Merge pull request #29222 from ministryofjustice/fix-audit-dev-permis…

…sions Fix Athena permission for audit in dev
ministryofjustice · Jan 30, 2025 · 6561c3c · 6561c3c
2 parents cb1756a + 664afc5
commit 6561c3c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 16 deletions.
diff --git a/...spaces/live.cloud-platform.service.justice.gov.uk/hmpps-audit-dev/resources/athena-iam.tf b/...spaces/live.cloud-platform.service.justice.gov.uk/hmpps-audit-dev/resources/athena-iam.tf
@@ -37,20 +37,15 @@ data "aws_iam_policy_document" "athena" {
     ]
 
     resources = [
-      aws_athena_workgroup.queries.arn,
-      "${aws_athena_workgroup.queries.arn}/*",
+      "arn:aws:athena:eu-west-2:*:workgroup/${aws_athena_workgroup.queries.name}",
+      "arn:aws:athena:eu-west-2:*:workgroup/${aws_athena_workgroup.queries.name}/*",
+      "arn:aws:athena:eu-west-2:*:query/*",
       "arn:aws:glue:eu-west-2:*:catalog",
       "arn:aws:glue:eu-west-2:*:database/${aws_athena_database.audit_database.id}",
-      "arn:aws:glue:eu-west-2:*:database/${aws_athena_database.audit_database.id}/*",
       "arn:aws:glue:eu-west-2:*:table/${aws_athena_database.audit_database.id}",
       "arn:aws:glue:eu-west-2:*:table/${aws_athena_database.audit_database.id}/*",
       module.s3.bucket_arn,
       "${module.s3.bucket_arn}/*",
-
-      "arn:aws:athena:*:*:workgroup/hmpps_audit_${var.environment-name}",
-      "arn:aws:glue:eu-west-2:*:database/audit_${var.environment-name}",
-      "arn:aws:s3:::${module.s3.bucket_name}",
-      "arn:aws:s3:::${module.s3.bucket_name}/*"
     ]
   }
 }

diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-audit-dev/resources/irsa.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-audit-dev/resources/irsa.tf
@@ -80,21 +80,16 @@ data "aws_iam_policy_document" "document" {
       "glue:DeleteTable",
     ]
     resources = [
-      aws_athena_workgroup.queries.arn,
-      "${aws_athena_workgroup.queries.arn}/*",
+      "arn:aws:athena:eu-west-2:*:workgroup/${aws_athena_workgroup.queries.name}",
+      "arn:aws:athena:eu-west-2:*:workgroup/${aws_athena_workgroup.queries.name}/*",
+      "arn:aws:athena:eu-west-2:*:query/*",
       "arn:aws:glue:eu-west-2:*:catalog",
       "arn:aws:glue:eu-west-2:*:database/${aws_athena_database.audit_database.id}",
-      "arn:aws:glue:eu-west-2:*:database/${aws_athena_database.audit_database.id}/*",
       "arn:aws:glue:eu-west-2:*:table/${aws_athena_database.audit_database.id}",
       "arn:aws:glue:eu-west-2:*:table/${aws_athena_database.audit_database.id}/*",
       module.s3.bucket_arn,
       "${module.s3.bucket_arn}/*",
 
-      "arn:aws:athena:*:*:workgroup/hmpps_audit_${var.environment-name}",
-      "arn:aws:glue:eu-west-2:*:database/audit_${var.environment-name}",
-      "arn:aws:s3:::${module.s3.bucket_name}",
-      "arn:aws:s3:::${module.s3.bucket_name}/*"
-
     ]
   }
 }