Merge pull request #6796 from ministryofjustice/spike-update-dms-for-…

…data-validation initial attempt to change DMS permissions
ministryofjustice · Jun 28, 2024 · d8a335a · d8a335a
2 parents 9e1bfcf + 37d63c3
commit d8a335a
Showing 1 changed file with 57 additions and 23 deletions.
diff --git a/terraform/environments/electronic-monitoring-data/dms_iam.tf b/terraform/environments/electronic-monitoring-data/dms_iam.tf
@@ -17,35 +17,69 @@ resource "aws_iam_role" "dms_endpoint_role" {
 # Define S3 IAM policy for DMS S3 Endpoint
 resource "aws_iam_policy" "dms_ep_s3_role_policy" {
   name = "dms-s3-target-ep-policy"
-
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
+  policy = jsonencode(
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+        	"Sid": "AthenaDMS",
+        	"Effect": "Allow",
+        	"Action": [
+        		"athena:StartQueryExecution",
+        		"athena:GetQueryExecution",
+        		"athena:CreateWorkGroup"
+        	],
+        	"Resource": "arn:aws:athena:eu-west-2:${local.env_account_id}:workgroup/dms_validation_workgroup_for_task_*"
+        },
+        {
+        	"Effect": "Allow",
+        	"Action": [
+        		"glue:CreateDatabase",
+        		"glue:DeleteDatabase",
+        		"glue:GetDatabase",
+        		"glue:GetTables",
+        		"glue:CreateTable",
+        		"glue:DeleteTable",
+        		"glue:GetTable"
+        	],
+        	"Resource": [
+        		"arn:aws:glue:eu-west-2:${local.env_account_id}:catalog",
+        		"arn:aws:glue:eu-west-2:${local.env_account_id}:database/aws_dms_s3_validation_*",
+        		"arn:aws:glue:eu-west-2:${local.env_account_id}:table/aws_dms_s3_validation_*/*",
+        		"arn:aws:glue:eu-west-2:${local.env_account_id}:userDefinedFunction/aws_dms_s3_validation_*/*"
+        	]
+        },
         {
-            "Sid": "DMSAccess",
-            "Effect": "Allow",
-            "Action": [
-                "s3:GetBucketLocation",
-                "s3:ListBucket"
-            ],
-            "Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}"
+        	"Action": [
+        		"s3:GetBucketLocation",
+        		"s3:ListBucket",
+        		"s3:ListBucketMultipartUploads",
+        		"s3:AbortMultipartUpload",
+        		"s3:ListMultipartUploadParts"
+        	],
+        	"Effect": "Allow",
+        	"Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
+        	"Sid": "DMSAccess"
         },
         {
-            "Sid": "DMSObjectActions",
-            "Effect": "Allow",
-            "Action": [
-                "s3:PutObject",
-                "s3:GetObject",
-                "s3:DeleteObject"
-            ],
-            "Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*"
+        	"Action": [
+        		"s3:PutObject",
+        		"s3:GetObject",
+        		"s3:DeleteObject",
+        		"s3:ListBucketMultipartUploads",
+        		"s3:AbortMultipartUpload",
+        		"s3:ListMultipartUploadParts"
+        	],
+        	"Effect": "Allow",
+        	"Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*",
+        	"Sid": "DMSObjectActions"
         }
-    ]
-}
-EOF
+      ]
+    }
+  )
 }
 
+
 # Attach predefined IAM Policy to the Role for DMS S3 Endpoint
 resource "aws_iam_role_policy_attachment" "dms_ep_s3_role_policy_attachment" {
   role       = aws_iam_role.dms_endpoint_role.name