add permissions access policy

guardian · Sep 2, 2024 · 310073b · 310073b
1 parent 9dba939
commit 310073b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/cdk/lib/__snapshots__/wires-feeds.test.ts.snap b/cdk/lib/__snapshots__/wires-feeds.test.ts.snap
@@ -13,6 +13,8 @@ exports[`The WiresFeeds stack matches the snapshot 1`] = `
       "GuSecurityGroup",
       "GuDatabase",
       "GuParameter",
+      "GuParameter",
+      "GuGetS3ObjectsPolicy",
       "GuGetS3ObjectsPolicy",
       "GuSubnetListParameter",
       "GuPlayApp",
@@ -68,6 +70,11 @@ exports[`The WiresFeeds stack matches the snapshot 1`] = `
       "Description": "Bucket name for pan-domain auth settings",
       "Type": "AWS::SSM::Parameter::Value<String>",
     },
+    "PermissionsBucket": {
+      "Default": "/TEST/editorial-feeds/wires-feeds/permissions-bucket",
+      "Description": "Bucket name for permissions data",
+      "Type": "AWS::SSM::Parameter::Value<String>",
+    },
     "VpcId": {
       "Default": "/account/vpc/primary/id",
       "Description": "Virtual Private Cloud to run EC2 instances within. Should NOT be the account default VPC.",
@@ -1542,6 +1549,38 @@ exports[`The WiresFeeds stack matches the snapshot 1`] = `
       },
       "Type": "AWS::IAM::Policy",
     },
+    "PermissionsCachePolicyEB49F1A4": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:GetObject",
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:s3:::",
+                    {
+                      "Ref": "PermissionsBucket",
+                    },
+                    "/TEST/*",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "PermissionsCachePolicyEB49F1A4",
+        "Roles": [
+          {
+            "Ref": "InstanceRoleWiresfeeds49C69F29",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "SsmSshPolicy4CFC977E": {
       "Properties": {
         "PolicyDocument": {

diff --git a/cdk/lib/wires-feeds.ts b/cdk/lib/wires-feeds.ts
@@ -160,6 +160,13 @@ export class WiresFeeds extends GuStack {
 			},
 		);
 
+		const permissionsBucketName = new GuParameter(this, 'PermissionsBucket', {
+			description: 'Bucket name for permissions data',
+			fromSSM: true,
+			default: `/${stageStackApp}/permissions-bucket`,
+			type: 'String',
+		});
+
 		const alarmSnsTopic = new Topic(this, `${app}-email-alarm-topic`);
 
 		const scaling = {
@@ -203,6 +210,10 @@ export class WiresFeeds extends GuStack {
 					new GuGetS3ObjectsPolicy(this, 'PandaAuthPolicy', {
 						bucketName: panDomainSettingsBucket.valueAsString,
 					}),
+					new GuGetS3ObjectsPolicy(this, 'PermissionsCachePolicy', {
+						bucketName: permissionsBucketName.valueAsString,
+						paths: [`${this.stage}/*`],
+					}),
 				],
 			},
 		});