From 18f0a216740b679cc795315c382b9c1a73be55cc Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 13:23:11 +0100
Subject: [PATCH 1/9] Add ldap-data-refresh-role

---
 .../ldap_datasync.tf | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 86e5401208e..15c6e0889ea 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -21,4 +21,30 @@ resource "aws_datasync_task" "ldap_refresh_task" {
 source_location_arn = aws_datasync_location_efs.source.arn
 name = "ldap-datasync-task-push-from-${var.env_name}"
-}
\ No newline at end of file
+}
+
+# iam role for aws backup to assume in the data-refresh pipeline using the aws backup start-restore-job cmd
+resource "aws_iam_role" "ldap_datasync_role" {
+ count = var.ldap_config.efs_datasync_destination_arn != null ? 1 : 0
+ name = "ldap-data-refresh-role"
+ assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role.json
+}
+
+data "aws_iam_policy_document" "ldap_datasync_role" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["datasync.amazonaws.com", "backup.amazonaws.com", "efs.amazonaws.com"]
+ }
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "backup:StartRestoreJob",
+ "backup:Get*",
+ "backup:List*"
+ ]
+ }
+}
From 51b599fa20136670c4c82b0a6de2dc07315cab54 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 13:24:25 +0100
Subject: [PATCH 2/9] always create the role

---
 .../environment_all_components/ldap_datasync.tf | 1 -
 terraform/environments/nomis-data-hub/locals.tf | 16 ++++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)
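Review bot: The trust statement in `ldap_datasync_role` lets the `datasync.amazonaws.com` and `backup.amazonaws.com` service principals assume the role with no condition tying the call to this account, which is the cross-service confused-deputy shape AWS documents for both services; the same statement is re-emitted as `ldap_datasync_role_assume` in PATCH 4/9 and trimmed in PATCH 5/9, and neither adds one. Add a `condition` block inside the statement with `test = "StringEquals"`, `variable = "aws:SourceAccount"` and `values = ["<ACCOUNT_ID_PLACEHOLDER>"]`, taking the account id from whatever caller-identity data the module already has rather than a literal. The second statement of this document (backup actions with no principal or resource) is moved into its own document by PATCH 4/9, so it is not re-raised here.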
diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 15c6e0889ea..5bb166ba215 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -25,7 +25,6 @@ resource "aws_datasync_task" "ldap_refresh_task" {
 # iam role for aws backup to assume in the data-refresh pipeline using the aws backup start-restore-job cmd
 resource "aws_iam_role" "ldap_datasync_role" {
- count = var.ldap_config.efs_datasync_destination_arn != null ? 1 : 0
 name = "ldap-data-refresh-role"
 assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role.json
 }
diff --git a/terraform/environments/nomis-data-hub/locals.tf b/terraform/environments/nomis-data-hub/locals.tf
index 09aeaa03a8f..22ce3e32d2b 100644
--- a/terraform/environments/nomis-data-hub/locals.tf
+++ b/terraform/environments/nomis-data-hub/locals.tf
@@ -47,10 +47,10 @@ locals {
 })
 user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible
 tags = {
- description = "RHEL7.9 NDH App"
- component = "ndh"
- server-type = "ndh-app"
- monitored = false
+ description = "RHEL7.9 NDH App"
+ component = "ndh"
+ server-type = "ndh-app"
+ monitored = false
 instance-scheduling = "skip-scheduling"
 }
 }
@@ -67,10 +67,10 @@ locals {
 })
 user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible
 tags = {
- description = "RHEL7.9 NDH ems"
- component = "ndh"
- server-type = "ndh-ems"
- monitored = false
+ description = "RHEL7.9 NDH ems"
+ component = "ndh"
+ server-type = "ndh-ems"
+ monitored = false
 instance-scheduling = "skip-scheduling"
 }
 }
From 6d1d576072d2c83ef7a13635c3b5ee9d26871842 Mon Sep 17 00:00:00 2001
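Review bot: Removing `count` creates `ldap_datasync_role` in every environment that instantiates this module, including those where `var.ldap_config.efs_datasync_destination_arn` is null and, going by the guard just deleted, no refresh task exists to use it; an assumable role with no consumer is standing surface that has to be audited for no benefit. If the role must exist everywhere, record why in the comment above the resource, e.g. `# created unconditionally so the pipeline can rely on the role name in every environment`; otherwise keep the count and refer to the role as `aws_iam_role.ldap_datasync_role[0]` where it is attached. The two `locals.tf` hunks in this commit are alignment-only changes to an unrelated environment and are reverted by PATCH 9/9.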
From: George Taylor
Date: Wed, 11 Oct 2023 13:29:03 +0100
Subject: [PATCH 3/9] add resource restriction

---
 .../modules/environment_all_components/ldap_datasync.tf | 1 +
 terraform/environments/delius-core/plan.json | 0
 2 files changed, 1 insertion(+)
 delete mode 100644 terraform/environments/delius-core/plan.json

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 5bb166ba215..741c8bae286 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -45,5 +45,6 @@ data "aws_iam_policy_document" "ldap_datasync_role" {
 "backup:Get*",
 "backup:List*"
 ]
+ resources = ["arn:aws:backup:::*/*"]
 }
 }
diff --git a/terraform/environments/delius-core/plan.json b/terraform/environments/delius-core/plan.json
deleted file mode 100644
index e69de29bb2d..00000000000
From 53a58e355918f99a6011ba22b302b58dca7afc40 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 15:02:15 +0100
Subject: [PATCH 4/9] Update ldap_datasync.tf

---
 .../modules/environment_all_components/ldap_datasync.tf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 741c8bae286..c1f1ada124e 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
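Review bot: The resource pattern `arn:aws:backup:::*/*` has empty region and account fields and a `/` separator, whereas AWS Backup vault and recovery-point ARNs are of the form `arn:aws:backup:<region>:<account>:backup-vault:<name>` and `...:recovery-point:<id>`, so as far as I can tell this statement matches no real resource and grants nothing; that would also explain why PATCH 7/9 falls back to `*`. Scope it to the vaults the refresh restores from, e.g. `resources = ["arn:aws:backup:<REGION_PLACEHOLDER>:<ACCOUNT_ID_PLACEHOLDER>:backup-vault:*"]` plus the recovery-point form, and put any Get/List actions that do not support resource-level permissions in a separate statement with `resources = ["*"]`. The deletion of the empty `plan.json` in the same commit is fine.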
@@ -26,10 +26,10 @@ resource "aws_datasync_task" "ldap_refresh_task" {
 # iam role for aws backup to assume in the data-refresh pipeline using the aws backup start-restore-job cmd
 resource "aws_iam_role" "ldap_datasync_role" {
 name = "ldap-data-refresh-role"
- assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role.json
+ assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role_assume.json
 }
-data "aws_iam_policy_document" "ldap_datasync_role" {
+data "aws_iam_policy_document" "ldap_datasync_role_assume" {
 statement {
 actions = ["sts:AssumeRole"]
@@ -38,6 +38,9 @@ data "aws_iam_policy_document" "ldap_datasync_role" {
 identifiers = ["datasync.amazonaws.com", "backup.amazonaws.com", "efs.amazonaws.com"]
 }
 }
+}
+
+data "aws_iam_policy_document" "ldap_datasync_role_access" {
 statement {
 effect = "Allow"
 actions = [
@@ -47,4 +50,4 @@ data "aws_iam_policy_document" "ldap_datasync_role" {
 ]
 resources = ["arn:aws:backup:::*/*"]
 }
-}
+}
\ No newline at end of file
From d9ea721b14ecfa467e642fc4e619766cab7e153a Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 15:10:12 +0100
Subject: [PATCH 5/9] remove efs servicve

---
 .../modules/environment_all_components/ldap_datasync.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index c1f1ada124e..11bf910db8a 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "ldap_datasync_role_assume" {
 principals {
 type = "Service"
- identifiers = ["datasync.amazonaws.com", "backup.amazonaws.com", "efs.amazonaws.com"]
+ identifiers = ["datasync.amazonaws.com", "backup.amazonaws.com"]
 }
 }
 }
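Review bot: The comment above `ldap_datasync_role` still says the role is for AWS Backup only, while the trust policy moved into `ldap_datasync_role_assume` in the first hunk also lists `datasync.amazonaws.com`; rewrite it as `# iam role assumed by aws backup (start-restore-job) and datasync in the data-refresh pipeline`. The new `ldap_datasync_role_access` document in the second hunk is not attached to any role in this commit, so on its own the split changes nothing; PATCH 8/9 adds the `aws_iam_role_policy`, so that is not re-raised.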
From 8b73566e144281fdded89329a6c027ae97087cdd Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 15:21:30 +0100
Subject: [PATCH 6/9] make unique role name

---
 .../modules/environment_all_components/ldap_datasync.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 11bf910db8a..0be032fa7c8 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -25,7 +25,7 @@ resource "aws_datasync_task" "ldap_refresh_task" {
 # iam role for aws backup to assume in the data-refresh pipeline using the aws backup start-restore-job cmd
 resource "aws_iam_role" "ldap_datasync_role" {
- name = "ldap-data-refresh-role"
+ name = "ldap-data-refresh-role-${var.env_name}"
 assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role_assume.json
 }
From c037141bab40c56578bfaff337370a25e0aa2a11 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 15:37:07 +0100
Subject: [PATCH 7/9] adjust policy for now

---
 .../modules/environment_all_components/ldap_datasync.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 0be032fa7c8..3389ac8b052 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -44,10 +44,10 @@ data "aws_iam_policy_document" "ldap_datasync_role_access" {
 statement {
 effect = "Allow"
 actions = [
- "backup:StartRestoreJob",
- "backup:Get*",
- "backup:List*"
+ "backup:*",
+ "datasync:*",
+ "elasticfilesystem:*",
 ]
- resources = ["arn:aws:backup:::*/*"]
+ resources = ["*"]
 }
 }
\ No newline at end of file
From c3db477b8c32ed959fac19e984f2de3b7024a65d Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 16:04:57 +0100
Subject: [PATCH 8/9] Update ldap_datasync.tf

---
 .../modules/environment_all_components/ldap_datasync.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
index 3389ac8b052..4ed9da1e439 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf
@@ -29,6 +29,11 @@ resource "aws_iam_role" "ldap_datasync_role" {
 assume_role_policy = data.aws_iam_policy_document.ldap_datasync_role_assume.json
 }
+resource "aws_iam_role_policy" "ldap_refresh_access" {
+ policy = data.aws_iam_policy_document.ldap_datasync_role_access.json
+ role = aws_iam_role.ldap_datasync_role.name
+}
+
 data "aws_iam_policy_document" "ldap_datasync_role_assume" {
 statement {
 actions = ["sts:AssumeRole"]
@@ -50,4 +55,4 @@ data "aws_iam_policy_document" "ldap_datasync_role_access" {
 ]
 resources = ["*"]
 }
-}
\ No newline at end of file
+}
From 7b33f39a1a6fe14fd6de2d5a9d8af8a308031b95 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Wed, 11 Oct 2023 17:13:55 +0100
Subject: [PATCH 9/9] Revert "always create the role"

This reverts commit 51b599fa20136670c4c82b0a6de2dc07315cab54.
---
 terraform/environments/nomis-data-hub/locals.tf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
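Review bot: `backup:*`, `datasync:*` and `elasticfilesystem:*` on `resources = ["*"]` give this role full control of every backup vault, DataSync task and EFS file system in the account, far beyond the single restore the header comment describes, on a role that two AWS services can assume; the grant goes live when PATCH 8/9 attaches the document. The commit message says "for now" but nothing in the file records that, so at minimum add `# TODO(<TRACKING_ID_PLACEHOLDER>): temporary broad grant, narrow to the restore/task actions and the vault and EFS ARNs` above the statement. Preferably keep the previous explicit action list (`backup:StartRestoreJob` with `backup:Get*`/`backup:List*`) and add only the specific DataSync and EFS actions the pipeline fails without, with mutating actions scoped to the real ARNs and a separate `resources = ["*"]` statement for the describe/list calls that are not resource-scoped.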
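Review bot: `aws_iam_role_policy.ldap_refresh_access` sets no `name`, so Terraform assigns a random one, which makes the inline policy hard to find in IAM reviews and is inconsistent with the env-suffixed role name; set `name = "ldap-refresh-access-${var.env_name}"`. Attaching `ldap_datasync_role_access` here is what makes its `backup:*`/`datasync:*`/`elasticfilesystem:*` on `*` grant effective, so narrow that document before merge or document the temporary grant in a comment next to this resource.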
diff --git a/terraform/environments/nomis-data-hub/locals.tf b/terraform/environments/nomis-data-hub/locals.tf
index 22ce3e32d2b..09aeaa03a8f 100644
--- a/terraform/environments/nomis-data-hub/locals.tf
+++ b/terraform/environments/nomis-data-hub/locals.tf
@@ -47,10 +47,10 @@ locals {
 })
 user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible
 tags = {
- description = "RHEL7.9 NDH App"
- component = "ndh"
- server-type = "ndh-app"
- monitored = false
+ description = "RHEL7.9 NDH App"
+ component = "ndh"
+ server-type = "ndh-app"
+ monitored = false
 instance-scheduling = "skip-scheduling"
 }
 }
@@ -67,10 +67,10 @@ locals {
 })
 user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible
 tags = {
- description = "RHEL7.9 NDH ems"
- component = "ndh"
- server-type = "ndh-ems"
- monitored = false
+ description = "RHEL7.9 NDH ems"
+ component = "ndh"
+ server-type = "ndh-ems"
+ monitored = false
 instance-scheduling = "skip-scheduling"
 }
 }