Merge pull request #175 from dandi/embargoed-object-tags-2

Add bucket policy statement for embargoed objects
dandi · Apr 3, 2024 · afb577d · afb577d
2 parents 791ff4e + 6c4cad1
commit afb577d
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/terraform/modules/dandiset_bucket/main.tf b/terraform/modules/dandiset_bucket/main.tf
@@ -167,6 +167,33 @@ data "aws_iam_policy_document" "dandiset_bucket_policy" {
     }
   }
 
+  # Disallow access to embargoed objects, unless using the heroku user arn
+  dynamic "statement" {
+    for_each = var.public ? [1] : []
+
+    content {
+      effect = "Deny"
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+      actions = ["s3:*"]
+      resources = [
+        "${aws_s3_bucket.dandiset_bucket.arn}/*",
+      ]
+      condition {
+        test     = "StringEquals"
+        variable = "s3:ExistingObjectTag/embargoed"
+        values   = ["true"]
+      }
+      condition {
+        test     = "ArnNotEquals"
+        variable = "aws:PrincipalArn"
+        values   = [var.heroku_user.arn]
+      }
+    }
+  }
+
   dynamic "statement" {
     for_each = var.allow_cross_account_heroku_put_object ? [1] : []