Merge pull request #150 from dandi/remove-acl-logging-buckets

dandi · May 22, 2023 · 4a08940 · 4a08940
2 parents 5e0ac52 + f699536
commit 4a08940
Showing 1 changed file with 27 additions and 17 deletions.
diff --git a/terraform/modules/dandiset_bucket/main.tf b/terraform/modules/dandiset_bucket/main.tf
@@ -4,6 +4,8 @@ data "aws_caller_identity" "sponsored_account" {
   provider = aws
 }
 
+data "aws_caller_identity" "current" {}
+
 resource "aws_s3_bucket" "dandiset_bucket" {
 
   bucket = var.bucket_name
@@ -61,23 +63,7 @@ resource "aws_s3_bucket_ownership_controls" "dandiset_bucket" {
 resource "aws_s3_bucket" "log_bucket" {
   bucket = var.log_bucket_name
 
-  # TODO: replace the ACL configuration with a bucket policy
-  # See https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
-  grant {
-    type = "Group"
-    uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
-    permissions = [
-      "READ_ACP",
-      "WRITE",
-    ]
-  }
-  grant {
-    type = "CanonicalUser"
-    id   = data.aws_canonical_user_id.log_bucket_owner_account.id
-    permissions = [
-      "FULL_CONTROL",
-    ]
-  }
+
 
   lifecycle {
     prevent_destroy = true
@@ -110,6 +96,30 @@ data "aws_iam_policy_document" "dandiset_log_bucket_policy" {
       identifiers = [var.heroku_user.arn]
     }
   }
+
+  statement {
+    sid       = "S3ServerAccessLogsPolicy"
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.log_bucket.arn}/*"]
+    actions   = ["s3:PutObject"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.dandiset_bucket.arn]
+    }
+
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "dandiset_log_bucket_policy" {