Merge pull request #532 from umccr/fix/data-archive-byob-policy

reisingerf · web-flow · commit d887aa134c3a · 2025-01-28T12:59:37.000+11:00
Fix minor bucket policy issues
diff --git a/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf b/terraform/stacks/unimelb/data_archive/byob_ica_v2.tf
@@ -30,9 +30,6 @@ locals {
   # The role that the orcabus file manager uses to ingest events.
   orcabus_file_manager_ingest_role = "orcabus-file-manager-ingest-role"
   orcabus_data_mover_role = "orcabus-data-mover-role"
-
-  # S3 Stops Copy Share role
-  steps_s3_copy_restore_share_role = "umccr-wehi-data-sharing-role"  # FIXME to be changed it to a more permanent data sharing role in future
 }
 
 
@@ -891,51 +888,51 @@ data "aws_iam_policy_document" "development_data" {
     ])
   }
 
-  statement {
-    sid = "steps_s3_copy_restore_share_access_read"
-    principals {
-      type        = "AWS"
-      identifiers = sort([
-        "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}",
-      ])
-    }
-    actions = sort([
-      "s3:ListBucket",
-      "s3:ListBucketMultipartUploads",
-      "s3:ListMultipartUploadParts",
-      "s3:AbortMultipartUpload",
-      "s3:GetObject",
-      "s3:GetObjectTagging",
-      "s3:GetObjectVersionTagging",
-      "s3:GetObjectVersionTagging",
-      "s3:GetObjectAttributes"
-    ])
-    resources = sort([
-      aws_s3_bucket.development_data.arn,
-      "${aws_s3_bucket.development_data.arn}/*",
-    ])
-  }
-
-  statement {
-    sid = "steps_s3_copy_restore_share_access_write"
-    principals {
-      type        = "AWS"
-      identifiers = sort([
-        "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}",
-      ])
-    }
-    actions = sort([
-      "s3:AbortMultipartUpload",
-      "s3:PutObject",
-      "s3:PutObjectTagging",
-      "s3:PutObjectVersionTagging",
-      "s3:DeleteObject"
-    ])
-    resources = sort([
-      aws_s3_bucket.development_data.arn,
-      "${aws_s3_bucket.development_data.arn}/${local.icav2_prefix}${local.icav2_development_project_name}/${local.restored_data_prefix}*",
-    ])
-  }
+  # statement {
+  #   sid = "steps_s3_copy_restore_share_access_read"
+  #   principals {
+  #     type        = "AWS"
+  #     identifiers = sort([
+  #       "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}",
+  #     ])
+  #   }
+  #   actions = sort([
+  #     "s3:ListBucket",
+  #     "s3:ListBucketMultipartUploads",
+  #     "s3:ListMultipartUploadParts",
+  #     "s3:AbortMultipartUpload",
+  #     "s3:GetObject",
+  #     "s3:GetObjectTagging",
+  #     "s3:GetObjectVersionTagging",
+  #     "s3:GetObjectVersionTagging",
+  #     "s3:GetObjectAttributes"
+  #   ])
+  #   resources = sort([
+  #     aws_s3_bucket.development_data.arn,
+  #     "${aws_s3_bucket.development_data.arn}/*",
+  #   ])
+  # }
+
+  # statement {
+  #   sid = "steps_s3_copy_restore_share_access_write"
+  #   principals {
+  #     type        = "AWS"
+  #     identifiers = sort([
+  #       "arn:aws:iam::${local.account_id_dev}:role/${local.steps_s3_copy_restore_share_role}",
+  #     ])
+  #   }
+  #   actions = sort([
+  #     "s3:AbortMultipartUpload",
+  #     "s3:PutObject",
+  #     "s3:PutObjectTagging",
+  #     "s3:PutObjectVersionTagging",
+  #     "s3:DeleteObject"
+  #   ])
+  #   resources = sort([
+  #     aws_s3_bucket.development_data.arn,
+  #     "${aws_s3_bucket.development_data.arn}/${local.icav2_prefix}${local.icav2_development_project_name}/${local.restored_data_prefix}*",
+  #   ])
+  # }
 
   statement {
     sid = "AccessPointDelegation"
