflict
---
infrastructure/modules/lambda_edge/main.tf | 5 ++---
infrastructure/modules/s3/README.md | 2 +-
infrastructure/modules/s3/main.tf | 4 ----
infrastructure/modules/s3/output.tf | 3 ---
4 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/infrastructure/modules/lambda_edge/main.tf b/infrastructure/modules/lambda_edge/main.tf
index ab257722..fa920d74 100644
--- a/infrastructure/modules/lambda_edge/main.tf
+++ b/infrastructure/modules/lambda_edge/main.tf
@@ -32,9 +32,8 @@ data "archive_file" "lambda" {
output_path = "placeholder_lambda_payload.zip"
}
-# Define the IAM role for the Lambda function with the combined assume role policy
resource "aws_iam_role" "lambda_exec_role" {
- name = "lambda_edge_exec_role"
+ name = "${terraform.workspace}_lambda_edge_exec_role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
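Review bot: Changing `name` on `aws_iam_role.lambda_exec_role` forces replacement, and without a `create_before_destroy` lifecycle Terraform deletes `lambda_edge_exec_role` before the workspace-prefixed role exists, so any Lambda@Edge function still bound to the old role ARN is left without a usable execution role until the apply completes; the inline policy in the second hunk is replaced in the same window since its `role` follows the new role id. Adding `lifecycle { create_before_destroy = true }` to the role resource makes the new role exist and be attached before the old one is removed. It is also worth confirming that every workspace name keeps `${terraform.workspace}_lambda_edge_exec_role` within IAM's 64-character role-name limit and allowed character set, and that `default_lambda_edge_exec_role` is the intended name for the default workspace. The lambda function resource that consumes this role is outside the hunk, so I cannot see how it references the role.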
@@ -79,7 +78,7 @@ data "aws_iam_policy_document" "lambda_policy" {
resource "aws_iam_role_policy" "lambda_exec_policy" {
- name = "lambda_edge_exec_policy"
+ name = "${terraform.workspace}_lambda_edge_exec_policy"
role = aws_iam_role.lambda_exec_role.id
policy = data.aws_iam_policy_document.lambda_policy.json
}
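Review bot: The workspace prefix on the inline policy name is not needed for uniqueness, because `aws_iam_role_policy` names are scoped to the role they attach to and that role is now itself per-workspace, so `name = "lambda_edge_exec_policy"` would have been sufficient. The prefix is harmless, but it reads as if this resource could collide across workspaces, which it cannot. If the intent is simply consistent naming with the role, a one-line comment such as `# Prefixed for naming consistency with the role; inline policy names are per-role` would stop a future reader from treating the prefix as load-bearing.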
diff --git a/infrastructure/modules/s3/README.md b/infrastructure/modules/s3/README.md
index 74bd6311..c635f744 100644
--- a/infrastructure/modules/s3/README.md
+++ b/infrastructure/modules/s3/README.md
@@ -50,4 +50,4 @@ No modules.
| [bucket\_domain\_name](#output\_bucket\_domain\_name) | n/a |
| [bucket\_id](#output\_bucket\_id) | n/a |
| [s3\_list\_object\_policy](#output\_s3\_list\_object\_policy) | n/a |
-| [s3\_object\_access\_policy](#output\_s3\_object\_access\_policy) | Outputs |
+| [s3\_object\_access\_policy](#output\_s3\_object\_access\_policy) | n/a |
diff --git a/infrastructure/modules/s3/main.tf b/infrastructure/modules/s3/main.tf
index bfd53a40..52345891 100644
--- a/infrastructure/modules/s3/main.tf
+++ b/infrastructure/modules/s3/main.tf
@@ -37,7 +37,6 @@ data "aws_iam_policy_document" "s3_defaut_policy" {
}
data "aws_iam_policy_document" "s3_cloudfront_policy" {
- # Deny any requests that are not using HTTPS
statement {
effect = "Deny"
@@ -61,7 +60,6 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
}
}
- # Allow CloudFront to access the S3 bucket
statement {
effect = "Allow"
@@ -78,7 +76,6 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
"${aws_s3_bucket.bucket.arn}/*",
]
- # Ensure the request is coming from the correct CloudFront distribution
condition {
test = "StringEquals"
variable = "AWS:SourceArn"
@@ -98,7 +95,6 @@ resource "aws_s3_bucket_acl" "bucket_acl" {
depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
}
-# Resource to avoid error "AccessControlListNotSupported: The bucket does not allow ACLs"
resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
bucket = aws_s3_bucket.bucket.id
rule {
diff --git a/infrastructure/modules/s3/output.tf b/infrastructure/modules/s3/output.tf
index 19ed4f1d..ff1a354e 100644
--- a/infrastructure/modules/s3/output.tf
+++ b/infrastructure/modules/s3/output.tf
@@ -1,6 +1,3 @@
-
-
-# Outputs
output "s3_object_access_policy" {
value = aws_iam_policy.s3_document_data_policy.arn
}