Combine policies for system bucket

Combine separate policies for the system bucket into a single policy.
The separate policies were causing the last policy to "win," thus
clobbering any previously set policies.

app/stacks/cumulus/iam.tf

@@ -16,24 +16,6 @@ locals {
   default_elb_account_id = "797873946194"
 }
 
-# <% if !in_sandbox? then %>
-data "aws_iam_policy_document" "allow_s3_access_logging" {
-  statement {
-    sid    = "AllowS3AccessLogging"
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["logging.s3.amazonaws.com"]
-    }
-    actions = [
-      "s3:PutObject",
-      "s3:PutObjectAcl"
-    ]
-    resources = ["arn:aws:s3:::${var.system_bucket}/*"]
-  }
-}
-# <% end %>
-
 #-------------------------------------------------------------------------------
 # Additional permissions required in order to allow Step Functions to include
 # Distributed Map states.  This is what allows us to sidestep the 25,000 event-
@@ -75,14 +57,28 @@ resource "aws_iam_role_policy_attachment" "allow_sfn_distributed_maps" {
 }
 
 #-------------------------------------------------------------------------------
-# Additional policy required on the system bucket as per ORCA v8.0.0.
+# Additional policy for system bucket
 #
 # See also:
 # - https://github.com/nasa/cumulus-orca/releases/tag/v8.0.0
 # - https://nasa.github.io/cumulus-orca/docs/developer/deployment-guide/deployment-s3-bucket#bucket-policy-for-load-balancer-server-access-logging
 #-------------------------------------------------------------------------------
 
-data "aws_iam_policy_document" "allow_load_balancer_s3_write_access" {
+data "aws_iam_policy_document" "system_bucket" {
+  statement {
+    sid    = "AllowS3AccessLogging"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectAcl"
+    ]
+    resources = ["arn:aws:s3:::${var.system_bucket}/*"]
+  }
+
   statement {
     effect  = "Allow"
     actions = ["s3:PutObject"]
@@ -99,7 +95,7 @@ data "aws_iam_policy_document" "allow_load_balancer_s3_write_access" {
 }
 
 # Attach policy above to the system bucket
-resource "null_resource" "allow_load_balancer_s3_write_access" {
+resource "null_resource" "attach_system_bucket_policy" {
   triggers = {
     buckets = var.system_bucket
   }
@@ -113,7 +109,7 @@ resource "null_resource" "allow_load_balancer_s3_write_access" {
     command     = <<-COMMAND
       aws s3api put-bucket-policy \
         --bucket ${var.system_bucket} \
-        --policy '${data.aws_iam_policy_document.allow_load_balancer_s3_write_access.json}'
+        --policy '${data.aws_iam_policy_document.system_bucket.json}'
     COMMAND
   }
 }

app/stacks/cumulus/main.tf

@@ -73,27 +73,6 @@ data "archive_file" "lambda" {
 # RESOURCES
 #-------------------------------------------------------------------------------
 
-# <% if !in_sandbox? then %>
-resource "null_resource" "allow_s3_access_logging" {
-  triggers = {
-    buckets = var.system_bucket
-  }
-
-  # Since we do not have Terraform configured to manage our buckets, we cannot
-  # ask Terraform to put any policies on the buckets, so we're calling out to
-  # the AWS CLI to put the desired policy on our "system" (internal) bucket to
-  # allow S3 access logs to be written to it.
-  provisioner "local-exec" {
-    interpreter = ["bash", "-c"]
-    command     = <<-COMMAND
-      aws s3api put-bucket-policy \
-        --bucket ${var.system_bucket} \
-        --policy '${data.aws_iam_policy_document.allow_s3_access_logging.json}'
-    COMMAND
-  }
-}
-# <% end %>
-
 # <% if !in_sandbox? then %>
 resource "null_resource" "put_bucket_logging" {
   for_each = toset(concat(local.protected_bucket_names, local.public_bucket_names))