From 4e8f13b66aab3494ddc1496bdc95f4fecb6ec0d4 Mon Sep 17 00:00:00 2001
From: AJ Steers
Date: Mon, 28 Sep 2020 09:36:35 -0700
Subject: [PATCH] fix data-lake-users global_reader role
---
 catalog/aws/data-lake-users/iam.tf | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/catalog/aws/data-lake-users/iam.tf b/catalog/aws/data-lake-users/iam.tf
index 6c2d1de3..de29f190 100644
--- a/catalog/aws/data-lake-users/iam.tf
+++ b/catalog/aws/data-lake-users/iam.tf
@@ -52,11 +52,11 @@ resource "aws_iam_policy" "group_s3_permission" {
 "Resource": ["arn:aws:s3:::*"]
 },
 {
- "Sid": "AllowRootAndHomeListingOfCompanyBucket",
+ "Sid": "AllowListingRoot",
 "Action": ["s3:ListBucket"],
 "Effect": "Allow",
 "Resource": ["arn:aws:s3:::${var.data_bucket}"],
- "Condition":{"StringEquals":{"s3:prefix":["","home/","data/"],"s3:delimiter":["/"]}}
+ "Condition":{"StringEquals":{"s3:prefix":[""],"s3:delimiter":["/"]}}
 },
 {
 "Sid": "AllowListingOfUserFolder",
@@ -94,9 +94,19 @@ resource "aws_iam_policy" "group_s3_permission" {
 "Resource": [ "arn:aws:s3:::${var.data_bucket}${grant.path}*" ]
+ },
+ {
+ "Sid": "AllowS3ListingON${replace(replace(replace(grant.path, "/", ""), "-", ""), "_", "")}",
+ "Action": ["s3:ListBucket"],
+ "Resource": ["arn:aws:s3:::${var.data_bucket}"],
+ ${grant.path == "" ? "" : <
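Review bot: The narrowed `+ "Condition"` line in the first hunk leaves this statement granting only a delimiter-bounded listing of the bucket root, and nothing in the hunk records why `home/` and `data/` were dropped or which statement is now expected to cover them; a short HCL comment above the policy heredoc would spare the next reader from re-deriving it, e.g. `# Root listing only; listing of home/ and data/ is expected to come from the per-grant ListBucket statements further down.` (hedged, since those per-grant statements are only partly visible in the second hunk). Note also that `StringEquals` on `s3:delimiter` still denies any ListBucket call that omits the delimiter parameter, because the condition key is then absent from the request context, so clients enumerating the bucket without `Delimiter="/"` receive AccessDenied at the root; if that is intended, it belongs in the same comment. The enclosing `aws_iam_policy.group_s3_permission` resource and the heredoc holding this JSON start and end outside the hunk.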