♻️ Refactor ingress / egress in `analytical-platform-data-product…

…ion` (#6803) * ♻️ Refactor * 🔧 Specify Replication permissions
ministryofjustice · Feb 11, 2025 · 10d8923 · 10d8923
1 parent fefebb4
commit 10d8923
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 171 deletions.
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf
@@ -127,69 +127,3 @@ module "production_replication_iam_policy" {
 
   policy = data.aws_iam_policy_document.production_replication.json
 }
-
-
-data "aws_iam_policy_document" "production_cica_dms_replication" {
-  statement {
-    sid    = "DestinationBucketPermissions"
-    effect = "Allow"
-    actions = [
-      "s3:ReplicateObject",
-      "s3:ObjectOwnerOverrideToBucketOwner",
-      "s3:GetObjectVersionTagging",
-      "s3:ReplicateTags",
-      "s3:ReplicateDelete"
-    ]
-    resources = ["arn:aws:s3:::mojap-ingestion-production-cica-dms-egress/*"]
-  }
-  statement {
-    sid    = "SourceBucketPermissions"
-    effect = "Allow"
-    actions = [
-      "s3:GetReplicationConfiguration",
-      "s3:ListBucket"
-    ]
-    resources = [module.cica_dms_egress_s3.s3_bucket_arn]
-  }
-  statement {
-    sid    = "SourceBucketObjectPermissions"
-    effect = "Allow"
-    actions = [
-      "s3:GetObjectVersionForReplication",
-      "s3:GetObjectVersionAcl",
-      "s3:GetObjectVersionTagging",
-      "s3:ObjectOwnerOverrideToBucketOwner"
-    ]
-    resources = ["${module.cica_dms_egress_s3.s3_bucket_arn}/*"]
-  }
-  statement {
-    sid    = "SourceBucketKMSKey"
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey"
-    ]
-    resources = [module.production_cica_dms_kms.key_arn]
-  }
-  statement {
-    sid    = "DestinationBucketKMSKey"
-    effect = "Allow"
-    actions = [
-      "kms:Encrypt",
-      "kms:GenerateDataKey"
-    ]
-    resources = ["arn:aws:kms:eu-west-2:471112983409:key/d6969401-8722-4f00-9cb4-2c6261515b02"]
-  }
-}
-
-module "production_replication_cica_dms_iam_policy" {
-  #checkov:skip=CKV_TF_1:Module is from Terraform registry
-  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.52.2"
-
-  name_prefix = "mojap-data-production-cica-dms-egress-production"
-
-  policy = data.aws_iam_policy_document.production_cica_dms_replication.json
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf
@@ -31,20 +31,3 @@ module "production_replication_iam_role" {
 
   custom_role_policy_arns = [module.production_replication_iam_policy.arn]
 }
-
-module "production_replication_cica_dms_iam_role" {
-  #checkov:skip=CKV_TF_1:Module is from Terraform registry
-  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "5.52.2"
-
-  create_role = true
-
-  role_name         = "mojap-data-production-cica-dms-egress-production"
-  role_requires_mfa = false
-
-  trusted_role_services = ["s3.amazonaws.com"]
-
-  custom_role_policy_arns = [module.production_replication_iam_policy.arn]
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf
@@ -67,18 +67,3 @@ module "production_kms_eu_west_1_replica" {
 
