Merge pull request #4531 from ministryofjustice/less-permissive-db-permissions

less permissive db permissions
wullub authored Jan 16, 2024
2 parents 61ccb5a + 59a31f9 commit 1b92887
Showing 9 changed files with 56 additions and 60 deletions.
52 changes: 51 additions & 1 deletion terraform/environments/hmpps-oem/locals.tf
Expand Up @@ -17,9 +17,9 @@ locals {
enable_image_builder = true
enable_ec2_cloud_watch_agent = true
enable_ec2_self_provision = true
enable_ec2_oracle_enterprise_manager = true
enable_ec2_reduced_ssm_policy = true
enable_ec2_user_keypair = true
enable_ec2_oracle_enterprise_managed_server = true # the oem manager manages itself, so it needs all of these permissions too
enable_shared_s3 = true # adds permissions to ec2s to interact with devtest or prodpreprod buckets
db_backup_s3 = true # adds db backup buckets
cloudwatch_metric_alarms = {}
Expand All @@ -40,6 +40,56 @@ locals {
baseline_ec2_autoscaling_groups = {}
baseline_ec2_instances = {}
baseline_iam_policies = {
Ec2OracleEnterpriseManagerPolicy = {
description = "Permissions required for Oracle Enterprise Manager"
statements = [
{
sid = "S3ListLocation"
effect = "Allow"
actions = [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
]
resources = [
"arn:aws:s3:::*"
]
},
{
sid = "SecretsmanagerReadWriteOracleOem"
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/oracle/*",
]
},
{
sid = "SSMReadAccountIdsOracle"
effect = "Allow"
actions = [
"ssm:GetParameter",
"ssm:GetParameters",
]
resources = [
"arn:aws:ssm:*:*:parameter/account_ids",
"arn:aws:ssm:*:*:parameter/oracle/*",
]
},
{
sid = "SSMWriteOracle"
effect = "Allow"
actions = [
"ssm:PutParameter",
"ssm:PutParameters",
]
resources = [
"arn:aws:ssm:*:*:parameter/oracle/*",
]
}
]
}
DBRefresherPolicy = {
description = "Permissions for the db refresh process"
statements = [
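Review bot: The resource ARNs in the new environment-level `Ec2OracleEnterpriseManagerPolicy` still wildcard the region and account segments (`arn:aws:secretsmanager:*:*:secret:/oracle/*`, `arn:aws:ssm:*:*:parameter/oracle/*`), so the statements are carried over from the module unchanged rather than tightened; now that the policy lives in a single environment it could pin both segments to this account (the AWS provider's `aws_caller_identity` and `aws_region` data sources supply the values), which stops the grant from matching resources in any other account that a future resource policy might expose. `ssm:PutParameters` in the `SSMWriteOracle` statement does not appear to correspond to an SSM API action (the write call is `PutParameter`); it was inherited from the removed module statement, so dropping it is harmless and avoids a reader wondering what it grants. A short comment above the policy, `# OEM manager permissions; attached only to the OEM instance in locals_oem.tf, no longer provided by baseline_presets`, would also help, since the same policy name used to come from the module.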
3 changes: 3 additions & 0 deletions terraform/environments/hmpps-oem/locals_oem.tf
Expand Up @@ -63,6 +63,9 @@ locals {
config = merge(module.baseline_presets.ec2_instance.config.db, {
ami_name = "hmpps_ol_8_5_oracledb_19c_release_2023-08-07T16-14-04.275Z"
ami_owner = "self"
instance_profile_policies = concat(module.baseline_presets.ec2_instance.config.db.instance_profile_policies, [
"Ec2OracleEnterpriseManagerPolicy",
])
})

instance = merge(module.baseline_presets.ec2_instance.instance.default_db, {
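Review bot: Nothing in `locals_oem.tf` tells a reader where `Ec2OracleEnterpriseManagerPolicy` is defined now that `baseline_presets` no longer provides it; a comment on the added `instance_profile_policies` line, `# defined in this environment's locals.tf (baseline_iam_policies), not in baseline_presets`, would save the next person a search through the module. The enclosing `config = merge(...)` block starts before the hunk and the surrounding instance definition continues after it. Building the list with `concat(...)` here while `oasys/locals.tf` uses `flatten([...])` for the same purpose is a minor inconsistency; either form yields the same list, so this is style only.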
1 change: 0 additions & 1 deletion terraform/environments/oasys/locals.tf
Expand Up @@ -129,7 +129,6 @@ locals {
availability_zone = "${local.region}a"
instance_profile_policies = flatten([
module.baseline_presets.ec2_instance.config.db.instance_profile_policies,
"Ec2OracleEnterpriseManagerPolicy"
])
})
instance = merge(module.baseline_presets.ec2_instance.instance.default_db, {
1 change: 1 addition & 0 deletions terraform/environments/oasys/locals_test.tf
Expand Up @@ -630,6 +630,7 @@ locals {
}
}


# The following zones can be found on azure:
# az.justice.gov.uk
# oasys.service.justice.gov.uk
7 changes: 0 additions & 7 deletions terraform/modules/baseline_presets/iam_policies.tf
Expand Up @@ -8,7 +8,6 @@ locals {
var.options.enable_shared_s3 ? ["Ec2AccessSharedS3Policy"] : [],
var.options.enable_ec2_reduced_ssm_policy ? ["SSMManagedInstanceCoreReducedPolicy"] : [],
var.options.enable_ec2_oracle_enterprise_managed_server ? ["OracleEnterpriseManagementSecretsPolicy", "Ec2OracleEnterpriseManagedServerPolicy"] : [],
var.options.enable_ec2_oracle_enterprise_manager ? ["OracleEnterpriseManagementSecretsPolicy", "Ec2OracleEnterpriseManagerPolicy"] : [],
var.options.iam_policies_filter,
"EC2Default",
"EC2Db",
Expand All @@ -35,7 +34,6 @@ locals {
var.options.enable_shared_s3 ? local.iam_policy_statements_ec2.S3ReadSharedWrite : [],
var.options.enable_ec2_reduced_ssm_policy ? local.iam_policy_statements_ec2.SSMManagedInstanceCoreReduced : [],
var.options.enable_ec2_oracle_enterprise_managed_server ? local.iam_policy_statements_ec2.OracleEnterpriseManagedServer : [],
var.options.enable_ec2_oracle_enterprise_manager ? local.iam_policy_statements_ec2.OracleEnterpriseManager : [],
var.options.iam_policy_statements_ec2_default
])

Expand Down Expand Up @@ -116,11 +114,6 @@ locals {
statements = local.iam_policy_statements_ec2.OracleEnterpriseManagedServer
}

Ec2OracleEnterpriseManagerPolicy = {
description = "Permissions required for Oracle Enterprise Manager"
statements = local.iam_policy_statements_ec2.OracleEnterpriseManager
}

SSMManagedInstanceCoreReducedPolicy = {
description = "AmazonSSMManagedInstanceCore minus GetParameters"
statements = local.iam_policy_statements_ec2.SSMManagedInstanceCoreReduced
48 changes: 0 additions & 48 deletions terraform/modules/baseline_presets/iam_policy_statements_ec2.tf
Expand Up @@ -240,54 +240,6 @@ locals {
}
]

OracleEnterpriseManager = [
{
sid = "S3ListLocation"
effect = "Allow"
actions = [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
]
resources = [
"arn:aws:s3:::*"
]
},
{
sid = "SecretsmanagerReadWriteOracle"
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/oracle/*",
]
},
{
sid = "SSMReadAccountIdsOracle"
effect = "Allow"
actions = [
"ssm:GetParameter",
"ssm:GetParameters",
]
resources = [
"arn:aws:ssm:*:*:parameter/account_ids",
"arn:aws:ssm:*:*:parameter/oracle/*",
]
},
{
sid = "SSMWriteOracle"
effect = "Allow"
actions = [
"ssm:PutParameter",
"ssm:PutParameters",
]
resources = [
"arn:aws:ssm:*:*:parameter/oracle/*",
]
}
]

OracleLicenseTracking = [
{
sid = "OracleLicenseTracking"
2 changes: 1 addition & 1 deletion terraform/modules/baseline_presets/iam_roles.tf
Expand Up @@ -2,7 +2,7 @@ locals {

iam_roles_filter = flatten([
var.options.enable_image_builder ? ["EC2ImageBuilderDistributionCrossAccountRole"] : [],
var.options.enable_ec2_oracle_enterprise_managed_server || var.options.enable_ec2_oracle_enterprise_manager ? ["EC2OracleEnterpriseManagementSecretsRole"] : [],
var.options.enable_ec2_oracle_enterprise_managed_server ? ["EC2OracleEnterpriseManagementSecretsRole"] : [],
var.options.enable_observability_platform_monitoring ? ["observability-platform"] : [],
])

1 change: 0 additions & 1 deletion terraform/modules/baseline_presets/ssm.tf
Expand Up @@ -5,7 +5,6 @@ locals {
# the relevant account ids.
account_names_for_account_ids_ssm_parameter = distinct(flatten([
var.options.enable_ec2_oracle_enterprise_managed_server ? ["hmpps-oem-${var.environment.environment}"] : [],
var.options.enable_ec2_oracle_enterprise_manager ? ["hmpps-oem-${var.environment.environment}"] : [],
]))

# add a cloud watch windows SSM param if the file is present
1 change: 0 additions & 1 deletion terraform/modules/baseline_presets/variables.tf
Expand Up @@ -25,7 +25,6 @@ variable "options" {
enable_ec2_self_provision = optional(bool, false)
enable_ec2_reduced_ssm_policy = optional(bool, false)
enable_ec2_oracle_enterprise_managed_server = optional(bool, false)
enable_ec2_oracle_enterprise_manager = optional(bool, false)
enable_ec2_user_keypair = optional(bool, false)
enable_shared_s3 = optional(bool, false)
enable_observability_platform_monitoring = optional(bool, false)
