Add IAM policy for uploading to archive bucket

victorlin · victorlin · commit 63ca6e00cf05 · 2026-06-10T16:49:13.000-07:00
To be used for automated archiving.
diff --git a/env/production/aws-iam-policy-NextstrainArchiveUpload.tf b/env/production/aws-iam-policy-NextstrainArchiveUpload.tf
@@ -0,0 +1,33 @@
+resource "aws_iam_policy" "NextstrainArchiveUpload" {
+  name        = "NextstrainArchiveUpload"
+  description = "Provides permissions to upload to the nextstrain-archive bucket"
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "ListBucket",
+        "Effect": "Allow",
+        "Action": "s3:ListBucket",
+        "Resource": "arn:aws:s3:::nextstrain-archive"
+      },
+      {
+        "Sid": "PutObjectIfAbsent",
+        "Effect": "Allow",
+        "Action": "s3:PutObject",
+        "Resource": "arn:aws:s3:::nextstrain-archive/*",
+        "Condition": {
+          "Null": {
+            "s3:if-none-match": "false"
+          }
+        }
+      },
+      {
+        "Sid": "AbortMultipartUpload",
+        "Effect": "Allow",
+        "Action": "s3:AbortMultipartUpload",
+        "Resource": "arn:aws:s3:::nextstrain-archive/*"
+      }
+    ]
+  })
+}
