fix data-lake-users global_reader role

slalom · Sep 28, 2020 · 4e8f13b · 4e8f13b
1 parent 06f50c0
commit 4e8f13b
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/catalog/aws/data-lake-users/iam.tf b/catalog/aws/data-lake-users/iam.tf
@@ -52,11 +52,11 @@ resource "aws_iam_policy" "group_s3_permission" {
       "Resource": ["arn:aws:s3:::*"]
     },
     {
-      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
+      "Sid": "AllowListingRoot",
       "Action": ["s3:ListBucket"],
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::${var.data_bucket}"],
-      "Condition":{"StringEquals":{"s3:prefix":["","home/","data/"],"s3:delimiter":["/"]}}
+      "Condition":{"StringEquals":{"s3:prefix":[""],"s3:delimiter":["/"]}}
     },
     {
       "Sid": "AllowListingOfUserFolder",
@@ -94,9 +94,19 @@ resource "aws_iam_policy" "group_s3_permission" {
       "Resource": [
         "arn:aws:s3:::${var.data_bucket}${grant.path}*"
       ]
+    },
+    {
+      "Sid": "AllowS3ListingON${replace(replace(replace(grant.path, "/", ""), "-", ""), "_", "")}",
+      "Action": ["s3:ListBucket"],
+      "Resource": ["arn:aws:s3:::${var.data_bucket}"],
+      ${grant.path == "" ? "" : <<EOF
+"Condition":{"StringEquals":{"s3:prefix":["${grant.path}"],"s3:delimiter":["/"]}},
+EOF
+  }
+      "Effect": "Allow"
     }
 EOF2
-  ]
+]
 )}
   ]
 }