fix: Add IAM policy for access to the exports bucket.

Author: jamesiarmes

.github/actions/setup-opentofu/action.yaml

@@ -24,6 +24,8 @@ runs:
       run: tofu version
     - name: Set optional variables
       shell: bash
+      env:
+        TF_VAR_REGION: ${{ env.AWS_REGION }}
       # For any of the defined variables that have a value set into TF_VAR_*
       # (all uppercase), we set the corresponding TF_VAR_* (lowercase) variable
       # that OpenTofu expects.
@@ -34,7 +36,7 @@ runs:
           "database_skip_final_snapshot" "deletion_protection"
           "deployment_environments" "environment" "export_expiration"
           "image_tags_mutable" "key_recovery_period" "log_level" "program"
-          "project" "repository"
+          "project" "region" "repository"
         )
         for var in ${variables[@]}; do
           name="TF_VAR_$(echo $var | tr '[:lower:]' '[:upper:]')"

.github/workflows/deploy.yaml

@@ -66,6 +66,7 @@ jobs:
     needs: plan
     environment: ${{ inputs.environment || 'development' }}
     env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
       TF_VAR_image_tag: ${{ inputs.image_tag || github.sha }}
       # Set required variables.
       TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}

.github/workflows/launch-tools.yaml

@@ -26,6 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
       # Set required variables.
       TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
       TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}

tofu/modules/system/templates/exports-access-policy.yaml.tftpl

@@ -12,4 +12,4 @@ Statement:
     Action:
       - s3:PutObject
     Resource:
-      - "${bucket_arn}:*"
+      - "${bucket_arn}/*"