   deletion_window_in_days = 7
 }
-
-module "production_cica_dms_kms" {
-  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
-  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
-  source  = "terraform-aws-modules/kms/aws"
-  version = "3.1.1"
-
-  aliases               = ["s3/mojap-data-production-cica-dms-egress-production"]
-  description           = "MoJ AP CICA DMS Egress - Production"
-  enable_default_policy = true
-  multi_region          = true
-
-  deletion_window_in_days = 7
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf
@@ -143,76 +143,3 @@ module "production_s3" {
     }
   }
 }
-
-#tfsec:ignore:AVD-AWS-0088:Bucket is encrypted with CMK KMS, but not detected by Trivy
-#tfsec:ignore:AVD-AWS-0089:Bucket logging not enabled currently
-#tfsec:ignore:AVD-AWS-0132:Bucket is encrypted with CMK KMS, but not detected by Trivy
-module "cica_dms_egress_s3" {
-  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
-  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-  #checkov:skip=CKV_AWS_18:Access logging not enabled currently
-  #checkov:skip=CKV_AWS_21:Versioning is enabled, but not detected by Checkov
-  #checkov:skip=CKV_AWS_145:Bucket is encrypted with CMK KMS, but not detected by Checkov
-  #checkov:skip=CKV_AWS_300:Lifecycle configuration not enabled currently
-  #checkov:skip=CKV_AWS_144:Cross-region replication is not required currently
-  #checkov:skip=CKV2_AWS_6:Public access block is enabled, but not detected by Checkov
-  #checkov:skip=CKV2_AWS_61:Lifecycle configuration not enabled currently
-  #checkov:skip=CKV2_AWS_62:Bucket notifications not required currently
-  #checkov:skip=CKV2_AWS_67:Regular CMK key rotation is not required currently
-
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "4.5.0"
-
-  bucket        = "mojap-data-production-cica-dms-egress-production"
-  force_destroy = true
-
-  versioning = {
-    enabled = true
-  }
-
-  replication_configuration = {
-    role = module.production_replication_cica_dms_iam_role.iam_role_arn
-    rules = [
-      {
-        id                        = "mojap-ingestion-cica-dms-egress"
-        status                    = "Enabled"
-        delete_marker_replication = true
-
-        source_selection_criteria = {
-          sse_kms_encrypted_objects = {
-            enabled = true
-          }
-        }
-
-        destination = {
-          account_id    = "471112983409"
-          bucket        = "arn:aws:s3:::mojap-ingestion-production-cica-dms-egress"
-          storage_class = "STANDARD"
-          access_control_translation = {
-            owner = "Destination"
-          }
-          encryption_configuration = {
-            replica_kms_key_id = "arn:aws:kms:eu-west-2:593291632749:key/mrk-0148560792c648ccb8cf051ee32e358c"
-          }
-          metrics = {
-            status  = "Enabled"
-            minutes = 15
-          }
-          replication_time = {
-            status  = "Enabled"
-            minutes = 15
-          }
-        }
-      }
-    ]
-  }
-
-  server_side_encryption_configuration = {
-    rule = {
-      apply_server_side_encryption_by_default = {
-        kms_master_key_id = module.production_cica_dms_kms.key_arn
-        sse_algorithm     = "aws:kms"
-      }
-    }
-  }
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf b/terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf
@@ -0,0 +1,14 @@
+module "production_cica_dms_kms" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+  source  = "terraform-aws-modules/kms/aws"
+  version = "3.1.1"
+
+  aliases               = ["s3/mojap-data-production-cica-dms-ingress-production"]
+  description           = "MoJ AP CICA DMS Ibgress - Production"
+  enable_default_policy = true
+  multi_region          = true
+
+  deletion_window_in_days = 7
+}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf b/terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf
@@ -0,0 +1,58 @@
+data "aws_iam_policy_document" "cica_dms_ingress_bucket_policy" {
+  statement {
+    sid    = "ReplicationPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::471112983409:role/cica-dms-ingress-production-replication"]
+    }
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ObjectOwnerOverrideToBucketOwner",
+      "s3:GetObjectVersionTagging",
+      "s3:ReplicateTags",
+      "s3:ReplicateDelete"
+    ]
+    resources = ["arn:aws:s3:::mojap-data-production-cica-dms-ingress-production/*"]
+  }
+}
+
+#tfsec:ignore:AVD-AWS-0088:Bucket is encrypted with CMK KMS, but not detected by Trivy
+#tfsec:ignore:AVD-AWS-0089:Bucket logging not enabled currently
+#tfsec:ignore:AVD-AWS-0132:Bucket is encrypted with CMK KMS, but not detected by Trivy
+module "cica_dms_ingress_s3" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+  #checkov:skip=CKV_AWS_18:Access logging not enabled currently
+  #checkov:skip=CKV_AWS_21:Versioning is enabled, but not detected by Checkov
+  #checkov:skip=CKV_AWS_145:Bucket is encrypted with CMK KMS, but not detected by Checkov
+  #checkov:skip=CKV_AWS_300:Lifecycle configuration not enabled currently
+  #checkov:skip=CKV_AWS_144:Cross-region replication is not required currently
+  #checkov:skip=CKV2_AWS_6:Public access block is enabled, but not detected by Checkov
+  #checkov:skip=CKV2_AWS_61:Lifecycle configuration not enabled currently
+  #checkov:skip=CKV2_AWS_62:Bucket notifications not required currently
+  #checkov:skip=CKV2_AWS_67:Regular CMK key rotation is not required currently
+
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.5.0"
+
+  bucket = "mojap-data-production-cica-dms-ingress-production"
+
+  force_destroy = true
+
+  versioning = {
+    enabled = true
+  }
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.cica_dms_ingress_bucket_policy.json
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = module.production_cica_dms_kms.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}