From 0f7e6570ebf050cc41228fa5277faac06fc6807a Mon Sep 17 00:00:00 2001
From: joshp123
Date: Sun, 15 Feb 2026 18:08:05 -0800
Subject: [PATCH] Fix CI S3 permissions for pr-intent bucket reads

Terraform refresh calls GetAccelerateConfiguration (and other non-GetBucket* APIs). Grant s3:Get*/s3:Put* on the pr-intent bucket ARN so fleet deploy tofu apply can refresh bucket config.
---
 infra/opentofu/aws/main.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/infra/opentofu/aws/main.tf b/infra/opentofu/aws/main.tf
index 6de7c63..bdfbd83 100644
--- a/infra/opentofu/aws/main.tf
+++ b/infra/opentofu/aws/main.tf
@@ -139,8 +139,11 @@ data "aws_iam_policy_document" "ami_importer" {
 statement {
 sid = "PrIntentBucketManage"
 actions = [
- "s3:GetBucket*",
- "s3:PutBucket*",
+ # S3 bucket-level config APIs are unfortunately a mix of GetBucket* and Get*.
+ # Use broad prefixes here; the resource is the bucket ARN so this does not grant
+ # object read/write on this bucket.
+ "s3:Get*",
+ "s3:Put*",
 "s3:DeleteBucketPolicy",
 "s3:ListBucket"
 ]
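Review bot: The `"s3:Put*"` line widens the statement beyond what the commit message justifies: the failure described is a refresh-time read (GetAccelerateConfiguration), which `"s3:Get*"` alone fixes, while `s3:Put*` on a bucket ARN additionally grants every bucket-configuration write that `PutBucket*` did not already cover, such as `s3:PutLifecycleConfiguration`, `s3:PutReplicationConfiguration` and `s3:PutEncryptionConfiguration`, which can expire, replicate or re-key objects without any object-level permission. Unless `tofu apply` is shown to need those, keep the old line, `"s3:PutBucket*",`, and if specific extra writes are required, list them explicitly next to it rather than using the wildcard. The added comment also asserts that the resource is the bucket ARN rather than `bucket/*`, but the statement's `resources` block lies outside the hunk, so that claim should be checked there before relying on it; I would add to the comment that `Put*` still includes policy/ACL/lifecycle writes, e.g. `# NOTE: Put* on the bucket ARN still covers PutBucketPolicy, PutBucketAcl and PutLifecycleConfiguration.`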