Fix CloudFront permissions policy

The cloudfront:ListDistributions action doesn't allow limiting by distribution: it only supports all or nothing. I misread the table of resource keys supported by actions. orz The actions that do support limiting by distribution require an explicit account id in the ARN. It can't be blank like S3; it must be an actual account id or a wildcard. ¹ <https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html#amazoncloudfront-ListDistributions> Related-to: <nextstrain/zika#59 (comment)>
nextstrain · Jun 3, 2024 · f7373a6 · f7373a6
1 parent 8dbbceb
commit f7373a6
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/env/production/aws-iam-policy-NextstrainPathogen@.tf b/env/production/aws-iam-policy-NextstrainPathogen@.tf
@@ -71,19 +71,26 @@ resource "aws_iam_policy" "NextstrainPathogen" {
         ],
       },
       {
-        "Sid": "CloudFront",
+        "Sid": "CloudFrontList",
         "Effect": "Allow",
         "Action": [
           "cloudfront:ListDistributions",
+        ],
+        "Resource": "*",
+      },
+      {
+        "Sid": "CloudFrontReadWrite",
+        "Effect": "Allow",
+        "Action": [
           "cloudfront:CreateInvalidation",
           "cloudfront:GetInvalidation",
         ],
         # XXX TODO: Import CloudFront resources into Terraform and pull their
         # IDs dynamically instead of hardcoding them here.
         #   -trs, 31 May 2024
         "Resource": [
-          "arn:aws:cloudfront:::distribution/E3LB0EWZKCCV",   # data.nextstrain.org
-          "arn:aws:cloudfront:::distribution/E3L83FTHWUN0BV", # staging.nextstrain.org
+          "arn:aws:cloudfront::827581582529:distribution/E3LB0EWZKCCV",   # data.nextstrain.org
+          "arn:aws:cloudfront::827581582529:distribution/E3L83FTHWUN0BV", # staging.nextstrain.org
         ],
       }
     ]