S3 Read-Only Access

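module "s3_readonly_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "s3-readonly-access"
  policy_type = "iam"

  # Scopes the policy to S3.
  # NOTE(review): the module's docs are not visible here. It presumably grants
  # the service's actions and then subtracts denied_actions (a deny-list), so
  # "read-only" holds only as far as the list below is complete -- confirm
  # against the module, and prefer an explicit allow-list of read actions
  # (s3:GetObject, s3:ListBucket, ...) if the module supports one.
  allowed_services = ["s3"]

  # Mutating S3 actions a read-only policy must never grant. The previous
  # four-entry list left ACL, versioning, tagging, lifecycle, encryption and
  # multipart-upload writes uncovered, so it was not actually read-only.
  denied_actions = [
    # Object writes and deletes (including versioned objects)
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionAcl",
    "s3:PutObjectVersionTagging",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersionTagging",
    "s3:RestoreObject",
    "s3:ReplicateObject",
    "s3:AbortMultipartUpload",
    # Bucket creation/deletion and bucket-level configuration
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration",
    "s3:PutEncryptionConfiguration",
    "s3:PutBucketTagging"
  ]

  # Presumably limits the grant to the company-reports buckets: the first ARN
  # matches the buckets themselves (bucket-level actions such as ListBucket),
  # the second matches the objects inside them (object-level actions).
  resource_restrictions = {
    s3 = [
      "arn:aws:s3:::company-reports-*",
      "arn:aws:s3:::company-reports-*/*"
    ]
  }
}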

# Attach the generated policy to the data-analyst role
resource "aws_iam_role_policy_attachment" "analyst" {
  # Binds the module's policy ARN to aws_iam_role.data_analyst, which is
  # declared elsewhere in the configuration.
  policy_arn = module.s3_readonly_policy.policy_arn
  role       = aws_iam_role.data_analyst.name
}