Merge pull request #202 from nlamirault/feat/refactoring-iam

IAM: Refactoring buckets usage for Loki, Tempo and Mimir
nlamirault · Mar 11, 2024 · fab69a1 · fab69a1
2 parents bb39a80 + 72f7405
commit fab69a1
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 25 deletions.
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -16,22 +16,22 @@
 
 # Labels for action/labeler
 
-area/kubernetes:
-  - kubernetes/*
-  - kubernetes/**/*
-
-area/gcp:
-  - iac/gcp/*
-  - iac/gcp/**/*
+area/terraform:
+  - adot/*.tf
+  - amg/*.tf
+  - amp/*.tf
+  - cloudwatch/*.tf
+  - grafana/*.tf
+  - loki/*.tf
+  - mimir/*.tf
+  - mimir/*.tf
+  - prometheus/*.tf
+  - tempo/*.tf
 
 area/aws:
   - iac/aws/*
   - iac/aws/**/*
 
-area/azure:
-  - iac/azure/*
-  - iac/azure/**/*
-
 kind/documentation:
-  - docs/*
-  - docs/**/*
+  - README.md
+  - "**/*.md"
diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf
@@ -26,10 +26,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {

diff --git a/modules/mimir/iam.tf b/modules/mimir/iam.tf
@@ -26,10 +26,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {

diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf
@@ -28,10 +28,10 @@ data "aws_iam_policy_document" "bucket" {
     ]
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
-    resources = [
-      module.buckets_data[*].s3_bucket_arn,
-      "${module.buckets_data[*].s3_bucket_arn}/*"
-    ]
+    resources = concat(
+      [for b in toset(local.buckets_names) : module.buckets_data[b].s3_bucket_arn],
+      [for b in toset(local.buckets_names) : format("%s/*", module.buckets_data[b].s3_bucket_arn)]
+    )
   }
 
   dynamic "statement" {