CSR shared bucket permission fixes (#6704)

ministryofjustice · Jun 21, 2024 · 28efedb · 28efedb
1 parent 4124615
commit 28efedb
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 26 deletions.
diff --git a/terraform/modules/baseline_presets/iam_policies.tf b/terraform/modules/baseline_presets/iam_policies.tf
@@ -206,27 +206,27 @@ locals {
         {
           effect = "Allow"
           actions = [
-              "s3:GetBucketLocation",
-              "s3:GetObject",
-              "s3:ListBucket",
-              "s3:PutObject",
-              "s3:GetBucketAcl"
+            "s3:GetBucketLocation",
+            "s3:GetObject",
+            "s3:ListBucket",
+            "s3:PutObject",
+            "s3:GetBucketAcl"
           ],
           resources = [
-              "arn:aws:s3:::*",
-              "arn:aws:s3:::*/*",
-              "arn:aws:s3:::*/*/*"
+            "arn:aws:s3:::*",
+            "arn:aws:s3:::*/*",
+            "arn:aws:s3:::*/*/*"
           ]
         },
         {
           effect = "Allow"
           actions = [
-              "ec2:ModifySnapshotAttribute",
-              "ec2:CopySnapshot",
-              "ec2:RegisterImage",
-              "ec2:Describe*"
+            "ec2:ModifySnapshotAttribute",
+            "ec2:CopySnapshot",
+            "ec2:RegisterImage",
+            "ec2:Describe*"
           ],
-          resources = [ "*" ]
+          resources = ["*"]
         },
         {
           effect = "Allow"
@@ -238,10 +238,10 @@ locals {
             "kms:GenerateDataKey*",
             "kms:ReEncrypt*"
           ],
-          resources = [ "*" ]
+          resources = ["*"]
         }
       ]
     }
-    
+
   }
 }
diff --git a/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf b/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf
@@ -114,13 +114,9 @@ locals {
           "s3:PutObject",
           "s3:PutObjectAcl",
         ]
-        resources = concat(var.environment.environment == "production" || var.environment.environment == "preproduction" ? [
-          "arn:aws:s3:::prodpreprod-${var.environment.application_name}-*/*",
-          "arn:aws:s3:::prodpreprod-${var.environment.application_name}-*"
-          ] : [
-          "arn:aws:s3:::devtest-${var.environment.application_name}-*/*",
-          "arn:aws:s3:::devtest-${var.environment.application_name}-*"
-          ], [
+        resources = [
+          "arn:aws:s3:::${local.shared_s3_name_prefix}*/*",
+          "arn:aws:s3:::${local.shared_s3_name_prefix}*",
           "arn:aws:s3:::ec2-image-builder-*/*",
           "arn:aws:s3:::ec2-image-builder-*",
           "arn:aws:s3:::*-software*/*",
@@ -129,7 +125,7 @@ locals {
           "arn:aws:s3:::mod-platform-image-artefact-bucket*",
           "arn:aws:s3:::modernisation-platform-software*/*",
           "arn:aws:s3:::modernisation-platform-software*"
-        ])
+        ]
       }
     ]
 

diff --git a/terraform/modules/baseline_presets/s3.tf b/terraform/modules/baseline_presets/s3.tf
@@ -1,5 +1,8 @@
 locals {
 
+  devtest_or_prodpreprod = var.environment.environment == "development" || var.environment.environment == "test" ? "devtest" : "prodpreprod"
+  shared_s3_name_prefix  = substr("${local.devtest_or_prodpreprod}-${var.environment.application_name}-", 0, 37)
+
   requested_s3_iam_policies = var.options.s3_iam_policies != null ? {
     for key, value in local.s3_iam_policies : key => value if contains(var.options.s3_iam_policies, key)
   } : local.s3_iam_policies
@@ -8,7 +11,7 @@ locals {
 
     # if enable_shared_s3 set, create a bucket in test and production which can be used by dev and test / preprod and prod respectively
     var.options.enable_shared_s3 && var.environment.environment == "production" ? {
-      (substr("prodpreprod-${var.environment.application_name}-", 0, 37)) = {
+      (local.shared_s3_name_prefix) = {
         bucket_policy_v2 = [
           local.s3_bucket_policies.ImageBuilderWriteAccessBucketPolicy,
           local.s3_bucket_policies.ProdPreprodEnvironmentsWriteAccessBucketPolicy
@@ -18,7 +21,7 @@ locals {
       }
     } : {},
     var.options.enable_shared_s3 && var.environment.environment == "test" ? {
-      (substr("devtest-${var.environment.application_name}-", 0, 37)) = {
+      (local.shared_s3_name_prefix) = {
         bucket_policy_v2 = [
           local.s3_bucket_policies.ImageBuilderWriteAccessBucketPolicy,
           local.s3_bucket_policies.DevTestEnvironmentsWriteAndDeleteAccessBucketPolicy

diff --git a/terraform/modules/baseline_presets/variables.tf b/terraform/modules/baseline_presets/variables.tf
@@ -1,4 +1,4 @@
- # tflint-ignore: terraform_typed_variables
+# tflint-ignore: terraform_typed_variables
 variable "environment" {
   # Not defining 'type' as it is defined in the output of the environment module
   description = "Standard environmental data resources from the environment module"