Fix CI S3 permissions for pr-intent bucket reads

Terraform refresh calls GetAccelerateConfiguration (and other non-GetBucket* APIs). Grant s3:Get*/s3:Put* on the pr-intent bucket ARN so fleet deploy tofu apply can refresh bucket config.
2026-02-15 18:08:05 -08:00 · 2026-02-15 18:08:05 -08:00 · 0f7e6570eb
commit 0f7e6570eb
parent ce846a36dc
1 changed files with 5 additions and 2 deletions
--- a/infra/opentofu/aws/main.tf
+++ b/infra/opentofu/aws/main.tf
@ -139,8 +139,11 @@ data "aws_iam_policy_document" "ami_importer" {
  statement {
    sid = "PrIntentBucketManage"
    actions = [
-      "s3:GetBucket*",
-      "s3:PutBucket*",
+      # S3 bucket-level config APIs are unfortunately a mix of GetBucket* and Get*.
+      # Use broad prefixes here; the resource is the bucket ARN so this does not grant
+      # object read/write on this bucket.
+      "s3:Get*",
+      "s3:Put*",
      "s3:DeleteBucketPolicy",
      "s3:ListBucket"
    ]