Merge pull request #202 from nlamirault/feat/refactoring-iam

nlamirault · web-flow · commit fab69a1b7efa · 2024-03-11T14:47:29.000+01:00
IAM: Refactoring buckets usage for Loki, Tempo and Mimir
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -16,22 +16,22 @@
 
 # Labels for action/labeler
 
-area/kubernetes:
-  - kubernetes/*
-  - kubernetes/**/*
-
-area/gcp:
-  - iac/gcp/*
-  - iac/gcp/**/*
+area/terraform:
+  - adot/*.tf
+  - amg/*.tf
+  - amp/*.tf
+  - cloudwatch/*.tf
+  - grafana/*.tf
+  - loki/*.tf
+  - mimir/*.tf
+  - mimir/*.tf
+  - prometheus/*.tf
+  - tempo/*.tf
 
 area/aws:
   - iac/aws/*
   - iac/aws/**/*
 
-area/azure:
-  - iac/azure/*
-  - iac/azure/**/*
-
 kind/documentation:
-  - docs/*
-  - docs/**/*
+  - README.md
+  - "**/*.md"
diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf
@@ -26,10 +26,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {
diff --git a/modules/mimir/iam.tf b/modules/mimir/iam.tf
@@ -26,10 +26,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {
diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf
@@ -28,10 +28,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {

Original file line number	Diff line number	Diff line change
`@@ -26,10 +26,10 @@ data "aws_iam_policy_document" "bucket" {`
`26`	`26`	`]`
`27`	`27`
`28`	`28`	`#tfsec:ignore:aws-iam-no-policy-wildcards`
`29`		`- resources = [`
`30`		`- module.buckets_data[*].s3_bucket_arn,`
`31`		`- "${module.buckets_data[].s3_bucket_arn}/"`
`32`		`- ]`
	`29`	`+ resources = concat(`
	`30`	`+ [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],`
	`31`	`+ [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]`
	`32`	`+ )`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`dynamic "statement" {`
Original file line number	Diff line number	Diff line change
`@@ -28,10 +28,10 @@ data "aws_iam_policy_document" "bucket" {`
`28`	`28`	`]`
`29`	`29`
`30`	`30`	`#tfsec:ignore:aws-iam-no-policy-wildcards`
`31`		`- resources = [`
`32`		`- module.buckets_data[*].s3_bucket_arn,`
`33`		`- "${module.buckets_data[].s3_bucket_arn}/"`
`34`		`- ]`
	`31`	`+ resources = concat(`
	`32`	`+ [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],`
	`33`	`+ [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]`
	`34`	`+ )`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`dynamic "statement" {`