
Adding KMS policy to try to solve access errors
Backed off the AWS v4 Terraform provider

tag v4.0.7

Duane Waddle před 3 roky
rodič
revize
75857a5e2d

+ 1 - 0
base/codebuild_ecr_base/kms.tf

@@ -20,6 +20,7 @@ data "aws_iam_policy_document" "codebuild_kms_key_encryption_policy" {
     principals {
       type = "AWS"
       identifiers = [ 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_feedmgmt_readonly",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
         ]
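Review bot: Adding `mdr_feedmgmt_readonly` to the same statement as `mdr_terraformer` and `MDRAdmin` gives a read-only role whatever this statement's `actions` allow — the statement name suggests encryption-side permissions, but the actions are outside the hunk, so that is inferred rather than seen. If the role only needs to read objects SSE-KMS-encrypted under this key, it needs `kms:Decrypt` (plus `kms:DescribeKey`) and nothing more, and should get its own narrower statement instead of sharing the admin/terraformer one. The commit message describes this as an attempt to fix access errors; confirm the actual denied call (for example the `kms:Decrypt` AccessDenied in CloudTrail) before widening the key policy. The enclosing `data "aws_iam_policy_document"` block starts and ends outside the hunk, so the separate statement below would be inserted alongside the existing one and the principal added here dropped from it.
```hcl
  # … unchanged: existing encryption statement for mdr_terraformer / MDRAdmin …

  # Narrow, read-side grant for the read-only consumer of this key.
  statement {
    sid       = "AllowFeedmgmtReadonlyDecrypt"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_feedmgmt_readonly"]
    }
  }
```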

+ 20 - 20
base/codebuild_ecr_base/s3.tf

@@ -1,24 +1,24 @@
 #S3 bucket for codebuild output
-resource "aws_s3_bucket" "artifacts" {
-  bucket        = "xdr-codebuild-artifacts"
-  force_destroy = true
-}
+#resource "aws_s3_bucket" "artifacts" {
+# bucket        = "xdr-codebuild-artifacts"
+#  force_destroy = true
+#}
 
-resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
-  bucket = aws_s3_bucket.artifacts.id
-  acl    = "private"
-}
+#resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
+#  bucket = aws_s3_bucket.artifacts.id
+#  acl    = "private"
+#}
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
-  bucket = aws_s3_bucket.artifacts.id
-  
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
-      sse_algorithm     = "aws:kms"
-      }
-    }
-}
+#resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
+#  bucket = aws_s3_bucket.artifacts.id
+#  
+#  rule {
+#    apply_server_side_encryption_by_default {
+#      kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
+#      sse_algorithm     = "aws:kms"
+#      }
+#    }
+#}
 
 resource "aws_s3_bucket_policy" "artifacts" {
   bucket = aws_s3_bucket.artifacts.id
@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "artifacts" {
 }
 
 //AWS Provider outdated arguments <4.4.0
-/*resource "aws_s3_bucket" "artifacts" {
+resource "aws_s3_bucket" "artifacts" {
   bucket        = "xdr-codebuild-artifacts"
   force_destroy = true
   acl           = "private"
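Review bot: The restored inline `acl = "private"` (and, judging by the nested closers in the next hunk, an inline `server_side_encryption_configuration`) only stays valid if the provider is actually held below 4.0, and nothing in this diff changes a `required_providers` constraint — a later `terraform init -upgrade` will pull 4.x again and these arguments go back to being deprecated or rejected, silently dropping the bucket's ACL and encryption settings from Terraform's management. Pin the provider explicitly, e.g. `version = "~> 3.0"` in the `aws` entry of `required_providers`, and update the `//AWS Provider outdated arguments <4.4.0` comment so it states the constraint that is actually enforced. The `#`-commented 4.x resources above are dead code that git history already preserves; delete them rather than leave two definitions of the same bucket in the file. The `aws_s3_bucket_policy` still references `aws_s3_bucket.artifacts.id`, which now resolves to this restored resource; the resource's body continues past the end of the hunk.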
@@ -53,4 +53,4 @@ data "aws_iam_policy_document" "artifacts" {
     }
   }
 }
-*/
+

+ 4 - 0
submodules/iam/common_services_roles/role-mdr_feedmgmt_readonly.tf

@@ -20,3 +20,7 @@ resource "aws_iam_role_policy_attachment" "mdr_feedmgmt_readonly_ViewOnlyAccess"
   policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
 }
 
+resource "aws_iam_role_policy_attachment" "mdr_feedmgmt_readonly_s3access" {
+  role       = module.role-mdr_engineer_readonly.name
+  policy_arn = module.standard_iam_policies.arns["mdr_feedmgmt_s3access"]
+}
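Review bot: The new attachment binds the policy to `module.role-mdr_engineer_readonly.name`, although the file and the resource name (`mdr_feedmgmt_readonly_s3access`) are about the feedmgmt read-only role — this looks like a copy-paste slip, which would leave `mdr_feedmgmt_readonly` still without the S3 grant that the KMS change in this commit is preparing for, while handing the engineer read-only role S3 object-read access nobody asked for. Point it at the feedmgmt role, `role = module.role-mdr_feedmgmt_readonly.name`, taking the exact module name from the `ViewOnlyAccess` attachment above (its `role` line sits outside the hunk, so it cannot be confirmed here). A one-line comment on the attachment naming which bucket or prefix `mdr_feedmgmt_s3access` is meant to cover would also help, since the policy document lives in a different submodule.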

+ 0 - 1
submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf

@@ -8,7 +8,6 @@ data "aws_iam_policy_document" "mdr_feedmgmt_s3access" {
     actions = [
 			"s3:GetObject",
 			"s3:GetObjectVersion",
-			"s3:PutObject",
     ]
 
     resources = [