Use inline policy

ministryofjustice · Nov 17, 2023 · 325be8b · 325be8b
1 parent 3650254
commit 325be8b
Showing 1 changed file with 43 additions and 24 deletions.
diff --git a/terraform/environments/performance-hub/iam.tf b/terraform/environments/performance-hub/iam.tf
@@ -7,39 +7,62 @@
 # S3 bucket access policy for AP landing bucket (data pushed from 
 # Performance Hub to a bucket in the AP account - hence hard-coded bucket name)
 # Legacy account was arn:aws:iam::677012035582:policy/read-ap-ppas
-resource "aws_iam_policy" "s3_ap_landing_policy" {
-  name   = "${local.application_name}-s3-ap-landing-policy"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-    "Statement": [
+# resource "aws_iam_policy" "s3_ap_landing_policy" {
+#   name   = "${local.application_name}-s3-ap-landing-policy"
+#   policy = <<EOF
+# {
+#   "Version": "2012-10-17",
+#     "Statement": [
+#         {
+#             "Sid": "MOJAnalyticalPlatformListBucket",
+#             "Effect": "Allow",
+#             "Action": [
+#                 "s3:ListBucket",
+#                 "s3:GetBucketLocation"
+#             ],
+#             "Resource": "arn:aws:s3:::hmpps-performance-hub-landing"
+#         },
+#         {
+#             "Sid": "MOJAnalyticalPlatformWriteBucket",
+#             "Effect": "Allow",
+#             "Action": [
+#                 "s3:PutObject",
+#                 "s3:PutObjectAcl",
+#                 "s3:GetObject"
+#             ],
+#             "Resource": "arn:aws:s3:::hmpps-performance-hub-landing/*"
+#         }
+#     ]
+# }
+# EOF
+# }
+
+resource "aws_iam_role" "s3_ap_landing_role" {
+  name               = "${local.application_name}-s3-ap-landing-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
         {
-            "Sid": "MOJAnalyticalPlatformListBucket",
-            "Effect": "Allow",
-            "Action": [
+            Sid: "MOJAnalyticalPlatformListBucket",
+            Effect: "Allow",
+            Action: [
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
             "Resource": "arn:aws:s3:::hmpps-performance-hub-landing"
         },
         {
-            "Sid": "MOJAnalyticalPlatformWriteBucket",
-            "Effect": "Allow",
-            "Action": [
+            Sid: "MOJAnalyticalPlatformWriteBucket",
+            Effect: "Allow",
+            Action: [
                 "s3:PutObject",
                 "s3:PutObjectAcl",
                 "s3:GetObject"
             ],
-            "Resource": "arn:aws:s3:::hmpps-performance-hub-landing/*"
+            Resource: "arn:aws:s3:::hmpps-performance-hub-landing/*"
         }
     ]
-}
-EOF
-}
-
-resource "aws_iam_role" "s3_ap_landing_role" {
-  name               = "${local.application_name}-s3-ap-landing-role"
-  assume_role_policy = data.aws_iam_policy.s3_ap_landing_policy
+  })
   tags = merge(
     local.tags,
     {
@@ -48,10 +71,6 @@ resource "aws_iam_role" "s3_ap_landing_role" {
   )
 }
 
-resource "aws_iam_role_policy_attachment" "s3_ap_landing_attachment" {
-  role       = aws_iam_role.s3_ap_landing_role.name
-  policy_arn = aws_iam_policy.s3_ap_landing_policy.arn
-}
 
 # S3 bucket access policy for Performance Hub landing bucket (data pushed from 
 # AP to a bucket in this account)