From feccdfa337cc73a927330ec62d16d1c0d4ef4e24 Mon Sep 17 00:00:00 2001
From: Thomas Sibley
Date: Mon, 3 Jun 2024 11:36:06 -0700
Subject: [PATCH] =?UTF-8?q?Allow=20pathogen=20workflows=20to=20perform=20C?=
 =?UTF-8?q?loudFront=20invalidations=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…for the {data,staging}.nextstrain.org distributions. This is a more tightly scoped policy than the policy often used, "AllowCloudfrontInvalidations". I think that policy is too broad but don't want to change it directly out of concerns for off-target effects.
---
 .../aws-iam-policy-NextstrainPathogen@.tf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/env/production/aws-iam-policy-NextstrainPathogen@.tf b/env/production/aws-iam-policy-NextstrainPathogen@.tf
index 384dc9c..e65f299 100644
--- a/env/production/aws-iam-policy-NextstrainPathogen@.tf
+++ b/env/production/aws-iam-policy-NextstrainPathogen@.tf
@@ -70,6 +70,22 @@ resource "aws_iam_policy" "NextstrainPathogen" {
 "arn:aws:s3:::nextstrain-staging/files/datasets/${each.key}/*",
 ],
 },
+ {
+ "Sid": "CloudFront",
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:ListDistributions",
+ "cloudfront:CreateInvalidation",
+ "cloudfront:GetInvalidation",
+ ],
+ # XXX TODO: Import CloudFront resources into Terraform and pull their
+ # IDs dynamically instead of hardcoding them here.
+ # -trs, 31 May 2024
+ "Resource": [
+ "arn:aws:cloudfront:::distribution/E3LB0EWZKCCV", # data.nextstrain.org
+ "arn:aws:cloudfront:::distribution/E3L83FTHWUN0BV", # staging.nextstrain.org
+ ],
+ }
 ]
 })
 }
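Review bot: `cloudfront:ListDistributions` in the added `CloudFront` statement is not actually granted as written, because that action has no resource type in the IAM service authorization reference and is only honoured when the statement's `Resource` is `"*"`; with the resource narrowed to the two distribution ARNs the workflow's list call will be denied while the invalidation calls succeed. Split the statement so the list action is on `"*"` and `CreateInvalidation`/`GetInvalidation` keep the two distribution ARNs, which preserves the tighter scope the commit description is after without widening the invalidation grant. Separately, CloudFront distribution ARNs carry the account ID in the fourth field (`arn:aws:cloudfront::ACCOUNT_ID:distribution/ID`), so whether the empty field in `arn:aws:cloudfront:::distribution/E3LB0EWZKCCV` matches a real distribution ARN is worth confirming with IAM Access Analyzer or a policy simulation before relying on it; the account ID (or `*`) in that field is the unambiguous form. The enclosing `aws_iam_policy` resource and its `jsonencode` call begin before this hunk.

```terraform
# … unchanged: S3 statements above …
{
  "Sid": "CloudFrontList",
  "Effect": "Allow",
  # ListDistributions supports no resource-level scoping; it must be on "*".
  "Action": ["cloudfront:ListDistributions"],
  "Resource": "*",
},
{
  "Sid": "CloudFrontInvalidate",
  "Effect": "Allow",
  "Action": [
    "cloudfront:CreateInvalidation",
    "cloudfront:GetInvalidation",
  ],
  # … unchanged: XXX TODO comment and the two-distribution "Resource" list …
}
```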