Fix CI tofu permissions for pr-intent public bucket

Grant CI user bucket-management read/write actions (GetBucket*/PutBucket*) on the public PR-intent bucket so fleet deploy can run tofu apply without AccessDenied.
2026-02-15 17:52:21 -08:00 · 2026-02-15 17:52:21 -08:00 · 7dbedacdff
commit 7dbedacdff
parent 833264bbe3
1 changed files with 13 additions and 0 deletions
--- a/infra/opentofu/aws/main.tf
+++ b/infra/opentofu/aws/main.tf
@ -134,6 +134,19 @@ data "aws_iam_policy_document" "ami_importer" {
    resources = [aws_s3_bucket.image_bucket.arn]
  }

+  # Needed so CI can manage the public PR-intent bucket (read/update bucket policy,
+  # public access block, versioning, encryption, etc.) during tofu apply.
+  statement {
+    sid = "PrIntentBucketManage"
+    actions = [
+      "s3:GetBucket*",
+      "s3:PutBucket*",
+      "s3:DeleteBucketPolicy",
+      "s3:ListBucket"
+    ]
+    resources = [aws_s3_bucket.pr_intent_public.arn]
+  }
+
  statement {
    sid = "ObjectReadWrite"
    actions = [