From 483ea83090a75a6b60d8c543dbf707adf06d7ef8 Mon Sep 17 00:00:00 2001
From: Riley Snyder
Date: Wed, 21 May 2025 08:54:26 -0500
Subject: [PATCH] separate out bucket permissions

---
 main.tf | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index f05b9f7..fa36dbc 100644
--- a/main.tf
+++ b/main.tf
@@ -89,18 +89,30 @@ resource "aws_iam_role_policy_attachment" "harness_ce_eventsmonitoring" {
 
 data "aws_iam_policy_document" "harness_billingmonitoring" {
   statement {
-    sid = "readBillingBucket"
+    sid = "getBillingBucket"
 
     effect = "Allow"
 
     actions = [
       "s3:GetBucketLocation",
-      "s3:ListBucket",
-      "s3:GetObject"
+      "s3:ListBucket"
     ]
 
     resources = [
       var.s3_bucket_arn,
+    ]
+  }
+
+statement {
+    sid = "readBillingObjects"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject"
+    ]
+
+    resources = [
       "${var.s3_bucket_arn}/*"
     ]
   }
@@ -117,7 +129,7 @@ data "aws_iam_policy_document" "harness_billingmonitoring" {
     ]
 
     resources = [
-      "arn:aws:s3:::${var.s3_bucket_name}*",
+      "arn:aws:s3:::${var.s3_bucket_name}",
       "arn:aws:s3:::${var.s3_bucket_name}/*"
     ]
   }
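Review bot: The added `statement {` block is written at column 0 while the sibling statement at the top of the hunk is indented two spaces, so the new block reads as if it were a top-level resource rather than part of `harness_billingmonitoring`; indenting it to `  statement {` (or running `terraform fmt`) keeps the document consistent. The split itself has the right shape: `s3:GetBucketLocation` and `s3:ListBucket` are bucket-level actions and `s3:GetObject` is object-level, so each statement now names only the resource type its actions apply to instead of granting object actions on the bucket ARN and bucket actions on the object wildcard. If the billing exports live under a fixed key prefix, the `getBillingBucket` statement could be narrowed further with an `s3:prefix` condition on `s3:ListBucket`, but whether such a prefix exists is not visible here.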
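Review bot: This statement builds its ARNs from `var.s3_bucket_name` while the `readBillingObjects` statement in the first hunk uses `var.s3_bucket_arn`; if both are meant to describe the same bucket, the two inputs can drift apart and one statement would silently scope to a different bucket, so deriving one from the other, for example `resources = [var.s3_bucket_arn, "${var.s3_bucket_arn}/*"]`, would keep a single source of truth. Whether the two variables are intended to name the same bucket cannot be confirmed from this diff. The enclosing statement begins outside the hunk, so its `sid` and `actions` are not in view.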