From 54dfca21eb5d787341d2f4ab9d003734a2b91fe8 Mon Sep 17 00:00:00 2001
From: Adnan Hassan
Date: Tue, 18 Feb 2025 12:50:02 +0000
Subject: [PATCH 1/4] remove roles and add new secret
---
iac/main/resources/redshift.yml | 9 --
iac/main/resources/sustainability.yml | 150 +------------------------------
2 files changed, 3 insertions(+), 156 deletions(-)
diff --git a/iac/main/resources/redshift.yml b/iac/main/resources/redshift.yml
index 953708ad..3cad25a6 100644
--- a/iac/main/resources/redshift.yml
+++ b/iac/main/resources/redshift.yml
@@ -32,15 +32,6 @@ IAMRoleRedshiftServerless:
- !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
- !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
- !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
- # Cost Usage Report buckets in SRE account
- - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared
- - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared/*
- - - !Sub 'arn:aws:s3:::${RawLayerBucket}'
- - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
- - !Sub 'arn:aws:s3:::${StageLayerBucket}'
- - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
- - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
- - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
- Effect: Allow
Resource: !Sub arn:aws:glue:eu-west-2:${AWS::AccountId}:*
diff --git a/iac/main/resources/sustainability.yml b/iac/main/resources/sustainability.yml
index fb47f9ca..b5af7a60 100644
--- a/iac/main/resources/sustainability.yml
+++ b/iac/main/resources/sustainability.yml
@@ -1,108 +1,5 @@
-SustainabilityBucket:
- Type: 'AWS::S3::Bucket'
- Properties:
- AccessControl: Private
- BucketName: !Sub ${Environment}-dap-sustainability
- LoggingConfiguration:
- DestinationBucketName: !Ref GlobalLogBucket
- LogFilePrefix: dap-sustainability/log
- PublicAccessBlockConfiguration:
- BlockPublicAcls: true
- BlockPublicPolicy: true
- IgnorePublicAcls: true
- RestrictPublicBuckets: true
- VersioningConfiguration:
- Status: Enabled
- # NotificationConfiguration:
- # TopicConfigurations:
- # - Event: s3:Replication:OperationFailedReplication
- # Topic: !Ref SNSAlertTopic
- LifecycleConfiguration:
- # Permanently removing files after 40 days
- Rules:
- - Id: CleanupRule
- Status: Enabled
- ExpirationInDays: 30
- NoncurrentVersionExpiration:
- NoncurrentDays: 10
- ReplicationConfiguration:
- Role: !GetAtt SustainabilityBucketRole.Arn
- Rules:
- - Id: SustainabilityBucketRule
- Status: Enabled
- Priority: 1
- DeleteMarkerReplication:
- Status: Enabled
- Destination:
- Bucket: !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared'
- Metrics:
- Status: Enabled
- Filter:
- Prefix: ''
-
-SustainabilityBucketPolicy:
- Type: AWS::S3::BucketPolicy
- Properties:
- Bucket: !Ref SustainabilityBucket
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Deny
- Action: 's3:*'
- Resource: !Sub ${SustainabilityBucket.Arn}/*
- Principal: '*'
- Condition:
- Bool:
- aws:SecureTransport: false
- - Effect: Allow
- Action:
- - 's3:PutObject'
- - 's3:GetBucketLocation'
- - 's3:ListBucket'
- Resource:
- - !Sub ${SustainabilityBucket.Arn}
- - !Sub ${SustainabilityBucket.Arn}/*
- Principal:
- AWS: !GetAtt IAMRoleRedshiftServerless.Arn
-
-SustainabilityBucketIamPolicy:
- Type: 'AWS::IAM::Policy'
- Properties:
- PolicyDocument:
- Statement:
- - Action:
- - 's3:GetReplicationConfiguration'
- - 's3:ListBucket'
- - 's3:GetObjectVersionForReplication'
- - 's3:GetObjectVersionAcl'
- Effect: Allow
- Resource:
- - !Sub ${SustainabilityBucket.Arn}
- - !Sub ${SustainabilityBucket.Arn}/*
- - Action:
- - 's3:ReplicateObject'
- - 's3:ReplicateDelete'
- Effect: Allow
- Resource:
- - !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared'
- - !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared/*'
- PolicyName: !Sub ${Environment}-dap-sustainabilityBucketIamPolicy
- Roles:
- - !Ref SustainabilityBucketRole
-SustainabilityBucketRole:
- Type: 'AWS::IAM::Role'
- Properties:
- AssumeRolePolicyDocument:
- Statement:
- - Action:
- - 'sts:AssumeRole'
- Effect: Allow
- Principal:
- Service:
- - s3.amazonaws.com
-
-SREAccountId:
+SustainabilityAccountIds:
#checkov:skip=CKV_AWS_149:We will use aws managed kms key
Type: AWS::SecretsManager::Secret
DeletionPolicy: Retain
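Review bot: Renaming the logical ID `SREAccountId` to `SustainabilityAccountIds` (together with the `Name` change in the next hunk) is a resource replacement, and the `DeletionPolicy: Retain` context line here means the old `SRE-account-id-secret` stays in Secrets Manager, unmanaged by the stack, after the update. Nothing in the patch removes it or says who will, and a template outside these two files that still uses `{{resolve:secretsmanager:SRE-account-id-secret:...}}` would keep resolving against that orphan without error. A comment above the new resource would make the hand-off explicit, e.g. `# Replaces SREAccountId (SRE-account-id-secret); the old secret is retained by its DeletionPolicy and must be removed manually once nothing references it`, and the commit message should name the cleanup step. The resource's `Condition` and `Properties` continue in the next hunk.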
@@ -110,46 +7,5 @@ SREAccountId:
Condition: IsADMEnvironment
Properties:
Description: 'a secret to store account id for SRE account'
- Name: SRE-account-id-secret
- SecretString: '{"accountId":"xxx"}'
-
-SustainabilityCrawlerRole:
- Type: AWS::IAM::Role
- Condition: IsADMEnvironment
- Properties:
- RoleName: !Sub ${Environment}-sustainability-glue-crawler-role
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- Service: [glue.amazonaws.com]
- Action: ['sts:AssumeRole']
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
- Path: /
- Policies:
- - PolicyName: !Sub ${Environment}-sustainability-glue-crawler-policy
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - 'glue:GetConnection'
- - 'glue:GetCrawler'
- - 'glue:CreateTable'
- - 'glue:UpdateCrawler'
- - 'glue:CreatePartition'
- - 'glue:BatchCreatePartition'
- Resource: '*'
- - Effect: Allow
- Action:
- - 's3:GetObject'
- - 's3:ListObject'
- Resource:
- # Cost Usage Report buckets in SRE account
- - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared
- - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared/*
- - Effect: Allow
- Action: 'logs:AssociateKmsKey'
- Resource: 'arn:aws:logs:*:*:/aws-glue/*'
+ Name: cur-account-ids
+ SecretString: '{"ct-shared-services":"xxx", "source-bill-payer": "xxx"}'
From 63c07bc8f33059ea0c22297be6963d04c735e63b Mon Sep 17 00:00:00 2001
From: Adnan Hassan
Date: Tue, 18 Feb 2025 12:53:17 +0000
Subject: [PATCH 2/4] lint
---
iac/main/resources/sustainability.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/iac/main/resources/sustainability.yml b/iac/main/resources/sustainability.yml
index b5af7a60..e07f13b1 100644
--- a/iac/main/resources/sustainability.yml
+++ b/iac/main/resources/sustainability.yml
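Review bot: The `Description` context line still reads 'a secret to store account id for SRE account', which no longer matches the added `Name: cur-account-ids` or the two keys `ct-shared-services` and `source-bill-payer` in the new `SecretString`; something like `Description: 'account ids for ct-shared-services and source-bill-payer (placeholder values, real ids are set outside this template)'` would keep it honest. Because the template carries `"xxx"` placeholders, the real values are presumably written to the secret after deployment, so any later edit to the `SecretString` line (adding or renaming a key) will have the next stack update overwrite them with the placeholders again; a one-line comment above `SecretString` warning about that is worth adding. Which resources `{{resolve:...}}` the new keys is not visible in this patch, and the references to the old secret in redshift.yml are removed in the first hunk.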
@@ -1,4 +1,3 @@
-
SustainabilityAccountIds:
#checkov:skip=CKV_AWS_149:We will use aws managed kms key
Type: AWS::SecretsManager::Secret
From d549de9814afd92069f798f50088edacf4d1ea09 Mon Sep 17 00:00:00 2001
From: Adnan Hassan
Date: Tue, 18 Feb 2025 12:55:16 +0000
Subject: [PATCH 3/4] format
---
iac/main/resources/redshift.yml | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/iac/main/resources/redshift.yml b/iac/main/resources/redshift.yml
index 3cad25a6..79c07e5e 100644
--- a/iac/main/resources/redshift.yml
+++ b/iac/main/resources/redshift.yml
@@ -24,15 +24,13 @@ IAMRoleRedshiftServerless:
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
- Resource: !If
- - IsADMEnvironment
- - - !Sub 'arn:aws:s3:::${RawLayerBucket}'
- - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
- - !Sub 'arn:aws:s3:::${StageLayerBucket}'
- - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
- - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
- - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
-
+ Resource:
+ - !Sub 'arn:aws:s3:::${RawLayerBucket}'
+ - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
+ - !Sub 'arn:aws:s3:::${StageLayerBucket}'
+ - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
+ - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
+ - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
- Effect: Allow
Resource: !Sub arn:aws:glue:eu-west-2:${AWS::AccountId}:*
Action:
From 0081e04c8fe01e6901f41b4e1f3c97ae61f26e08 Mon Sep 17 00:00:00 2001
From: Adnan Hassan
Date: Tue, 18 Feb 2025 12:56:46 +0000
Subject: [PATCH 4/4] lint
---
iac/main/resources/redshift.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iac/main/resources/redshift.yml b/iac/main/resources/redshift.yml
index 79c07e5e..e0d0010b 100644
--- a/iac/main/resources/redshift.yml
+++ b/iac/main/resources/redshift.yml
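Review bot: The subject `format` understates the redshift.yml hunk in patch 3, which removes the `!If IsADMEnvironment` wrapper from the Redshift role's S3 `Resource` and so deletes a condition from an IAM policy rather than reformatting it. Reading the first patch, the else branch of that `!If` (the nested `- - !Sub 'arn:aws:s3:::${RawLayerBucket}'` line) was removed there, which appears to have left a two-element `!If` that CloudFormation would reject; since both branches listed the same six bucket ARNs, dropping the condition looks equivalent, but that reasoning should be in the commit message so an audit of IAM changes does not have to reconstruct it from the series. A short comment above `Resource:` such as `# same bucket set in every environment; the former IsADMEnvironment branches were identical` would also help. The enclosing `IAMRoleRedshiftServerless` statement starts and ends outside the hunk.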
@@ -24,7 +24,7 @@ IAMRoleRedshiftServerless:
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
- Resource:
+ Resource:
- !Sub 'arn:aws:s3:::${RawLayerBucket}'
- !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
- !Sub 'arn:aws:s3:::${StageLayerBucket}'