Merge pull request #3954 from ministryofjustice/performance-hub/iam-u…

…ploads Add IAM user for uploads and remove cicduser
ministryofjustice · Nov 13, 2023 · 29c5245 · 29c5245
2 parents 2b4d344 + f0c81d3
commit 29c5245
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 20 deletions.
diff --git a/terraform/environments/performance-hub/database.tf b/terraform/environments/performance-hub/database.tf
@@ -313,7 +313,7 @@ data "aws_iam_policy_document" "rds-kms" {
 
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"]
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
   }
 }
diff --git a/terraform/environments/performance-hub/iam.tf b/terraform/environments/performance-hub/iam.tf
@@ -0,0 +1,95 @@
+#------------------------------------------------------------------------------
+# IAM for S3 data movement operations to and from the Analytical Platform (AP)
+# 
+#------------------------------------------------------------------------------
+
+
+# S3 bucket access policy for AP landing bucket (data pushed from 
+# Performance Hub to a bucket in the AP account - hence hard-coded bucket name)
+# Legacy account was arn:aws:iam::677012035582:policy/read-ap-ppas
+resource "aws_iam_policy" "s3_ap_landing_policy" {
+  name   = "${local.application_name}-s3-ap-landing-policy"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "MOJAnalyticalPlatformListBucket",
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "arn:aws:s3:::hmpps-performance-hub-landing"
+        },
+        {
+            "Sid": "MOJAnalyticalPlatformWriteBucket",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:GetObject"
+            ],
+            "Resource": "arn:aws:s3:::hmpps-performance-hub-landing/*"
+        }
+    ]
+}
+EOF
+}
+
+# resource "aws_iam_role" "s3_ap_landing_role" {
+#   name               = "${local.application_name}-s3-ap-landing-role"
+#   assume_role_policy = data.aws_iam_policy_document.s3-access-policy.json
+#   tags = merge(
+#     local.tags,
+#     {
+#       Name = "${local.application_name}-s3-ap-landing-role"
+#     }
+#   )
+# }
+
+# resource "aws_iam_role_policy_attachment" "s3_ap_landing_attachment" {
+#   role       = aws_iam_role.s3_ap_landing_role.name
+#   policy_arn = aws_iam_policy.s3_ap_landing_policy.arn
+# }
+
+# S3 bucket access policy for Performance Hub landing bucket (data pushed from 
+# AP to a bucket in this account)
+# Legacy account was arn:aws:iam::677012035582:policy/land-data-access-policy
+resource "aws_iam_policy" "s3_hub_Landing_policy" {
+  name   = "${local.application_name}-s3-hub-landing-policy"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "HubLandBucketLevel",
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "${module.ap_landing_bucket.bucket.arn}"
+            ]
+        },
+        {
+            "Sid": "HubLandObjectLevel",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObjectAcl",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "${module.ap_landing_bucket.bucket.arn}/*"
+            ]
+        }
+    ]
+}
+EOF
+}
+
+# IAM user for uploads & content bucket
+# resource "aws_iam_user" "uploaduser" {
+#     name = "uploaduser"
+# }
diff --git a/terraform/environments/performance-hub/s3.tf b/terraform/environments/performance-hub/s3.tf
@@ -61,24 +61,23 @@ resource "aws_s3_bucket_versioning" "upload_files" {
   }
 }
 
-resource "aws_s3_bucket_policy" "upload_files_policy" {
-  bucket = aws_s3_bucket.upload_files.id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "upload_bucket_policy"
-    Statement = [
-      {
-        Effect    = "Allow"
-        Principal = { AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"] }
-        Action    = "s3:*"
-        Resource = [
-          aws_s3_bucket.upload_files.arn,
-          "${aws_s3_bucket.upload_files.arn}/*",
-        ]
-      },
-    ]
-  })
-}
+# resource "aws_s3_bucket_policy" "upload_files_policy" {
+#   bucket = aws_s3_bucket.upload_files.id
+#   policy = jsonencode({
+#     Version = "2012-10-17"
+#     Id      = "upload_bucket_policy"
+#     Statement = [
+#       {
+#         Effect    = "Allow"
+#         actions = ["s3:GetObject","s3:PutObject","s3:ListBucket"]
+#         Resource = [
+#           aws_s3_bucket.upload_files.arn,
+#           "${aws_s3_bucket.upload_files.arn}/*",
+#         ]
+#       },
+#     ]
+#   })
+# }
 
 resource "aws_iam_role" "s3_uploads_role" {
   name               = "${local.application_name}-s3-uploads-role"
@@ -242,7 +241,7 @@ data "aws_iam_policy_document" "s3-kms" {
 
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"]
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
   }
 }