From 106c227f6548e6e03d21cf178764eaf83b9b12fe Mon Sep 17 00:00:00 2001
From: Marko Malenic
Date: Thu, 28 Nov 2024 16:45:51 +1100
Subject: [PATCH] style(data-migrate): make bucket permissions clearer

---
 config/stacks/dataMigrate.ts | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/config/stacks/dataMigrate.ts b/config/stacks/dataMigrate.ts
index 97918abac..d3036a22f 100644
--- a/config/stacks/dataMigrate.ts
+++ b/config/stacks/dataMigrate.ts
@@ -1,25 +1,43 @@
 import {
   AppStage,
-  vpcProps,
-  oncoanalyserBucket,
-  icav2PipelineCacheBucket,
   dataMoverRoleName,
+  fileManagerInventoryBucket,
   icav2ArchiveAnalysisBucket,
   icav2ArchiveFastqBucket,
-  fileManagerInventoryBucket,
+  icav2PipelineCacheBucket,
   logsApiGatewayConfig,
+  oncoanalyserBucket,
+  vpcProps,
 } from '../constants';
 import { DataMigrateStackProps } from '../../lib/workload/stateless/stacks/data-migrate/deploy/stack';
 
 export const getDataMigrateStackProps = (stage: AppStage): DataMigrateStackProps => {
-  // For dev/staging we can write to any bucket that is also readable.
-  let writeToBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+  let readFromBuckets = [];
+  let deleteFromBuckets = [];
+  let writeToBuckets = [];
   switch (stage) {
     case AppStage.BETA:
+      // For dev/staging we can write to and read from the same set of buckets.
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
       // For dev additionally, write to the filemanager inventory bucket for testing.
-      writeToBuckets.push(fileManagerInventoryBucket[stage]);
+      writeToBuckets = [
+        oncoanalyserBucket[stage],
+        icav2PipelineCacheBucket[stage],
+        fileManagerInventoryBucket[stage],
+      ];
+      break;
+    case AppStage.GAMMA:
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
+      writeToBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
       break;
     case AppStage.PROD:
+      readFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+      deleteFromBuckets = [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]];
+
       // For prod, we only allow writing to the archive buckets, nothing else.
       writeToBuckets = [icav2ArchiveAnalysisBucket[stage], icav2ArchiveFastqBucket[stage]];
       break;
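Review bot: The switch that now decides all three permission lists has no `default` branch, so a stage value other than BETA, GAMMA or PROD leaves `readFromBuckets`, `deleteFromBuckets` and `writeToBuckets` as the empty arrays initialised above it, and the return in the second hunk hands those out silently; that fails closed, but an unmapped stage would synthesise a data-mover role with no bucket access and nothing would say why. Add `default: throw new Error('no data-migrate bucket permissions defined for stage ' + String(stage));` as the last case so the gap surfaces at synth time rather than as a puzzling access-denied in the deployed account. The three `let … = [];` declarations also leave the element type to evolving-array inference; annotating them with whatever `oncoanalyserBucket[stage]` resolves to (I cannot see `../constants` from here) makes the intended type explicit and keeps any future `push` from widening it. The `// For dev/staging …` comment now sits only under the BETA case while the new GAMMA case carries no comment; if GAMMA is the staging stage, that comment belongs above the switch or on both cases. The function body continues past the end of this hunk.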
@@ -28,8 +46,8 @@ export const getDataMigrateStackProps = (stage: AppStage): DataMigrateStackProps
   return {
     vpcProps,
     dataMoverRoleName,
-    deleteFromBuckets: [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]],
-    readFromBuckets: [oncoanalyserBucket[stage], icav2PipelineCacheBucket[stage]],
+    deleteFromBuckets,
+    readFromBuckets,
     writeToBuckets,
     logRetention: logsApiGatewayConfig[stage].retention,
   };