add permission needed by datadog for cache bucket

[bwmetcalf]

what

We are seeing security signals from Datadog indicating s3:ListBucket is needed by the role accessing the cache bucket created by module "tags_cache_s3_bucket" {}.

User: arn:aws:sts::*********:assumed-role/dev-global-datadog-logs/dev-global-datadog-logs is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::dev-global-datadog-logs-cache" because no identity-based policy allows the s3:ListBucket action

why

Ensure Datadog has permissions needed.

[bwmetcalf]

@Gowiem @nitrocode Could one of you take a look at this MR? Thanks!

[Gowiem]

/terratest

[bwmetcalf]

hi @Gowiem, thanks for thereview. It turns out datadog is now complaining about not being able to tag:GetResources so I've added this as well.

[bwmetcalf]

@Gowiem Any chance you could review this again. I added a new permission that datadog requires.

[nitrocode]

Is this the correct statement block to add this? From the problem statement, it doesn't seem like it's related to a forwarder, is it ?

[nitrocode]

It's interesting that this is also included in a statement block above if s3_logs_enabled is true. I wonder if this would be better to add to the new statement block for tag:GetResources ?

cc @Gowiem

[bwmetcalf]

The s3:ListBucket error we were getting was reported against the cache bucket, but given that the tag:GetResources applies to all resources it would work in either place, I think.

My fork with these changes seems to have addressed the issue, so I believe the resulting permissions are what we want. The updated permissions where applied to the IAM role in question.

[bwmetcalf]

I'll go through our use case again with this additional context and provide an update. Thanks for the feedback.