fix: fix deny exception policy #272
Conversation
| @@ -85,7 +85,36 @@ | |||
| %{endif} | |||
| %{endfor ~} | |||
| %{endif} | |||
| %{if deny_global_write_access == "true" && producer_roles != "" } | |||
| %{if deny_exception_iamroles != "" } | |||
There was a problem hiding this comment.
I believe roles have access by default if it is from the same account, right?
| %{endif} | ||
| %{if length(var.system_schema_producer_iamroles) > 0} | ||
| { | ||
| "Sid": "system schema customer account permissions", |
There was a problem hiding this comment.
Why do we need this section specifically for system bucket?
There was a problem hiding this comment.
the producer iam role does not apply to system buckets and s3 access log, as well as s3 inventory buckets
| @@ -26,8 +26,7 @@ locals { | |||
| governance_iamroles = join("\",\"", var.apiary_governance_iamroles) | |||
| consumer_prefix_roles = lookup(var.apiary_consumer_prefix_iamroles, schema["schema_name"], {}) | |||
| common_producer_iamroles = join("\",\"", var.apiary_common_producer_iamroles) | |||
| deny_global_write_access = lookup(schema, "deny_global_write_access", var.deny_global_write_access) | |||
| producer_roles = lookup(schema, "producer_roles", var.producer_roles) | |||
| deny_exception_iamroles = lookup(schema, "deny_exception_iamroles", "") == "" ? "" : join("\",\"", compact(concat(split(",", schema["deny_exception_iamroles"]), var.apiary_managed_service_iamroles, var.apiary_governance_iamroles))) | |||
There was a problem hiding this comment.
I am not sure about this anymore.
If you add apiary_governance_iamroles and apiary_managed_service_iamroles by default, this means that all buckets will restrict writing from now on. Because in many clauses deny_exception_iamroles != 0
Before, with my last update, only 1 bucket was affected, and the rest of buckets were with same functionality, but now with these changes, you are forcing all buckets to be restricted.
Is that correct?
There was a problem hiding this comment.
Nope, there is a condition, add it to default only when deny_exception_iamroles is not null, which mean you have deny exception defined. once you have it then add governace and egdl managed service roles as default.
📝 Description
Fixed
apiary_governance_iamrolesinto deny exception policy.apiary_managed_service_iamrolesto handle tagging service IAM roles in deny exception policy.system_schema_producer_iamrolesto support system schema producer IAM roles.🔗 Related Issues