From 1b7777eb1cf9b336073c4bb449411c1680ae36ba Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 4 Jun 2024 11:09:23 +0000 Subject: [PATCH 1/3] Add IRSA to airflow dev environment --- .../airflow/iam-policies.tf | 26 +++++++++++++++++++ .../airflow/iam-roles.tf | 23 ++++++++++++++++ .../airflow/kubernetes-service-accounts.tf | 9 +++++++ 3 files changed, 58 insertions(+) create mode 100644 terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf index 8c85a537ae..afb1b64272 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf @@ -261,6 +261,32 @@ data "aws_iam_policy_document" "airflow_dev_eks_assume_role_policy" { } +##### Airflow Dev IRSA +data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" { + statement { + sid = "" + effect = "Allow" + resources = [ + "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:airflow-monitoring/airflow-scheduling-testing/*", + "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:airflow-monitoring/" + ] + actions = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"] + } + +} + +module "airflow_dev_monitoring_iam_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "5.39.1" + + name = "airflow_dev_monitoring" + + policy = data.aws_iam_policy_document.airflow_dev_monitoring_inline_role_policy.json +} + + ############################ AIRFLOW PRODUCTION INFRASTRUCTURE data "aws_iam_policy_document" "airflow_prod_execution_assume_role_policy" { 
diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf index a0fb5b855a..7bc4bc4eb2 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/iam-roles.tf @@ -86,6 +86,29 @@ resource "aws_iam_role" "airflow_dev_eks_role" { ] } +#### Airflow Dev IRSA +module "airflow_dev_monitoring_iam_role" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "5.39.1" + + create_role = true + + role_name = "airflow-monitoring-dev" + + role_policy_arns = { + policy = module.airflow_dev_monitoring_iam_policy.arn + } + + oidc_providers = { + one = { + provider_arn = resource.aws_iam_openid_connect_provider.analytical_platform_development.arn + namespace_service_accounts = ["airflow:airflow"] + } + } +} + #################################################################################### ######################### AIRFLOW PRODUCTION INFRASTRUCTURE ######################## #################################################################################### diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf new file mode 100644 index 0000000000..5e757c7c3e --- /dev/null +++ b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf @@ -0,0 +1,9 @@ +resource "kubernetes_service_account" "airflow" { + metadata { + namespace = kubernetes_namespace.dev_airflow.metadata[0].name + name = "airflow" + annotations = { + "eks.amazonaws.com/role-arn" = "arn:aws:iam::593291632749:role/airflow_monitoring_dev" + } + } +} From e6e147421b954e316951466ddd57b9f9ba6dc4a8 Mon Sep 17 00:00:00 2001 
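Review bot: The trust for `airflow-monitoring-dev` is bound to `aws_iam_openid_connect_provider.analytical_platform_development`, but the `airflow:airflow` service account it is meant for is created in the `dev_airflow` namespace, which this series provisions through `kubernetes.dev-airflow-cluster`; IRSA only accepts tokens whose issuer is the OIDC provider named in the trust policy, so if that provider belongs to a different EKS cluster than `dev-airflow-cluster` the assume-role call from this pod will fail, while any `airflow:airflow` service account on the other cluster would be able to assume `airflow-monitoring-dev`. Worth confirming which cluster's issuer URL `analytical_platform_development` registers and recording it at the call site, e.g. `provider_arn = resource.aws_iam_openid_connect_provider.analytical_platform_development.arn # must be the OIDC issuer of dev-airflow-cluster`. The namespace-qualified `namespace_service_accounts = ["airflow:airflow"]` scoping is the right shape and should stay as tight as it is.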
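Review bot: `kubernetes_service_account.airflow` sets no `provider`, while the `dev_airflow` namespace it references is created with `provider = kubernetes.dev-airflow-cluster` elsewhere in this series; unless the unaliased `kubernetes` provider is also configured for that cluster, the service account will be created on whichever cluster the default provider targets, which is then not the cluster the role's OIDC trust is bound to. Add `provider = kubernetes.dev-airflow-cluster` as the first line inside the resource, matching the namespace resources. The hard-coded account id and the `airflow_monitoring_dev` role name, which does not match the module's `airflow-monitoring-dev`, are replaced by the module output in the next commit of the series, so only the provider point remains open.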
From: Anthony Fitzroy Date: Tue, 4 Jun 2024 13:29:36 +0000 Subject: [PATCH 2/3] fixed s3 arns and removed hard-coding --- .../airflow/iam-policies.tf | 4 ++-- .../airflow/kubernetes-service-accounts.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf index afb1b64272..589a30b838 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf @@ -267,8 +267,8 @@ data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" { sid = "" effect = "Allow" resources = [ - "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:airflow-monitoring/airflow-scheduling-testing/*", - "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:airflow-monitoring/" + "arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*", + "arn:aws:s3:::airflow-monitoring/" ] actions = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"] } diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf index 5e757c7c3e..aef4adb283 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-service-accounts.tf @@ -3,7 +3,7 @@ resource "kubernetes_service_account" "airflow" { namespace = kubernetes_namespace.dev_airflow.metadata[0].name name = "airflow" annotations = { - "eks.amazonaws.com/role-arn" = "arn:aws:iam::593291632749:role/airflow_monitoring_dev" + "eks.amazonaws.com/role-arn" = module.airflow_dev_monitoring_iam_role.iam_role_arn } } } From f2154409f40ffe4f5c3d88119aac8e2eb3b8a6c6 Mon Sep 17 00:00:00 2001 
From: Anthony Fitzroy Date: Tue, 4 Jun 2024 15:04:35 +0000 Subject: [PATCH 3/3] update policy statements, split out namespaces --- .../airflow/eks.tf | 58 ------------------- .../airflow/iam-policies.tf | 30 ++++++++-- .../airflow/kubernetes-namespaces.tf | 58 +++++++++++++++++++ 3 files changed, 82 insertions(+), 64 deletions(-) create mode 100644 terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf diff --git a/terraform/aws/analytical-platform-data-production/airflow/eks.tf b/terraform/aws/analytical-platform-data-production/airflow/eks.tf index 81222f364f..59c3c0d8c2 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/eks.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/eks.tf @@ -145,19 +145,6 @@ resource "aws_eks_node_group" "new_dev_node_group_high_memory" { } } -resource "kubernetes_namespace" "dev_kube2iam" { - provider = kubernetes.dev-airflow-cluster - metadata { - annotations = { - "iam.amazonaws.com/allowed-roles" = jsonencode(["*"]) - } - labels = { - "app.kubernetes.io/managed-by" = "terraform" - } - name = "kube2iam-system" - } - timeouts {} -} resource "kubernetes_config_map" "dev_aws_auth_configmap" { provider = kubernetes.dev-airflow-cluster 
@@ -175,51 +162,6 @@ resource "kubernetes_config_map" "dev_aws_auth_configmap" { } -resource "kubernetes_namespace" "dev_airflow" { - provider = kubernetes.dev-airflow-cluster - metadata { - - name = "airflow" - annotations = { - "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"]) - } - labels = { - "app.kubernetes.io/managed-by" = "Terraform" - } - } - timeouts {} -} - -resource "kubernetes_namespace" "kyverno_dev" { - provider = kubernetes.dev-airflow-cluster - metadata { - name = "kyverno" - labels = { - "app.kubernetes.io/managed-by" = "Terraform" - } - } - timeouts {} -} - -resource "kubernetes_namespace" "cluster_autoscaler_system" { - provider = kubernetes.dev-airflow-cluster - metadata { - name = "cluster-autoscaler-system" - annotations = { - "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"]) - } - labels = { - "app.kubernetes.io/managed-by" = "Terraform" - } - } - timeouts {} -} - -moved { - from = kubernetes_namespace.cluster-autoscaler-system - to = kubernetes_namespace.cluster_autoscaler_system -} - ###################################### ########### EKS PRODUCTION ########### ###################################### diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf index 589a30b838..45de78072d 100644 --- a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf +++ b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf 
@@ -264,15 +264,33 @@ data "aws_iam_policy_document" "airflow_dev_eks_assume_role_policy" { ##### Airflow Dev IRSA data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" { statement { - sid = "" - effect = "Allow" - resources = [ - "arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*", - "arn:aws:s3:::airflow-monitoring/" + sid = "readwrite" + actions = [ + "s3:GetObject", + "s3:GetObjectAcl", + "s3:GetObjectVersion", + "s3:GetObjectTagging", + "s3:DeleteObject", + "s3:DeleteObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:PutObjectTagging", + "s3:RestoreObject" ] - actions = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"] + effect = "Allow" + resources = ["arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*"] } + statement { + sid = "list" + actions = [ + "s3:ListBucket", + "s3:ListAllMyBuckets", + "s3:GetBucketLocation" + ] + effect = "Allow" + resources = ["arn:aws:s3:::airflow-monitoring/"] + } } module "airflow_dev_monitoring_iam_policy" { diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf new file mode 100644 index 0000000000..83082520d3 --- /dev/null +++ b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf 
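Review bot: The `list` statement's resource `arn:aws:s3:::airflow-monitoring/` keeps the trailing slash from the previous commit, and a bucket ARN with a trailing slash matches neither the bucket itself nor any object, so `s3:ListBucket` and `s3:GetBucketLocation` will be denied for this role; the ARN should be `arn:aws:s3:::airflow-monitoring`. `s3:ListAllMyBuckets` is only evaluated against resource `"*"`, so listed against a bucket ARN it grants nothing and can be dropped. Separately, the object actions are scoped to the `airflow-scheduling-testing/` prefix but `s3:ListBucket` on the bucket enumerates every key in it, so an `s3:prefix` condition keeps listing to the same prefix; `s3:GetBucketLocation` does not carry that key and belongs in its own statement so the condition does not deny it. Whether the monitoring job ever lists without a prefix should be checked before the condition goes in.
```hcl
  # … unchanged: "readwrite" object statement …

  statement {
    sid       = "list"
    actions   = ["s3:ListBucket"]
    effect    = "Allow"
    resources = ["arn:aws:s3:::airflow-monitoring"]

    # ListBucket is bucket-wide; confine it to the prefix the object statement grants
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["airflow-scheduling-testing/*"]
    }
  }

  statement {
    sid       = "location"
    actions   = ["s3:GetBucketLocation"]
    effect    = "Allow"
    resources = ["arn:aws:s3:::airflow-monitoring"]
  }
```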
@@ -0,0 +1,58 @@ +resource "kubernetes_namespace" "dev_kube2iam" { + provider = kubernetes.dev-airflow-cluster + metadata { + annotations = { + "iam.amazonaws.com/allowed-roles" = jsonencode(["*"]) + } + labels = { + "app.kubernetes.io/managed-by" = "terraform" + } + name = "kube2iam-system" + } + timeouts {} +} + +resource "kubernetes_namespace" "dev_airflow" { + provider = kubernetes.dev-airflow-cluster + metadata { + + name = "airflow" + annotations = { + "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"]) + } + labels = { + "app.kubernetes.io/managed-by" = "Terraform" + } + } + timeouts {} +} + +resource "kubernetes_namespace" "kyverno_dev" { + provider = kubernetes.dev-airflow-cluster + metadata { + name = "kyverno" + labels = { + "app.kubernetes.io/managed-by" = "Terraform" + } + } + timeouts {} +} + +resource "kubernetes_namespace" "cluster_autoscaler_system" { + provider = kubernetes.dev-airflow-cluster + metadata { + name = "cluster-autoscaler-system" + annotations = { + "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"]) + } + labels = { + "app.kubernetes.io/managed-by" = "Terraform" + } + } + timeouts {} +} + +moved { + from = kubernetes_namespace.cluster-autoscaler-system + to = kubernetes_namespace.cluster_autoscaler_system +}