Revert bucket policies for Discourse

2017-05-30 11:44:56 +01:00 · 2017-05-30 11:44:56 +01:00 · a9bef7fd97
--- a/discourse.tf
+++ b/discourse.tf
@ -8,8 +8,6 @@ module "discourse-production" {
    elasticache_subnet_group            = "${aws_elasticache_subnet_group.elasticache-production-subnet-group.name}"
    fqdn                                = "discourse.mozilla-community.org"
    ssl_certificate                     = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
-    aws_account_id                      = "${var.aws_account_id}"
-    InfosecSecurityAuditRole_uid        = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }

 module "discourse-staging" {
@ -22,6 +20,4 @@ module "discourse-staging" {
    elasticache_subnet_group            = "${aws_elasticache_subnet_group.elasticache-staging-subnet-group.name}"
    fqdn                                = "discourse.staging.paas.mozilla.community"
    ssl_certificate                     = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
-    aws_account_id                      = "${var.aws_account_id}"
-    InfosecSecurityAuditRole_uid        = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }
--- a/modules/discourse/main.tf
+++ b/modules/discourse/main.tf
@ -5,8 +5,6 @@ variable "service_security_group_id" {}
 variable "environment" {}
 variable "fqdn" {}
 variable "ssl_certificate" {}
-variable "aws_account_id" {}
-variable "InfosecSecurityAuditRole_uid" {}

 resource "aws_security_group" "discourse-redis-sg" {
    name                     = "discourse-redis-shared-sg"
@ -71,58 +69,6 @@ resource "aws_s3_bucket" "discourse-content" {
    }
 }

-data "aws_iam_policy_document" "discourse-content-policy" {
-  statement {
-    sid = "1"
-    effect = "Allow"
-    actions = [
-      "s3:*",
-    ]
-    principals = {
-        type = "AWS"
-        identifiers = [
-            "arn:aws:iam::${var.aws_account_id}:user/discourse-${var.environment}-ses-s3",
-        ]
-    }
-    resources = [
-      "${aws_s3_bucket.discourse-content.arn}",
-      "${aws_s3_bucket.discourse-content.arn}/*",
-    ]
-  }
-
-  statement {
-    effect = "Deny"
-    actions = [
-      "s3:*",
-    ]
-
-    principals {
-        type = "AWS"
-        identifiers = ["*"]
-    }
-
-    condition {
-        test = "StringNotLike"
-        variable = "aws:userId"
-        values = [
-            "${var.InfosecSecurityAuditRole_uid}:*",
-            "${var.aws_account_id}"
-        ]
-    }
-
-    resources = [
-      "${aws_s3_bucket.discourse-content.arn}",
-      "${aws_s3_bucket.discourse-content.arn}/*",
-    ]
-  }
-}
-
-
-resource "aws_s3_bucket_policy" "discourse-content-policy-attachment" {
-  bucket = "${aws_s3_bucket.discourse-content.id}"
-  policy = "${data.aws_iam_policy_document.discourse-content-policy.json}"
-}
-
 module "discourse-cdn" {
  source              = "git://github.com/mozilla/partinfra-terraform-cloudfrontssl.git"