feat: Allow GetObjectAcl on S3 to s3-access-role

Author: Mykhailo Babych

main.tf

@@ -139,6 +139,17 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
     actions   = ["s3:DeleteObject"]
     resources = ["arn:aws:s3:::${each.value}/*"]
   }
+
+  statement {
+    sid    = "AllowGetObjectAclForGitlabRole"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [module.gitlab_role.iam_role_arn]
+    }
+    actions   = ["s3:GetObjectAcl"]
+    resources = ["arn:aws:s3:::${each.value}/*"]
+  }
 }
 
 module "s3_bucket" {