Merge branch 'main' into rev/treasury_email

usdigitalresponse · Sep 10, 2024 · e94a087 · e94a087
2 parents b56eb3f + a59f6e7
commit e94a087
Showing 1 changed file with 27 additions and 8 deletions.
diff --git a/terraform/treasury_generation_lambda_functions.tf b/terraform/treasury_generation_lambda_functions.tf
@@ -27,10 +27,16 @@ module "lambda_function-subrecipientTreasuryReportGen" {
         "s3:ListBucket"
       ]
       resources = [
-        # This allows the function to check whether subrecipient data-file exists in the path.
-        # Path: /{organization_id}/{reporting_period_id}/*
-        "${module.reporting_data_bucket.bucket_arn}/*/*/*",
+        "${module.reporting_data_bucket.bucket_arn}",
       ]
+      # Path: /{organization_id}/{reporting_period_id}/*
+      condition = {
+        string_like_condition = {
+          test     = "StringLike"
+          variable = "s3:prefix"
+          values   = ["*/*/*"]
+        }
+      }
     }
     AllowDownloadSubrecipientsFile = {
       effect = "Allow"
@@ -183,10 +189,16 @@ module "lambda_function-treasuryProjectFileGeneration" {
         "s3:ListBucket"
       ]
       resources = [
-        # This allows the function to check whether objects exist in the path.
-        # Path: treasuryreports/{organization_id}/{reporting_period_id}/*
-        "${module.reporting_data_bucket.bucket_arn}/treasuryreports/*/*/*",
+        "${module.reporting_data_bucket.bucket_arn}",
       ]
+      # Path: treasuryreports/{organization_id}/{reporting_period_id}/*
+      condition = {
+        string_like_condition = {
+          test     = "StringLike"
+          variable = "s3:prefix"
+          values   = ["treasuryreports/*/*/*"]
+        }
+      }
     }
     AllowUploadCSVReport = {
       effect = "Allow"
@@ -286,9 +298,16 @@ module "lambda_function-cpfCreateArchive" {
         "s3:ListBucket"
       ]
       resources = [
-        # Path: treasuryreports/{organization_id}/{reporting_period_id}/*
-        "${module.reporting_data_bucket.bucket_arn}/treasuryreports/*/*/*",
+        "${module.reporting_data_bucket.bucket_arn}",
       ]
+      # Path: treasuryreports/{organization_id}/{reporting_period_id}/*
+      condition = {
+        string_like_condition = {
+          test     = "StringLike"
+          variable = "s3:prefix"
+          values   = ["treasuryreports/*/*/*"]
+        }
+      }
     }
     AllowDownloadExcelObjects = {
       effect = "Allow"