feat(syncer): account access control for distribution cache bucket (#585

)
philips-labs · Mar 9, 2021 · 05c1c11 · 05c1c11
1 parent 76c3d9b
commit 05c1c11
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -123,10 +123,13 @@ resource "aws_s3_bucket_notification" "on_deploy" {
   depends_on = [aws_lambda_permission.on_deploy]
 }
 
+data "aws_caller_identity" "current" {}
+
 resource "aws_lambda_permission" "on_deploy" {
-  statement_id  = "AllowExecutionFromS3Bucket"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.syncer.arn
-  principal     = "s3.amazonaws.com"
-  source_arn    = aws_s3_bucket.action_dist.arn
+  statement_id   = "AllowExecutionFromS3Bucket"
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.syncer.arn
+  principal      = "s3.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+  source_arn     = aws_s3_bucket.action_dist.arn
 }