Fixing broken cloudwatch log permissions

terraform/lambda.tf

@@ -33,11 +33,10 @@ EOF
 # -----------------------------------------------------------------------------------------------------------
 # IAM Role for Log Parsing Lambda
 
-data "aws_iam_policy_document" "s3_bucket_readonly" {
+data "aws_iam_policy_document" "s3_bucket_access" {
   statement {
     actions = [
-      "s3:Get*",
+      "s3:*",
-      "s3:List*",
     ]
 
     resources = [
@@ -80,6 +79,7 @@ resource "aws_iam_role_policy_attachment" "ipixel_parser" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+
 resource "aws_iam_role_policy" "ipixel_parser_cloudwatch_log_group" {
   name   = "cloudwatch-log-group"
   role   = aws_iam_role.ipixel_parser.name
@@ -89,5 +89,5 @@ resource "aws_iam_role_policy" "ipixel_parser_cloudwatch_log_group" {
 resource "aws_iam_role_policy" "lambda_s3_bucket_readonly" {
   name   = "s3-bucket-readonly"
   role   = aws_iam_role.ipixel_parser.name
-  policy = data.aws_iam_policy_document.s3_bucket_readonly.json
+  policy = data.aws_iam_policy_document.s3_bucket_access.json
 }

terraform/tracking.tf

@@ -30,9 +30,25 @@ resource "aws_s3_bucket_object" "ipixel" {
   content_type = "image/gif"
 }
 
+data "aws_canonical_user_id" "current" {}
+
 resource "aws_s3_bucket" "ipixel_logs" {
   bucket = "${var.site}-analytics"
 
+  grant {
+    id          = data.aws_canonical_user_id.current.id
+    permissions = ["FULL_CONTROL"]
+    type        = "CanonicalUser"
+  }
+
+  grant {
+    # Grant CloudFront awslogsdelivery logs access to your Amazon S3 Bucket
+    # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
+    id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+    permissions = ["FULL_CONTROL"]
+    type        = "CanonicalUser"
+  }
+
   lifecycle_rule {
     id      = "logfiles"
     enabled = true