DPR2-165: Attach s3 access policies

terraform/environments/digital-prison-reporting/main.tf

@@ -861,8 +861,8 @@ module "dms_fake_data_ingestor" {
 # DMS Nomis Data Collector
 module "dms_nomis_ingestor_s3_target" {
   source                       = "./modules/dms_s3"
-  setup_dms_instance           = false
-  enable_replication_task      = false
+  setup_dms_instance           = true
+  enable_replication_task      = true
   name                         = "${local.project}-dms-nomis-ingestor-s3-target-${local.env}"
   vpc_cidr                     = [data.aws_vpc.shared.cidr_block]
   source_engine_name           = "oracle"
@@ -872,7 +872,7 @@ module "dms_nomis_ingestor_s3_target" {
   source_address               = jsondecode(data.aws_secretsmanager_secret_version.nomis.secret_string)["endpoint"]
   source_db_port               = jsondecode(data.aws_secretsmanager_secret_version.nomis.secret_string)["port"]
   vpc                          = data.aws_vpc.shared.id
-  kinesis_stream_policy        = module.kinesis_stream_ingestor.kinesis_stream_iam_policy_admin_arn
+  s3_write_policy              = module.s3_dms_raw_bucket.bucket_arn
   project_id                   = local.project
   env                          = local.environment
   dms_source_name              = "oracle"

terraform/environments/digital-prison-reporting/modules/dms_s3/iam.tf

@@ -17,10 +17,6 @@ resource "aws_iam_role" "dms-s3-role" {
   ]
 }
 EOF
-
-  tags = {
-    Jira = "DPR2-165"
-  }
 }
 
 # Attach s3 target operation policy to the role
@@ -35,19 +31,16 @@ resource "aws_iam_role_policy" "dms-s3-target-policy" {
         {
             "Effect": "Allow",
             "Action": [
-                "s3:PutObject",
-                "s3:DeleteObject",
-                "s3:PutObjectTagging"
+                "s3:*",
+                "kms:*"
             ],
-            "Resource": [
-                "arn:aws:s3::*:dpr-*/*",
-                "arn:aws:s3::*:dpr-*"
-            ]
+            "Resource": "*"
         },
         {
             "Effect": "Allow",
             "Action": [
-                "s3:ListBucket"
+                "s3:*",
+                "kms:*"
             ],
             "Resource": "*"
         }
@@ -56,6 +49,12 @@ resource "aws_iam_role_policy" "dms-s3-target-policy" {
 EOF
 }
 
+#DMS Role with s3 Write Access
+resource "aws_iam_role_policy_attachment" "dms-kinesis-attachment" {
+  role       = aws_iam_role.dms-s3-role.name
+  policy_arn = var.s3_write_policy
+}
+
 #DMS Operation s3 target role
 resource "aws_iam_role" "dms-operator-s3-target-role" {
   name = "dms-${var.short_name}-operator-s3-target-role"
@@ -128,4 +127,10 @@ resource "aws_iam_role_policy" "dms-operator-s3-policy" {
     ]
 }
 EOF
+}
+
+#DMS Role with s3 Write Access
+resource "aws_iam_role_policy_attachment" "dms-operator-s3-attachment" {
+  role       = aws_iam_role.dms-operator-s3-target-role.name
+  policy_arn = var.s3_write_policy
 }

terraform/environments/digital-prison-reporting/modules/dms_s3/variables.tf

@@ -56,6 +56,8 @@ variable "migration_type" {
   description = "DMS Migration Type"
 }
 
+variable "s3_write_policy" {}
+
 variable "availability_zones" {
   default = [
     {
@@ -75,8 +77,6 @@ variable "source_address" {}
 
 variable "vpc" {}
 
-variable "kinesis_stream_policy" {}
-
 variable "availability_zone" {
   default = null
 }
@@ -141,11 +141,6 @@ variable "target_db_port" {
   default     = 5432
 }
 
-variable "target_engine" {
-  default     = "kinesis"
-  description = "Engine type, example values mysql, postgres"
-}
-
 variable "target_engine_version" {
   description = "Engine version"
   default     = "9.3.14"
@@ -184,11 +179,6 @@ variable "target_storage_encrypted" {
 #  description = "Username to access the target database"
 #}
 
-variable "kinesis_settings" {
-  type        = map(any)
-  description = "Configuration block for Kinesis settings"
-  default     = null
-}
 #--------------------------------------------------------------
 # DMS source config
 #--------------------------------------------------------------