From ef71895c9dd233b8d8f9adf239282acf37063432 Mon Sep 17 00:00:00 2001
From: Jacob Nesbitt
Date: Mon, 29 Apr 2024 12:56:26 -0400
Subject: [PATCH] Add `s3:PutObjectTagging` permission to sponsored bucket
---
 terraform/modules/dandiset_bucket/main.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/terraform/modules/dandiset_bucket/main.tf b/terraform/modules/dandiset_bucket/main.tf
index 7707db6..1ef7067 100644
--- a/terraform/modules/dandiset_bucket/main.tf
+++ b/terraform/modules/dandiset_bucket/main.tf
@@ -265,6 +265,23 @@ data "aws_iam_policy_document" "dandiset_bucket_policy" {
 }
 }
+ dynamic "statement" {
+ for_each = var.allow_cross_account_heroku_put_object ? [1] : []
+ content {
+ resources = [
+ "${aws_s3_bucket.dandiset_bucket.arn}",
+ "${aws_s3_bucket.dandiset_bucket.arn}/*",
+ ]
+
+ actions = ["s3:PutObjectTagging"]
+
+ principals {
+ type = "AWS"
+ identifiers = [var.heroku_user.arn]
+ }
+ }
+ }
+
 dynamic "statement" {
 for_each = var.trailing_delete ? [1] : []