feat(syncer): account access control for distribution cache bucket (#585)

rlove · npalm · commit 05c1c11a6797 · 2021-03-09T10:17:29.000+01:00
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -123,10 +123,13 @@ resource "aws_s3_bucket_notification" "on_deploy" {
   depends_on = [aws_lambda_permission.on_deploy]
 }
 
+data "aws_caller_identity" "current" {}
+
 resource "aws_lambda_permission" "on_deploy" {
-  statement_id  = "AllowExecutionFromS3Bucket"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.syncer.arn
-  principal     = "s3.amazonaws.com"
-  source_arn    = aws_s3_bucket.action_dist.arn
+  statement_id   = "AllowExecutionFromS3Bucket"
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.syncer.arn
+  principal      = "s3.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+  source_arn     = aws_s3_bucket.action_dist.arn
 }
