removed S3 access, create s3 buckets

ministryofjustice · Dec 12, 2023 · befea35 · befea35
1 parent 3540875
commit befea35
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 35 deletions.
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
@@ -12,7 +12,8 @@
       "db_instance_identifier": "chaps-dev-instance",
       "friendly_name": "Chaps development",
       "container_instance_type": "windows",
-      "container_version": "preproduction"
+      "container_version": "preproduction",
+      "s3_bucket_name": "chaps-dev-bucket"
     },
     "preproduction": {
       "db_enabled": true,
@@ -26,7 +27,8 @@
       "container_instance_type": "windows",
       "container_version": "preproduction",
       "region": "eu-west-2",
-      "docker_image_tag": "preproduction"
+      "docker_image_tag": "preproduction",
+      "s3_bucket_name": "chaps-staging-bucket"
     },
     "production": {
       "db_enabled": true,
@@ -40,7 +42,8 @@
       "container_instance_type": "windows",
       "container_version": "production",
       "region": "eu-west-2",
-      "docker_image_tag": "production"
+      "docker_image_tag": "production",
+      "s3_bucket_name": "chaps-production-bucket"
     }
   }
 }
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
@@ -14,13 +14,6 @@ resource "aws_db_instance" "database" {
 
 }
 
-resource "aws_db_instance_role_association" "rds_s3_role_association" {
-	db_instance_identifier 	= aws_db_instance.database.identifier
-	feature_name 						= "S3_INTEGRATION"
-	role_arn               = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"
-}
-
-
 resource "aws_security_group" "db" {
 	name 				= "db"
 	description = "Allow DB inbound traffic"
@@ -40,29 +33,6 @@ resource "aws_security_group" "db" {
   }
 }
 
-resource "aws_iam_policy" "rds_s3_access_policy" {
-	name = "RDS-S3-Access-Policy"
-	description = "Allows mod platform RDS access to tp-dbbackups bucket"
-	policy = jsonencode({
-		Version = "2012-10-17",
-		Statement = [
-			{
-				Effect = "Allow",
-				Action = [
-					"s3:GetObject",
-					"s3:ListBucket"
-				],
-				Resource = [
-					"arn:aws:s3:::tp-dbbackups/*",
-					"arn:aws:s3:::tp-dbbackups"
-				]
-			}
-		]
-	})
-}
-
-
-
 data "aws_secretsmanager_secret" "db_password" {
   name = aws_secretsmanager_secret.chaps_secret.name
 }
@@ -96,5 +66,4 @@ data "aws_iam_policy_document" "rds-kms" {
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
   }
-}
-
+}
diff --git a/terraform/environments/cdpt-chaps/s3 b/terraform/environments/cdpt-chaps/s3
@@ -0,0 +1,4 @@
+resource "aws_s3_bucket" "chaps-db-backup-bucket" {
+	bucket = local.app_data.accounts[local.environment].s3_bucket_name
+	acl = "private"
+}