From 10d89234d96c5678993c113565ed6d2cbacbc6bb Mon Sep 17 00:00:00 2001
From: Gary <26419401+Gary-H9@users.noreply.github.com>
Date: Tue, 11 Feb 2025 11:52:13 +0000
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Refactor=20`ingress`=20/?=
=?UTF-8?q?=20`egress`=20in=20`analytical-platform-data-production`=20(#68?=
=?UTF-8?q?03)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* ♻️ Refactor
* :wrench: Specify Replication permissions
---
.../ingestion-egress/iam-policies.tf | 66 -----------------
.../ingestion-egress/iam-roles.tf | 17 -----
.../ingestion-egress/kms-keys.tf | 15 ----
.../ingestion-egress/s3.tf | 73 -------------------
.../ingestion-ingress/kms-keys.tf | 14 ++++
.../ingestion-ingress/s3.tf | 58 +++++++++++++++
6 files changed, 72 insertions(+), 171 deletions(-)
create mode 100644 terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf
create mode 100644 terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf
index c555112619..e4d16c4471 100644
--- a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf
+++ b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-policies.tf
@@ -127,69 +127,3 @@ module "production_replication_iam_policy" {
 policy = data.aws_iam_policy_document.production_replication.json
 }
-
-
-data "aws_iam_policy_document" "production_cica_dms_replication" {
- statement {
- sid = "DestinationBucketPermissions"
- effect = "Allow"
- actions = [
- "s3:ReplicateObject",
- "s3:ObjectOwnerOverrideToBucketOwner",
- "s3:GetObjectVersionTagging",
- "s3:ReplicateTags",
- "s3:ReplicateDelete"
- ]
- resources = ["arn:aws:s3:::mojap-ingestion-production-cica-dms-egress/*"]
- }
- statement {
- sid = "SourceBucketPermissions"
- effect = "Allow"
- actions = [
- "s3:GetReplicationConfiguration",
- "s3:ListBucket"
- ]
- resources = [module.cica_dms_egress_s3.s3_bucket_arn]
- }
- statement {
- sid = "SourceBucketObjectPermissions"
- effect = "Allow"
- actions = [
- "s3:GetObjectVersionForReplication",
- "s3:GetObjectVersionAcl",
- "s3:GetObjectVersionTagging",
- "s3:ObjectOwnerOverrideToBucketOwner"
- ]
- resources = ["${module.cica_dms_egress_s3.s3_bucket_arn}/*"]
- }
- statement {
- sid = "SourceBucketKMSKey"
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ]
- resources = [module.production_cica_dms_kms.key_arn]
- }
- statement {
- sid = "DestinationBucketKMSKey"
- effect = "Allow"
- actions = [
- "kms:Encrypt",
- "kms:GenerateDataKey"
- ]
- resources = ["arn:aws:kms:eu-west-2:471112983409:key/d6969401-8722-4f00-9cb4-2c6261515b02"]
- }
-}
-
-module "production_replication_cica_dms_iam_policy" {
- #checkov:skip=CKV_TF_1:Module is from Terraform registry
- #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
- source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.52.2"
-
- name_prefix = "mojap-data-production-cica-dms-egress-production"
-
- policy = data.aws_iam_policy_document.production_cica_dms_replication.json
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf
index 99b9478e94..8e61616d59 100644
--- a/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf
+++ b/terraform/aws/analytical-platform-data-production/ingestion-egress/iam-roles.tf
@@ -31,20 +31,3 @@ module "production_replication_iam_role" {
 custom_role_policy_arns = [module.production_replication_iam_policy.arn]
 }
-
-module "production_replication_cica_dms_iam_role" {
- #checkov:skip=CKV_TF_1:Module is from Terraform registry
- #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.52.2"
-
- create_role = true
-
- role_name = "mojap-data-production-cica-dms-egress-production"
- role_requires_mfa = false
-
- trusted_role_services = ["s3.amazonaws.com"]
-
- custom_role_policy_arns = [module.production_replication_iam_policy.arn]
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf
index a5aea2ebb3..768868d3fc 100644
--- a/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf
+++ b/terraform/aws/analytical-platform-data-production/ingestion-egress/kms-keys.tf
@@ -67,18 +67,3 @@ module "production_kms_eu_west_1_replica" {
 deletion_window_in_days = 7
 }
-
-module "production_cica_dms_kms" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
- #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
- source = "terraform-aws-modules/kms/aws"
- version = "3.1.1"
-
- aliases = ["s3/mojap-data-production-cica-dms-egress-production"]
- description = "MoJ AP CICA DMS Egress - Production"
- enable_default_policy = true
- multi_region = true
-
- deletion_window_in_days = 7
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf b/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf
index 059ab55122..5c8fdb1bd5 100644
--- a/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf
+++ b/terraform/aws/analytical-platform-data-production/ingestion-egress/s3.tf
@@ -143,76 +143,3 @@ module "production_s3" {
 }
 }
 }
-
-#tfsec:ignore:AVD-AWS-0088:Bucket is encrypted with CMK KMS, but not detected by Trivy
-#tfsec:ignore:AVD-AWS-0089:Bucket logging not enabled currently
-#tfsec:ignore:AVD-AWS-0132:Bucket is encrypted with CMK KMS, but not detected by Trivy
-module "cica_dms_egress_s3" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
- #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
- #checkov:skip=CKV_AWS_18:Access logging not enabled currently
- #checkov:skip=CKV_AWS_21:Versioning is enabled, but not detected by Checkov
- #checkov:skip=CKV_AWS_145:Bucket is encrypted with CMK KMS, but not detected by Checkov
- #checkov:skip=CKV_AWS_300:Lifecycle configuration not enabled currently
- #checkov:skip=CKV_AWS_144:Cross-region replication is not required currently
- #checkov:skip=CKV2_AWS_6:Public access block is enabled, but not detected by Checkov
- #checkov:skip=CKV2_AWS_61:Lifecycle configuration not enabled currently
- #checkov:skip=CKV2_AWS_62:Bucket notifications not required currently
- #checkov:skip=CKV2_AWS_67:Regular CMK key rotation is not required currently
-
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.5.0"
-
- bucket = "mojap-data-production-cica-dms-egress-production"
- force_destroy = true
-
- versioning = {
- enabled = true
- }
-
- replication_configuration = {
- role = module.production_replication_cica_dms_iam_role.iam_role_arn
- rules = [
- {
- id = "mojap-ingestion-cica-dms-egress"
- status = "Enabled"
- delete_marker_replication = true
-
- source_selection_criteria = {
- sse_kms_encrypted_objects = {
- enabled = true
- }
- }
-
- destination = {
- account_id = "471112983409"
- bucket = "arn:aws:s3:::mojap-ingestion-production-cica-dms-egress"
- storage_class = "STANDARD"
- access_control_translation = {
- owner = "Destination"
- }
- encryption_configuration = {
- replica_kms_key_id = 
"arn:aws:kms:eu-west-2:593291632749:key/mrk-0148560792c648ccb8cf051ee32e358c"
- }
- metrics = {
- status = "Enabled"
- minutes = 15
- }
- replication_time = {
- status = "Enabled"
- minutes = 15
- }
- }
- }
- ]
- }
-
- server_side_encryption_configuration = {
- rule = {
- apply_server_side_encryption_by_default = {
- kms_master_key_id = module.production_cica_dms_kms.key_arn
- sse_algorithm = "aws:kms"
- }
- }
- }
-}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf b/terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf
new file mode 100644
index 0000000000..0788beb5de
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/ingestion-ingress/kms-keys.tf
@@ -0,0 +1,14 @@
+module "production_cica_dms_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+ source = "terraform-aws-modules/kms/aws"
+ version = "3.1.1"
+
+ aliases = ["s3/mojap-data-production-cica-dms-ingress-production"]
+ description = "MoJ AP CICA DMS Ibgress - Production"
+ enable_default_policy = true
+ multi_region = true
+
+ deletion_window_in_days = 7
+}
diff --git a/terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf b/terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf
new file mode 100644
index 0000000000..223fdf048a
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/ingestion-ingress/s3.tf
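Review bot: The new `module "production_cica_dms_kms"` is created with `enable_default_policy = true` and nothing else, so its key policy delegates only to this account's IAM, while the bucket policy added in ingestion-ingress/s3.tf admits a replication role from account 471112983409; that external role gets no path to `kms:Encrypt` / `kms:GenerateDataKey` on this key, so SSE-KMS replicas written with `kms_master_key_id = module.production_cica_dms_kms.key_arn` would be refused unless the grant is made in a file outside this diff. The removed egress policy's `DestinationBucketKMSKey` statement is the mirror of what the source account needs on its side; the matching piece here is a key-policy statement allowing that role ARN, for example through the module's `key_statements` input, and it should be named in a comment on the module either way. Separately, `description = "MoJ AP CICA DMS Ibgress - Production"` misspells Ingress.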
@@ -0,0 +1,58 @@
+data "aws_iam_policy_document" "cica_dms_ingress_bucket_policy" {
+ statement {
+ sid = "ReplicationPermissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::471112983409:role/cica-dms-ingress-production-replication"]
+ }
+ actions = [
+ "s3:ReplicateObject",
+ "s3:ObjectOwnerOverrideToBucketOwner",
+ "s3:GetObjectVersionTagging",
+ "s3:ReplicateTags",
+ "s3:ReplicateDelete"
+ ]
+ resources = ["arn:aws:s3:::mojap-data-production-cica-dms-ingress-production/*"]
+ }
+}
+
+#tfsec:ignore:AVD-AWS-0088:Bucket is encrypted with CMK KMS, but not detected by Trivy
+#tfsec:ignore:AVD-AWS-0089:Bucket logging not enabled currently
+#tfsec:ignore:AVD-AWS-0132:Bucket is encrypted with CMK KMS, but not detected by Trivy
+module "cica_dms_ingress_s3" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+ #checkov:skip=CKV_AWS_18:Access logging not enabled currently
+ #checkov:skip=CKV_AWS_21:Versioning is enabled, but not detected by Checkov
+ #checkov:skip=CKV_AWS_145:Bucket is encrypted with CMK KMS, but not detected by Checkov
+ #checkov:skip=CKV_AWS_300:Lifecycle configuration not enabled currently
+ #checkov:skip=CKV_AWS_144:Cross-region replication is not required currently
+ #checkov:skip=CKV2_AWS_6:Public access block is enabled, but not detected by Checkov
+ #checkov:skip=CKV2_AWS_61:Lifecycle configuration not enabled currently
+ #checkov:skip=CKV2_AWS_62:Bucket notifications not required currently
+ #checkov:skip=CKV2_AWS_67:Regular CMK key rotation is not required currently
+
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.5.0"
+
+ bucket = "mojap-data-production-cica-dms-ingress-production"
+
+ force_destroy = true
+
+ versioning = {
+ enabled = true
+ }
+
+ attach_policy = true
+ policy = data.aws_iam_policy_document.cica_dms_ingress_bucket_policy.json
+ 
server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ kms_master_key_id = module.production_cica_dms_kms.key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
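Review bot: `force_destroy = true` on `module "cica_dms_ingress_s3"` lets a `terraform destroy`, or a replacement of the bucket resource, delete every object version in a production ingress bucket; the removed egress bucket carried the same flag, but it was at least replicated onward, whereas nothing in this diff replicates the ingress bucket anywhere (`CKV_AWS_144` is skipped as not required). Unless emptying this bucket from Terraform is intended, change it to `force_destroy = false`, or add a comment stating why production data may be destroyed this way. The `#tfsec:ignore` and `#checkov:skip` block is copied verbatim from the removed egress module, so each justification is worth re-reading against the new bucket, in particular `CKV2_AWS_67` on rotation for the freshly created CMK, and `CKV_AWS_18` on access logging for a bucket that now accepts writes from another account.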