OPS-6322 More strict access policy for S3 data source (#7)

data.tf

@@ -95,8 +95,10 @@ data "aws_iam_policy_document" "knowledgebase_permissions" {
   }
   statement {
     actions = ["s3:GetObject"]
-    resources = [
+    resources = var.s3_configuration.inclusion_prefixes == null ? [
       "${var.s3_configuration.bucket_arn}/*"
+      ] : [for prefix in var.s3_configuration.inclusion_prefixes :
+      "${var.s3_configuration.bucket_arn}/${prefix}*"
     ]
     condition {
       test     = "StringEquals"

variables.tf

@@ -54,6 +54,11 @@ variable "s3_configuration" {
     bucket_owner_account_id = optional(string)
     inclusion_prefixes      = optional(set(string))
   })
+
+  validation {
+    condition     = var.s3_configuration.inclusion_prefixes == null ? true : length(var.s3_configuration.inclusion_prefixes) == 1
+    error_message = "For now s3 data source support only one prefix."
+  }
 }
 
 variable "oss_collection_name" {