style(data-migrate): make bucket permissions clearer

umccr · Nov 28, 2024 · 106c227 · 106c227
1 parent d2db1a7
commit 106c227
Showing 1 changed file with 27 additions and 9 deletions.
diff --git a/config/stacks/dataMigrate.ts b/config/stacks/dataMigrate.ts
@@ -1,25 +1,43 @@
 import {
   AppStage,
-  vpcProps,
-  oncoanalyserBucket,
-  icav2PipelineCacheBucket,
   dataMoverRoleName,
+  fileManagerInventoryBucket,
   icav2ArchiveAnalysisBucket,
   icav2ArchiveFastqBucket,
-  fileManagerInventoryBucket,
+  icav2PipelineCacheBucket,
   logsApiGatewayConfig,
+  oncoanalyserBucket,
+  vpcProps,
 } from '../constants';
 import { DataMigrateStackProps } from '../../lib/workload/stateless/stacks/data-migrate/deploy/stack';
 
 export const getDataMigrateStackProps = (stage: AppStage): DataMigrateStackProps => {
-  // For dev/staging we can write to any bucket that is also readable.
-  let writeToBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+  let readFromBuckets = [];
+  let deleteFromBuckets = [];
+  let writeToBuckets = [];
   switch (stage) {
     case AppStage.BETA:
+      // For dev/staging we can write to and read from the same set of buckets.
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
       // For dev additionally, write to the filemanager inventory bucket for testing.
-      writeToBuckets.push(fileManagerInventoryBucket[stage]);
+      writeToBuckets = [
+        oncoanalyserBucket[stage],
+        icav2PipelineCacheBucket[stage],
+        fileManagerInventoryBucket[stage],
+      ];
+      break;
+    case AppStage.GAMMA:
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
+      writeToBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
       break;
     case AppStage.PROD:
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
       // For prod, we only allow writing to the archive buckets, nothing else.
       writeToBuckets = [icav2ArchiveAnalysisBucket[stage], icav2ArchiveFastqBucket[stage]];
       break;
@@ -28,8 +46,8 @@ export const getDataMigrateStackProps = (stage: AppStage): DataMigrateStackProps
   return {
     vpcProps,
     dataMoverRoleName,
-    deleteFromBuckets: [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]],
-    readFromBuckets: [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]],
+    deleteFromBuckets,
+    readFromBuckets,
     writeToBuckets,
     logRetention: logsApiGatewayConfig[stage].retention,
   };