fix: correct permissions for write (#5)

nathanhruby · web-flow · commit 24f06ee42f85 · 2024-01-31T16:10:55.000-07:00
* fix: correct permissions for write

* ci: fix checkov wanring on actions
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -9,6 +9,8 @@ on:
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
 
+permissions: read-all
+
 jobs:
   collectInputs:
     name: Collect workflow inputs
diff --git a/.github/workflows/semantic-releaser.yml b/.github/workflows/semantic-releaser.yml
@@ -8,6 +8,8 @@ on:
       - '**.tf'
       - '!examples/**.tf'
 
+permissions: read-all
+
 jobs:
   release:
     name: Release
diff --git a/main.tf b/main.tf
@@ -91,7 +91,7 @@ data "aws_iam_policy_document" "bucket" {
       "s3:PutObject",
     ]
 
-    resources = [for o in var.account_trails : "${local.bucket_arn}/AWSLogs/${o.account}"]
+    resources = [for o in var.account_trails : "${local.bucket_arn}/AWSLogs/${o.account}/*"]
 
     condition {
       test     = "StringEquals"

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ data "aws_iam_policy_document" "bucket" {`
`91`	`91`	`"s3:PutObject",`
`92`	`92`	`]`
`93`	`93`
`94`		`- resources = [for o in var.account_trails : "${local.bucket_arn}/AWSLogs/${o.account}"]`
	`94`	`+ resources = [for o in var.account_trails : "${local.bucket_arn}/AWSLogs/${o.account}/*"]`
`95`	`95`
`96`	`96`	`condition {`
`97`	`97`	`test = "StringEquals"`