From 8dd98270d4e2bc0175c2ec12f08132eb93525200 Mon Sep 17 00:00:00 2001
From: Nathan Dister
Date: Thu, 6 Feb 2020 09:28:36 -0500
Subject: [PATCH] Fix issues with root ARN, cannot use ARN of group for key policy, reverting to list of users (#212)
---
 ops/terraform/modules/resources/s3_pii/main.tf | 4 ++--
 ops/terraform/modules/stateful/main.tf | 14 ++------------
 2 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/ops/terraform/modules/resources/s3_pii/main.tf b/ops/terraform/modules/resources/s3_pii/main.tf
index f57b9efc82..e785958984 100644
--- a/ops/terraform/modules/resources/s3_pii/main.tf
+++ b/ops/terraform/modules/resources/s3_pii/main.tf
@@ -18,7 +18,7 @@ resource "aws_kms_key" "pii_bucket_key" {
 name = var.pii_bucket_config.name
 admins = formatlist("%s", var.pii_bucket_config.admin_arns)
 roles = formatlist("%s", concat(var.pii_bucket_config.read_arns, var.pii_bucket_config.write_arns))
- root = data.aws_caller_identity.current.account_id
+ root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 })
 }
@@ -84,6 +84,6 @@ resource "aws_s3_bucket_policy" "pii_bucket_policy" {
 admins = formatlist("%s", var.pii_bucket_config.admin_arns)
 readers = formatlist("%s", var.pii_bucket_config.read_arns)
 writers = formatlist("%s", var.pii_bucket_config.write_arns)
- root = data.aws_caller_identity.current.account_id
+ root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 })
 }
\ No newline at end of file
diff --git a/ops/terraform/modules/stateful/main.tf b/ops/terraform/modules/stateful/main.tf
index 8d19ac37e4..9ab81315d4 100644
--- a/ops/terraform/modules/stateful/main.tf
+++ b/ops/terraform/modules/stateful/main.tf
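Review bot: Both hunks in this file now build the account root principal inline with the `aws` partition hard-coded, so the same key and bucket policy documents would render an invalid principal in a non-standard partition (GovCloud, China); building it once from `data "aws_partition" "current" {}` as `"arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"` in a local and referencing that local from both policy-document calls removes the duplication and the hard-coding, though whether `aws_partition` is already declared in this module is not visible here. The `root` line in the key policy also deserves a comment, since a `:root` principal in a KMS key policy is what lets the account's IAM policies grant use of the key, and the `admins`/`roles` lists therefore only restrict access together with the IAM side: `# account root principal: delegates key authorization to IAM policies in this account`. Both enclosing resource blocks start outside their hunks.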
@@ -508,18 +508,8 @@ resource "aws_iam_user_policy_attachment" "etl_rw_s3" {
 policy_arn = aws_iam_policy.etl_rw_s3.arn
 }
-# Admin group, S3 bucket, policy, and KMS key for medicare opt out data
+# S3 bucket, policy, and KMS key for medicare opt out data
 #
-resource "aws_iam_group" "medicare_opt_out_admins" {
- name = "bfd-${var.env_config.env}-medicare-opt-out-admins-group"
-}
-
-resource "aws_iam_group_membership" "medicare_opt_out_admins" {
- name = "bfd-${var.env_config.env}-medicare-opt-out-admins-membership"
- group = aws_iam_group.medicare_opt_out_admins.name
- users = var.medicare_opt_out_config.admin_users
-}
-
 module "medicare_opt_out" {
 source = "../resources/s3_pii"
 env_config = local.env_config
@@ -529,7 +519,7 @@ module "medicare_opt_out" {
 log_bucket = module.logs.id
 read_arns = var.medicare_opt_out_config.read_roles
 write_arns = var.medicare_opt_out_config.write_roles
- admin_arns = [aws_iam_group.medicare_opt_out_admins.arn]
+ admin_arns = var.medicare_opt_out_config.admin_users
 }
 }
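Review bot: `admin_arns` in the second hunk is now fed `var.medicare_opt_out_config.admin_users`, the same value the removed `aws_iam_group_membership` passed as `users`, an argument that takes IAM user names rather than ARNs; the `s3_pii` module formats `admin_arns` straight into its key and bucket policy documents, so unless the variable's declaration (outside this hunk) was changed to hold full ARNs, the rendered principals will be bare user names and the policies will not grant the intended users access. Either rename the argument to match what it now carries or map names to ARNs at the call site, e.g. `admin_arns = [for u in var.medicare_opt_out_config.admin_users : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${u}"]`, assuming an `aws_caller_identity` data source is available in this module. A comment above the module call would also stop a later maintainer from reintroducing the group: `# KMS key policies do not accept IAM group ARNs as principals; admins are listed per user`. The `module "medicare_opt_out"` block begins in the first hunk and ends in the second.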