remove roles and add new secret

iac/main/resources/redshift.yml

@@ -24,24 +24,13 @@ IAMRoleRedshiftServerless:
                 - 's3:ListBucket'
                 - 's3:ListBucketMultipartUploads'
                 - 's3:PutObject'
-              Resource: !If
-                - IsADMEnvironment
-                - - !Sub 'arn:aws:s3:::${RawLayerBucket}'
-                  - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
-                  - !Sub 'arn:aws:s3:::${StageLayerBucket}'
-                  - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
-                  - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
-                  - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
-                  # Cost Usage Report buckets in SRE account
-                  - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared
-                  - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared/*
-                - - !Sub 'arn:aws:s3:::${RawLayerBucket}'
-                  - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
-                  - !Sub 'arn:aws:s3:::${StageLayerBucket}'
-                  - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
-                  - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
-                  - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
-
+              Resource:
+                - !Sub 'arn:aws:s3:::${RawLayerBucket}'
+                - !Sub 'arn:aws:s3:::${RawLayerBucket}/*'
+                - !Sub 'arn:aws:s3:::${StageLayerBucket}'
+                - !Sub 'arn:aws:s3:::${StageLayerBucket}/*'
+                - !Sub 'arn:aws:s3:::${ELTMetadataBucket}'
+                - !Sub 'arn:aws:s3:::${ELTMetadataBucket}/*'
             - Effect: Allow
               Resource: !Sub arn:aws:glue:eu-west-2:${AWS::AccountId}:*
               Action:

iac/main/resources/sustainability.yml

@@ -1,155 +1,10 @@
-SustainabilityBucket:
-  Type: 'AWS::S3::Bucket'
-  Properties:
-    AccessControl: Private
-    BucketName: !Sub ${Environment}-dap-sustainability
-    LoggingConfiguration:
-      DestinationBucketName: !Ref GlobalLogBucket
-      LogFilePrefix: dap-sustainability/log
-    PublicAccessBlockConfiguration:
-      BlockPublicAcls: true
-      BlockPublicPolicy: true
-      IgnorePublicAcls: true
-      RestrictPublicBuckets: true
-    VersioningConfiguration:
-      Status: Enabled
-    # NotificationConfiguration:
-    #   TopicConfigurations:
-    #     - Event: s3:Replication:OperationFailedReplication
-    #       Topic: !Ref SNSAlertTopic
-    LifecycleConfiguration:
-      # Permanently removing files after 40 days
-      Rules:
-        - Id: CleanupRule
-          Status: Enabled
-          ExpirationInDays: 30
-          NoncurrentVersionExpiration:
-            NoncurrentDays: 10
-    ReplicationConfiguration:
-      Role: !GetAtt SustainabilityBucketRole.Arn
-      Rules:
-        - Id: SustainabilityBucketRule
-          Status: Enabled
-          Priority: 1
-          DeleteMarkerReplication:
-            Status: Enabled
-          Destination:
-            Bucket: !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared'
-            Metrics:
-              Status: Enabled
-          Filter:
-            Prefix: ''
-
-SustainabilityBucketPolicy:
-  Type: AWS::S3::BucketPolicy
-  Properties:
-    Bucket: !Ref SustainabilityBucket
-    PolicyDocument:
-      Version: 2012-10-17
-      Statement:
-        - Effect: Deny
-          Action: 's3:*'
-          Resource: !Sub ${SustainabilityBucket.Arn}/*
-          Principal: '*'
-          Condition:
-            Bool:
-              aws:SecureTransport: false
-        - Effect: Allow
-          Action:
-            - 's3:PutObject'
-            - 's3:GetBucketLocation'
-            - 's3:ListBucket'
-          Resource:
-            - !Sub ${SustainabilityBucket.Arn}
-            - !Sub ${SustainabilityBucket.Arn}/*
-          Principal:
-            AWS: !GetAtt IAMRoleRedshiftServerless.Arn
-
-SustainabilityBucketIamPolicy:
-  Type: 'AWS::IAM::Policy'
-  Properties:
-    PolicyDocument:
-      Statement:
-        - Action:
-            - 's3:GetReplicationConfiguration'
-            - 's3:ListBucket'
-            - 's3:GetObjectVersionForReplication'
-            - 's3:GetObjectVersionAcl'
-          Effect: Allow
-          Resource:
-            - !Sub ${SustainabilityBucket.Arn}
-            - !Sub ${SustainabilityBucket.Arn}/*
-        - Action:
-            - 's3:ReplicateObject'
-            - 's3:ReplicateDelete'
-          Effect: Allow
-          Resource:
-            - !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared'
-            - !Sub 'arn:aws:s3:::production-dap-sustainability-921370741319-shared/*'
-    PolicyName: !Sub ${Environment}-dap-sustainabilityBucketIamPolicy
-    Roles:
-      - !Ref SustainabilityBucketRole
-
-SustainabilityBucketRole:
-  Type: 'AWS::IAM::Role'
-  Properties:
-    AssumeRolePolicyDocument:
-      Statement:
-        - Action:
-            - 'sts:AssumeRole'
-          Effect: Allow
-          Principal:
-            Service:
-              - s3.amazonaws.com
-
-SREAccountId:
+SustainabilityAccountIds:
   #checkov:skip=CKV_AWS_149:We will use aws managed kms key
   Type: AWS::SecretsManager::Secret
   DeletionPolicy: Retain
   UpdateReplacePolicy: Retain
   Condition: IsADMEnvironment
   Properties:
     Description: 'a secret to store account id for SRE account'
-    Name: SRE-account-id-secret
-    SecretString: '{"accountId":"xxx"}'
-
-SustainabilityCrawlerRole:
-  Type: AWS::IAM::Role
-  Condition: IsADMEnvironment
-  Properties:
-    RoleName: !Sub ${Environment}-sustainability-glue-crawler-role
-    AssumeRolePolicyDocument:
-      Version: '2012-10-17'
-      Statement:
-        - Effect: Allow
-          Principal:
-            Service: [glue.amazonaws.com]
-          Action: ['sts:AssumeRole']
-    ManagedPolicyArns:
-      - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
-    Path: /
-    Policies:
-      - PolicyName: !Sub ${Environment}-sustainability-glue-crawler-policy
-        PolicyDocument:
-          Version: '2012-10-17'
-          Statement:
-            - Effect: Allow
-              Action:
-                - 'glue:GetConnection'
-                - 'glue:GetCrawler'
-                - 'glue:CreateTable'
-                - 'glue:UpdateCrawler'
-                - 'glue:CreatePartition'
-                - 'glue:BatchCreatePartition'
-              Resource: '*'
-            - Effect: Allow
-              Action:
-                - 's3:GetObject'
-                - 's3:ListObject'
-              Resource:
-                # Cost Usage Report buckets in SRE account
-                - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared
-                - !Sub arn:aws:s3:::cid-{{resolve:secretsmanager:SRE-account-id-secret:SecretString:accountId}}-shared/*
-            - Effect: Allow
-              Action: 'logs:AssociateKmsKey'
-              Resource: 'arn:aws:logs:*:*:/aws-glue/*'
+    Name: cur-account-ids
+    SecretString: '{"ct-shared-services":"xxx", "source-bill-payer": "xxx"}'