From 43d1c7448b18e0710e6b4d190f8896dfcca1478e Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Wed, 2 Oct 2024 08:45:54 +0100
Subject: [PATCH 1/8] Fixed some spelling errors. Added textract policy for apps
---
 .../tooling-integration-iam-policies.tf | 2 +-
 .../tooling-integration-iam-policies.tf | 59 ++++++++++++++++++-
 2 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/terraform/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf
index b077de0177..6cca2dc5bb 100644
--- a/terraform/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf
@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "bedrock_integration" {
 #checkov:skip=CKV_AWS_111: This is a service policy
 #checkov:skip=CKV_AWS_356: Needs to access multiple resources
 statement {
- sid = "AnalyticalPlatformBedrockIntegrtion"
+ sid = "AnalyticalPlatformBedrockIntegration"
 effect = "Allow"
 actions = [
 "bedrock:ListFoundationModels",
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index 8b0f86b5e7..625f4ffb64 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "bedrock_integration" {
 #checkov:skip=CKV_AWS_111: This is a service policy
 #checkov:skip=CKV_AWS_356: Needs to access multiple resources
 statement {
- sid = "AnalyticalPlatformBedrockIntegrtion"
+ sid = "AnalyticalPlatformBedrockIntegration"
 effect = "Allow"
 actions = [
@@ -68,8 +68,65 @@ data "aws_iam_policy_document" "bedrock_integration" {
 }
 }
 
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "textract_integration" {
+ #checkov:skip=CKV_AWS_111: This is a service policy
+ #checkov:skip=CKV_AWS_356: Needs to access multiple resources
+ statement {
+ sid = "AnalyticalPlatformTextractIntegration"
+ effect = "Allow"
+
+ actions = [
+ "textract:AnalyzeDocument",
+ "textract:DetectDocumentText",
+ "textract:GetDocumentAnalysis",
+ "textract:GetLendingAnalysis",
+ "textract:ListAdapterVersions",
+ "textract:AnalyzeExpense",
+ "textract:GetAdapter",
+ "textract:GetDocumentTextDetection",
+ "textract:GetLendingAnalysisSummary",
+ "textract:ListTagsForResource",
+ "textract:AnalyzeID",
+ "textract:GetAdapterVersion",
+ "textract:GetExpenseAnalysis",
+ "textract:ListAdapters",
+ "textract:CreateAdapter",
+ "textract:DeleteAdapterVersion",
+ "textract:StartExpenseAnalysis",
+ "textract:CreateAdapterResource",
+ "textract:StartDocumentAnalysis",
+ "textract:StartLendingAnalysis",
+ "textract:DeleteAdapter",
+ "textract:StartDocumentTextDetection",
+ "textract:UpdateAdapter",
+ "textract:TagResource",
+ "textract:UntagResource",
+ ]
+
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "aws:RequestedRegion"
+ values = [
+ "eu-central-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "us-east-1"
+ ]
+ }
+ }
+}
+
 resource "aws_iam_policy" "bedrock_integration" {
 name = "analytical-platform-bedrock-integration"
 description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
 policy = data.aws_iam_policy_document.bedrock_integration.json
 }
+
+resource "aws_iam_policy" "textract_integration" {
+ name = "analytical-platform-textract-integration"
+ description = "Permissions needed to allow access to Textract in Frankfurt from tooling."
+ policy = data.aws_iam_policy_document.textract_integration.json
+}
\ No newline at end of file
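Review bot: The new `textract_integration` statement grants `textract:CreateAdapter`, `textract:CreateAdapterResource`, `textract:DeleteAdapter`, `textract:DeleteAdapterVersion`, `textract:UpdateAdapter`, `textract:TagResource` and `textract:UntagResource` on `resources = ["*"]`, so any principal attached to this policy can create, modify, delete and re-tag every Textract adapter in the account, which is well beyond the document-analysis use the policy name and description suggest. The wildcard is reasonable for the Analyze/Detect/Get/List/Start calls, which act on no named resource, but the adapter and tag actions are, as far as I can tell, resource-level and can be restricted to adapter ARNs in this account (confirm against the Textract section of the IAM Service Authorization Reference before relying on that). Moving them into a second statement with a scoped `resources` list also keeps the `#tfsec:ignore` and `CKV_AWS_356` skip honest, since they then cover only the statement that genuinely needs `*`, and the `aws:RequestedRegion` condition should be repeated on that statement so it is not weaker than the first. Later commits in this series trim the region list, so take the final `values` from there.
```hcl
  statement {
    sid    = "AnalyticalPlatformTextractIntegration"
    effect = "Allow"
    # … unchanged: Analyze*/Detect*/Get*/List*/Start* actions, resources = ["*"], region condition …
  }

  statement {
    sid    = "AnalyticalPlatformTextractAdapters"
    effect = "Allow"

    actions = [
      "textract:CreateAdapter",
      "textract:CreateAdapterResource",
      "textract:DeleteAdapter",
      "textract:DeleteAdapterVersion",
      "textract:UpdateAdapter",
      "textract:TagResource",
      "textract:UntagResource",
    ]

    # <ADAPTER_ARN_PATTERN> is a placeholder: the adapter ARN(s) for this account, per the Textract IAM reference
    resources = ["<ADAPTER_ARN_PATTERN>"]

    condition {
      test     = "StringEquals"
      variable = "aws:RequestedRegion"
      # <REGION_LIST> is a placeholder: the same regions as the statement above
      values = ["<REGION_LIST>"]
    }
  }
```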
From a2b67588f4f93f628ddea3a47ad24e69d7264a27 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Wed, 2 Oct 2024 08:53:29 +0100
Subject: [PATCH 2/8] added newline at end of file
---
 .../cluster/tooling-integration-iam-policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index 625f4ffb64..0058d6c224 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -129,4 +129,4 @@ resource "aws_iam_policy" "textract_integration" {
 name = "analytical-platform-textract-integration"
 description = "Permissions needed to allow access to Textract in Frankfurt from tooling."
 policy = data.aws_iam_policy_document.textract_integration.json
-}
\ No newline at end of file
+}
From da4f754157900fded0c2a03349eeed37607b7fd3 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Wed, 2 Oct 2024 08:59:26 +0100
Subject: [PATCH 3/8] attempting to fix build and test documentation step
---
 .../documentation/platform/infrastructure/terraform.html.md.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/documentation/platform/infrastructure/terraform.html.md.erb b/source/documentation/platform/infrastructure/terraform.html.md.erb
index 756d8bc00c..d1662641d9 100644
--- a/source/documentation/platform/infrastructure/terraform.html.md.erb
+++ b/source/documentation/platform/infrastructure/terraform.html.md.erb
@@ -199,7 +199,7 @@ To create a new Terraform component, you will need to:
 ## Static Analysis
 Static analysis was introduced in [#866](https://github.com/ministryofjustice/data-platform/pull/866), however the components that make up Analytical Platform
-have not been remediated yet, this is addressed in [#886](https://github.com/ministryofjustice/data-platform/issues/886)
+have not been remediated yet, this is addressed in [#886](https://github.com/ministryofjustice/analytical-platform/issues/886)
 If you are working on a component that has not yet been addressed, you will need to add the label `override-static-analysis` to your pull request
From 67d3a4b98d74fd5af5bef1716adae4b759c6dcd7 Mon Sep 17 00:00:00 2001
From: James Stott <158563996+jamesstottmoj@users.noreply.github.com>
Date: Wed, 2 Oct 2024 14:21:42 +0100
Subject: [PATCH 4/8] Update terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
remove frankfurt in description
Co-authored-by: Jacob Woffenden
---
 .../cluster/tooling-integration-iam-policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index 0058d6c224..6de6e70ce8 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -127,6 +127,6 @@ resource "aws_iam_policy" "bedrock_integration" {
 
 resource "aws_iam_policy" "textract_integration" {
 name = "analytical-platform-textract-integration"
- description = "Permissions needed to allow access to Textract in Frankfurt from tooling."
+ description = "Permissions needed to allow access to Textract from tooling."
 policy = data.aws_iam_policy_document.textract_integration.json
 }
From 25e0e4179cbbd10b526c8c8fb913d8109c374871 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Wed, 2 Oct 2024 14:26:29 +0100
Subject: [PATCH 5/8] removed Frankfurt from description
---
 .../cluster/tooling-integration-iam-policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index 6de6e70ce8..b2f9ac6c25 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -121,7 +121,7 @@ data "aws_iam_policy_document" "textract_integration" {
 
 resource "aws_iam_policy" "bedrock_integration" {
 name = "analytical-platform-bedrock-integration"
- description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
+ description = "Permissions needed to allow access to Bedrock from tooling."
 policy = data.aws_iam_policy_document.bedrock_integration.json
 }
 
From 9ba4677d64adf271323e90ff10870e9749d99413 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Thu, 3 Oct 2024 08:57:23 +0100
Subject: [PATCH 6/8] Limit textract to London and Ireland
---
 .../cluster/tooling-integration-iam-policies.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index b2f9ac6c25..7507934454 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -109,11 +109,8 @@ data "aws_iam_policy_document" "textract_integration" {
 test = "StringEquals"
 variable = "aws:RequestedRegion"
 values = [
- "eu-central-1",
 "eu-west-1",
 "eu-west-2",
- "eu-west-3",
- "us-east-1"
 ]
 }
 }
From 44787a48610fb8bd8ca64ad7d0fa32aca2184ee6 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Thu, 3 Oct 2024 10:08:31 +0100
Subject: [PATCH 7/8] Added dbeaver to ignorelist
---
 .lycheeignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.lycheeignore b/.lycheeignore
index ef60f4ec5b..3ee99bd411 100644
--- a/.lycheeignore
+++ b/.lycheeignore
@@ -14,3 +14,4 @@ https://github.com/moj-analytical-services/create-a-derived-table
 https://github.com/ministryofjustice/analytics-platform-helm-charts/tree/main/charts/jupyter-lab-datascience-notebook
 https://github.com/ministryofjustice/analytics-platform-helm-charts/tree/main/charts/jupyter-lab-all-spark
 https://github.com/ministryofjustice/analytics-platform-helm-charts/tree/main/charts/jupyter-lab
+https://dbeaver.io/download/
From a7e168eb3be9780dfe92f397f615a460fb40bbd6 Mon Sep 17 00:00:00 2001
From: jamesstottmoj
Date: Thu, 3 Oct 2024 11:05:40 +0100
Subject: [PATCH 8/8] Revert change to description
---
 .../cluster/tooling-integration-iam-policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
index 7507934454..75132ea4ba 100644
--- a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -118,7 +118,7 @@ data "aws_iam_policy_document" "textract_integration" {
 
 resource "aws_iam_policy" "bedrock_integration" {
 name = "analytical-platform-bedrock-integration"
- description = "Permissions needed to allow access to Bedrock from tooling."
+ description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
 policy = data.aws_iam_policy_document.bedrock_integration.json
 }