WIP - Add S3 bucket, KMS, custom policy

ministryofjustice · Mar 26, 2024 · 6d5754e · 6d5754e
1 parent 09ef147
commit 6d5754e
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 3 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf
@@ -1,2 +1,11 @@
 #### This file can be used to store data specific to the member account ####
 data "aws_availability_zones" "available" {}
+
+data "aws_iam_policy_document" "s3_download_kms_policy" {
+  statement {
+    sid       = "AllowS3Download"
+    effect    = "Allow"
+    actions   = ["kms:Decrypt"]
+    resources = ["*"]
+  }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -46,6 +46,18 @@ module "s3_definitions_kms" {
   deletion_window_in_days = 7
 }
 
+module "s3_download_kms" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/kms/aws"
+  version = "2.2.1"
+
+  aliases               = ["s3/download"]
+  description           = "Used in the download S3 object"
+  enable_default_policy = true
+
+  deletion_window_in_days = 7
+}
+
 module "sns_kms" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   source  = "terraform-aws-modules/kms/aws"

diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -34,7 +34,6 @@ module "quarantine_bucket" {
   }
 }
 
-
 module "definitions_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "4.1.0"
@@ -53,8 +52,6 @@ module "definitions_bucket" {
   }
 }
 
-
-
 module "processed_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "4.1.0"
@@ -72,3 +69,22 @@ module "processed_bucket" {
     }
   }
 }
+
+module "download_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.1.0"
+
+  bucket = "mojap-ingestion-${local.environment}-download"
+  # TODO: Is this needed below?
+  force_destroy = true
+  policy = data.aws_iam_policy_document.s3_download_kms_policy.json
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = module.s3_processed_kms.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}