From 742976fb60343bf21256a7d043865025fc13e6cd Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Thu, 12 Oct 2023 17:47:46 +0100
Subject: [PATCH] Delius core ldap data refresh s3 (#3642)
* Update ldap_datasync.tf
* Update ldap_datasync.tf
* Update ldap_datasync.tf
* Update ldap_datasync.tf
* typo
* Update ldap_datasync.tf
* Update ldap_datasync.tf
* Update ldap_datasync.tf
* Update ldap_datasync.tf
---
.../ldap_datasync.tf | 83 +++++++++++++++++++
1 file changed, 83 insertions(+)
diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 4ed9da1e439..2eb2773a0bc 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -55,4 +55,87 @@ data "aws_iam_policy_document" "ldap_datasync_role_access" {
 ]
 resources = ["*"]
 }
+ statement {
+ sid = "allowAccessForDataSync"
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = [
+ "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
+ "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
+ ]
+ }
+}
+
+locals {
+ delius_core_accounts = { for k, v in nonsensitive(var.platform_vars.environment_management.account_ids) : k => v if startswith(k, "delius-core") }
+ ldap_refresh_bucket_policies = [for account_name, account_id in local.delius_core_accounts :
+ {
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = [
+ "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
+ "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
+ ]
+ principals = {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ conditions = [
+ {
+ test = "ArnLike"
+ values = ["arn:aws:iam::${account_id}:role/ldap-data-refresh-role-*"]
+ variable = "aws:PrincipalARN"
+ }
+ ]
+ }
+ ]
+
+}
+
+
+module "s3_bucket_ldap_data_refresh" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+ bucket_name = "${var.env_name}-ldap-data-refresh-incoming"
+ versioning_enabled = false
+ ownership_controls = "BucketOwnerEnforced"
+ replication_enabled = false
+ custom_kms_key = var.account_config.general_shared_kms_key_arn
+ bucket_policy_v2 = local.ldap_refresh_bucket_policies
+
+ providers = {
+ aws.bucket-replication = aws.bucket-replication
+ }
+
+ tags = local.tags
 }
+
+#resource "aws_s3_bucket_public_access_block" "s3_bucket_ldap_data_refresh" {
+# bucket = module.s3_bucket_ldap_data_refresh.bucket.id
+# block_public_acls = false
+# block_public_policy = false
+# ignore_public_acls = false
+# restrict_public_buckets = false
+#}
+
+
+#data "aws_iam_policy_document" "datasync_s3_ldap_refresh_access" {
+# for_each = { for k, v in nonsensitive(var.platform_vars.environment_management.account_ids) : k => v if startswith(k, "delius-core") }
+# statement {
+# sid = "allowAccessForDataSync_${each.key}"
+# effect = "Allow"
+# actions = ["s3:*"]
+# resources = [
+# "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
+# "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
+# ]
+# principals {
+# type = "AWS"
+# identifiers = ["*"]
+# }
+# condition {
+# test = "ArnLike"
+# values = ["arn:aws:iam::${each.value}:role/ldap-data-refresh-role-*"]
+# variable = "aws:PrincipalARN"
+# }
+# }
+#}
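Review bot: Both new policy statements grant `actions = ["s3:*"]` — the `allowAccessForDataSync` statement appended to `ldap_datasync_role_access` (whose data block begins above the hunk) and every entry of `local.ldap_refresh_bucket_policies`, which opens the bucket to `Principal "*"` gated only by an `ArnLike` match on `aws:PrincipalARN` against `role/ldap-data-refresh-role-*` in each `delius-core*` account. `s3:*` includes bucket-management actions such as `s3:PutBucketPolicy`, `s3:PutBucketAcl` and `s3:DeleteBucket`, so any role in a sibling account whose name happens to match the wildcard could rewrite this bucket's own policy; a DataSync S3 location only needs the listing and object actions, e.g. `actions = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]` in both places. The commented-out `aws_s3_bucket_public_access_block` with every `block_*`/`restrict_*` flag set to `false` should be deleted rather than left as a ready-to-uncomment template that would switch off the public-access guard, and the commented-out `datasync_s3_ldap_refresh_access` data source duplicates what the locals now express. The `"${module.s3_bucket_ldap_data_refresh.bucket.arn}"` wrappers are redundant interpolations that `terraform fmt` warns about; the bare attribute reference is enough. Whether the cross-account refresh roles also need grants on `general_shared_kms_key_arn` to read and write objects encrypted with the custom key is not visible in this hunk and is worth confirming before the first transfer.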