From eccb66deafc6c34b479c2caab3c98cefc1ddd1b5 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sat, 11 Nov 2023 19:51:58 +0200
Subject: [PATCH] terraform-iam: fix listing for nix-cache-logs and others (hopefully)

This adds support for the ListObjects[V2] actions, which should allow listing the contents in there.
---
 terraform-iam/archeologist.tf | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/terraform-iam/archeologist.tf b/terraform-iam/archeologist.tf
index ce8d2591..9e6388aa 100644
--- a/terraform-iam/archeologist.tf
+++ b/terraform-iam/archeologist.tf
@@ -8,9 +8,13 @@ resource "aws_s3_bucket" "archeologist" {
 data "aws_iam_policy_document" "archaeologist" {
 statement {
- sid = "NixCacheInventoryReadOnly"
+ # Read-only access and listing permissions
+ # To the cache and releases inventories,
+ # as well as the bucket where cache bucket logs end up in.
+ sid = "NixCacheLogsInventoryReadOnly"
 actions = [
+ "s3:List*",
 "s3:Get*"
 ]
@@ -33,12 +37,15 @@ data "aws_iam_policy_document" "archaeologist" {
 resources = [
 "arn:aws:s3:::nix-cache-log",
- "arn:aws:s3:::nix-cache-log/*"
+ "arn:aws:s3:::nix-cache-log/*",
+ "arn:aws:s3:::nix-releases-inventory220231029182031496800000001",
+ "arn:aws:s3:::nix-releases-inventory220231029182031496800000001/*",
 ]
 }
 statement {
- sid = "NixArcheologistReadWrite"
+ # Full access to the Archaeologist bucket
+ sid = "NixArchaeologistReadWrite"
 actions = [
 "s3:*"
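Review bot: The `"s3:List*"` added to the first statement's actions is broader than the fix needs; the commit message names ListObjects[V2], and the IAM action that authorizes that API is `s3:ListBucket`, so `"s3:ListBucket",` in place of `"s3:List*",` keeps the statement as narrow as its "ReadOnly" sid suggests. The wildcard also matches bucket-level actions such as `s3:ListBucketVersions` and `s3:ListBucketMultipartUploads`, which nothing in this patch indicates the archaeologist principal requires; if it does, naming them explicitly documents that. List actions are evaluated against the bucket ARN, not the `/*` object ARN, so the `/*` entries in the statement's resources only matter for `s3:Get*`. Given the "(hopefully)" in the subject, listing `nix-cache-log` with the archaeologist principal after apply is the way to confirm the change actually resolves the failure. The first hunk's trailing context lines and the statement's full resources list are not shown in the patch as displayed, so whether other wildcard actions are granted alongside these cannot be checked from here.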