Merge pull request #183 from dandi/prod-bucket-put-object-tagging

Add `s3:PutObjectTagging` permission to sponsored bucket
dandi · Apr 29, 2024 · f82de1a · f82de1a
2 parents d12f963 + ef71895
commit f82de1a
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/terraform/modules/dandiset_bucket/main.tf b/terraform/modules/dandiset_bucket/main.tf
@@ -265,6 +265,23 @@ data "aws_iam_policy_document" "dandiset_bucket_policy" {
     }
   }
 
+  dynamic "statement" {
+    for_each = var.allow_cross_account_heroku_put_object ? [1] : []
+    content {
+      resources = [
+        "${aws_s3_bucket.dandiset_bucket.arn}",
+        "${aws_s3_bucket.dandiset_bucket.arn}/*",
+      ]
+
+      actions = ["s3:PutObjectTagging"]
+
+      principals {
+        type        = "AWS"
+        identifiers = [var.heroku_user.arn]
+      }
+    }
+  }
+
   dynamic "statement" {
     for_each = var.trailing_delete ? [1] : []