Merge pull request #2202 from vrk-kpa/AV-2006_allow_cron_container_to…

…_upload_to_s3_bucket AV-2006: Allow cron container to upload files to s3
vrk-kpa · Apr 10, 2024 · ae63123 · ae63123
2 parents 6965635 + 2ff0291
commit ae63123
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/cdk/lib/ckan-stack.ts b/cdk/lib/ckan-stack.ts
@@ -361,6 +361,9 @@ export class CkanStack extends Stack {
       ckanContainerEnv['RECAPTCHA_PRIVATE_KEY'] = '';
     }
 
+    // implemented on following if-block and used later in another if block
+    let ckanTaskPolicyAllowCloudstorage;
+
     if (props.cloudstorageEnabled) {
       // get params
       const pCkanCloudstorageDriver = ssm.StringParameter.fromStringParameterAttributes(this, 'pCkanCloudstorageDriver', {
@@ -380,7 +383,7 @@ export class CkanStack extends Stack {
       ckanContainerEnv['CKAN_CLOUDSTORAGE_AWS_USE_BOTO3_SESSIONS'] = '1';
       ckanContainerEnv['CKAN_CLOUDSTORAGE_DRIVER_OPTIONS'] = '';
 
-      const ckanTaskExecPolicyAllowCloudstorage = new iam.PolicyStatement({
+      ckanTaskPolicyAllowCloudstorage = new iam.PolicyStatement({
         actions: ['*'],
         resources: [
           `arn:aws:s3:::${pCkanCloudstorageContainerName.stringValue}`,
@@ -389,7 +392,7 @@ export class CkanStack extends Stack {
         effect: iam.Effect.ALLOW,
       });
 
-      ckanTaskDef.addToTaskRolePolicy(ckanTaskExecPolicyAllowCloudstorage);
+      ckanTaskDef.addToTaskRolePolicy(ckanTaskPolicyAllowCloudstorage);
     } else {
       ckanContainerEnv['CKAN_CLOUDSTORAGE_ENABLED'] = 'false';
       ckanContainerEnv['CKAN_CLOUDSTORAGE_DRIVER'] = '';
@@ -573,6 +576,9 @@ export class CkanStack extends Stack {
       });
 
       ckanCronTaskDef.addToTaskRolePolicy(ckanTaskPolicyAllowExec);
+      if (props.cloudstorageEnabled) {
+        ckanCronTaskDef.addToTaskRolePolicy(ckanTaskPolicyAllowCloudstorage!)
+      }
 
       ckanCronTaskDef.addToExecutionRolePolicy(new PolicyStatement({
         effect: Effect.ALLOW,