#------------------------------------------------------------------------------------------
# For feedmgmt
#------------------------------------------------------------------------------------------

# Policy document: allows fetching objects, including specific object versions, from the
# xdr-codebuild-artifacts bucket. No write, delete or list actions are granted.
data "aws_iam_policy_document" "mdr_feedmgmt_s3access" {
  statement {
    sid     = "S3BucketAccess"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:GetObjectVersion"]

    # Scope: every object key in the one named bucket ("/*" is an object-key wildcard, not a
    # bucket wildcard). local.aws_partition is defined outside this section; presumably it
    # selects the ARN partition - confirm.
    # NOTE(review): the suppression below carries no owner or expiry date, so the promised
    # lockdown is easy to lose track of. Narrowing the ARN to the key prefix(es) feedmgmt
    # actually reads would let the suppression be removed.
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    resources = ["arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*"]
  }
}

# Customer-managed policy wrapping the document above, created under the /user/ IAM path.
# Nothing in this section attaches it to a user, group or role.
resource "aws_iam_policy" "mdr_feedmgmt_s3access" {
  name   = "mdr_feedmgmt_s3access"
  path   = "/user/"
  policy = data.aws_iam_policy_document.mdr_feedmgmt_s3access.json
}