From b7ee95f7bde0fa89c2827b365c1b2af17491bd49 Mon Sep 17 00:00:00 2001
From: Rohan Weeden
Date: Thu, 27 Jul 2023 11:59:26 -0400
Subject: [PATCH 1/2] Add distribution bucket policy resources
---
 CHANGELOG.md | 4 +++
 daac/distribution_bucket_policy.tf | 41 ++++++++++++++++++++++++++++++
 daac/variables.tf | 5 ++++
 3 files changed, 50 insertions(+)
 create mode 100644 daac/distribution_bucket_policy.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a03e65c..f07123f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # CHANGELOG
+## Unreleased
+
+* Add terraform resources to create bucket policies allowing CloudFront OAI's
+read access to distribution buckets.
 ## v17.0.0.0
 * Upgrade to [Cumulus v17.0.0](https://github.com/nasa/cumulus/releases/tag/v17.0.0)
diff --git a/daac/distribution_bucket_policy.tf b/daac/distribution_bucket_policy.tf
new file mode 100644
index 00000000..aa5b40a8
--- /dev/null
+++ b/daac/distribution_bucket_policy.tf
@@ -0,0 +1,41 @@
+data "aws_cloudfront_origin_access_identity" "distribution_cloudfront_oai" {
+ for_each = toset(values(var.distribution_bucket_oais))
+
+ id = each.key
+}
+
+data "aws_iam_policy_document" "distribution_bucket_policy_document" {
+ for_each = var.distribution_bucket_oais
+
+ statement {
+ actions = ["s3:GetObject"]
+ resources = ["arn:aws:s3:::${local.prefix}-${each.key}/*"]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn
+ ]
+ }
+ }
+
+ # Need ListBucket permissions so that missing keys will return 404 errors instead of 403
+ statement {
+ actions = ["s3:ListBucket"]
+ resources = ["arn:aws:s3:::${local.prefix}-${each.key}"]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn
+ ]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "distribution_bucket_policy" {
+ for_each = var.distribution_bucket_oais
+
+ bucket = "${local.prefix}-${each.key}"
+ policy = try(data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, null)
+}
diff --git a/daac/variables.tf b/daac/variables.tf
index 064a9d16..b0a0838b 100644
--- a/daac/variables.tf
+++ b/daac/variables.tf
@@ -36,6 +36,11 @@ variable "partner_bucket_names" {
 default = []
 }
+variable "distribution_bucket_oais" {
+ type = map(any)
+ default = {}
+}
+
 variable "s3_replicator_target_bucket" {
 type = string
 default = null
From 9eefee302fd7dde1bec12e4410a454edc211fbf0 Mon Sep 17 00:00:00 2001
From: "Lindsley, Chris"
Date: Wed, 23 Aug 2023 05:12:18 -0400
Subject: [PATCH 2/2] update CHANGELOG
---
 CHANGELOG.md | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f07123f4..c86d7a86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
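Review bot: The `s3:ListBucket` statement lets the OAI enumerate every key in the bucket, and when a CloudFront distribution has no default root object a request for `/` is answered with that listing rather than a 404, so the comment above the second `statement` should record the assumption, e.g. `# ListBucket also exposes the key listing at the distribution root unless the distribution sets a default root object - confirm before adding buckets here`; the distribution itself is not in this patch, so I cannot confirm it. `policy = try(..., null)` on `aws_s3_bucket_policy` does not buy anything: both `for_each` loops iterate the same `var.distribution_bucket_oais`, so the `[each.key]` lookup cannot miss, and `policy` is required so a null would be rejected anyway; `policy = data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json` says what is meant. `aws_s3_bucket_policy` manages the entire bucket policy, so any statements these distribution buckets already carry are replaced, which deserves a comment above the resource. The `arn:aws:s3:::` literals also hard-code the `aws` partition, which only matters if this module is ever deployed outside it.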
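Review bot: `type = map(any)` on `distribution_bucket_oais` accepts nested or non-string values, but the new policy file passes the values through `toset(values(...))` and uses each one as an OAI ID and map key, so a wrong shape only fails inside that lookup with an unhelpful message; `type = map(string)` rejects it at plan time. The variable also carries no `description`, and the key/value convention is only visible in another file, so I would add `description = "Map of distribution bucket name suffix (joined to local.prefix) to the CloudFront Origin Access Identity ID granted read access."`.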
@@ -1,15 +1,12 @@
 # CHANGELOG
-## Unreleased
-
-* Add terraform resources to create bucket policies allowing CloudFront OAI's
-read access to distribution buckets.
-
 ## v17.0.0.0
 * Upgrade to [Cumulus v17.0.0](https://github.com/nasa/cumulus/releases/tag/v17.0.0)
 * Upgrade terraform modules to use AWS provider version 5.0
 * Remove data-migration1 from repo
+* Add terraform resources to create bucket policies allowing CloudFront OAI's
+read access to distribution buckets.
 ## v16.0.0.0