Merge pull request #9173 from ministryofjustice/DBA-827

Require individual policies for each MIS database type

terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf

@@ -15,38 +15,19 @@ resource "aws_backup_vault" "oracle_backup_vault" {
 # backup vault allows them to timeout without being overwritten.
 # The AWSBackupDefaultServiceRole managed by AWS and is documented at: 
 # https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html
+data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
+   statement {
+       effect    = "Allow"
+       actions   = ["iam:PassRole"]
+       resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
+   }
+   statement {
+       effect    = "Allow"
+       actions   = ["backup:ListBackupVaults",
+                   "backup:StartBackupJob",
+                   "backup:DescribeBackupJob",
+                   "ec2:DescribeSnapshots"]
+       resources = ["*"]
+   }
+}
 
-# BELOW CODE TEMPORARILY REMOVED TO ALLOW MIGRATION TO COMPLETE.
-# FOLLOWING MIGRATION, IT WILL BE REPLACED BY CHANGES IN (TO BE REVIEWED)
-# https://github.com/ministryofjustice/modernisation-platform-environments/pull/9173/files#diff-64bc1f41fcc3aa7402b57fa993681f66854c1aff8a0d065bf92357640a27f5e8
-
-# resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
-#   name        = "oracle-ec2-snapshot-backup-role-policy"
-#   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
-
-#   policy = jsonencode({
-#     Version = "2012-10-17",
-#     Statement = [
-#       {
-#         Effect   = "Allow",
-#         Action   = "iam:PassRole",
-#         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
-#       },
-#       {
-#         Effect = "Allow"
-#         Action = ["backup:ListBackupVaults",
-#           "backup:StartBackupJob",
-#           "backup:DescribeBackupJob",
-#         "ec2:DescribeSnapshots"],
-#         Resource = "*"
-#       }
-#     ]
-#   })
-# }
-
-# # Allow Access To AWSBackupDefaultServiceRolePolicy From EC2 Instance Roles
-# resource "aws_iam_policy_attachment" "oracle_ec2_snapshot_backup_role_policy_attachment" {
-#   name       = "oracle-ec2-snapshot-backup-role-policy-attachment"
-#   roles      = var.instance_roles
-#   policy_arn = aws_iam_policy.oracle_ec2_snapshot_backup_role_policy.arn
-# }

terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf

@@ -1,11 +1,6 @@
 ##############################################
 # IAM Instance Profile
 ##############################################
-#resource "aws_iam_instance_profile" "db_ec2_instanceprofile" {
-#  name = format("%s-delius-db-ec2_instance_iam_role", var.env_name)
-#  role = aws_iam_role.db_ec2_instance_iam_role.name
-#}
-
 
 # Pre-reqs - IAM role, attachment for SSM usage and instance profile
 data "aws_iam_policy_document" "db_ec2_instance_iam_assume_policy" {
@@ -21,15 +16,6 @@ data "aws_iam_policy_document" "db_ec2_instance_iam_assume_policy" {
   }
 }
 
-
-#resource "aws_iam_role" "db_ec2_instance_iam_role" {
-#  name               = lower(format("%s-delius-db-ec2_instance", var.env_name))
-#  assume_role_policy = data.aws_iam_policy_document.db_ec2_instance_iam_assume_policy.json
-#  tags = merge(var.tags,
-#    { Name = lower(format("%s-delius-db-ec2_instance", var.env_name)) }
-#  )
-#}
-
 data "aws_iam_policy_document" "business_unit_kms_key_access" {
   statement {
     effect = "Allow"
@@ -69,12 +55,6 @@ data "aws_iam_policy_document" "core_shared_services_bucket_access" {
   }
 }
 
-resource "aws_iam_policy" "core_shared_services_bucket_access" {
-  name   = "${var.env_name}-${var.db_suffix}-core-shared-services-bucket-access-policy"
-  path   = "/"
-  policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json
-}
-
 data "aws_iam_policy_document" "ec2_access_for_ansible" {
   statement {
     effect = "Allow"
@@ -100,46 +80,6 @@ data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
   }
 }
 
-resource "aws_iam_policy" "allow_access_to_ssm_parameter_store" {
-  name   = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ssm-parameter-store-access"
-  path   = "/"
-  policy = data.aws_iam_policy_document.allow_access_to_ssm_parameter_store.json
-}
-#
-#resource "aws_iam_role_policy_attachment" "allow_access_to_ssm_parameter_store" {
-#  role       = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy_arn = aws_iam_policy.allow_access_to_ssm_parameter_store.arn
-#}
-
-resource "aws_iam_policy" "ec2_access_for_ansible" {
-  name   = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ansible-ec2-access"
-  path   = "/"
-  policy = data.aws_iam_policy_document.ec2_access_for_ansible.json
-}
-
-#resource "aws_iam_role_policy" "business_unit_kms_key_access" {
-#  name   = "business_unit_kms_key_access"
-#  role   = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy = data.aws_iam_policy_document.business_unit_kms_key_access.json
-#}
-#
-#resource "aws_iam_role_policy" "core_shared_services_bucket_access" {
-#  name   = "core_shared_services_bucket_access"
-#  role   = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json
-#}
-#
-#resource "aws_iam_role_policy" "ec2_access" {
-#  name   = "ec2_access"
-#  role   = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy = data.aws_iam_policy_document.ec2_access_for_ansible.json
-#}
-
-#resource "aws_iam_role_policy_attachment" "db_ec2_instance_amazonssmmanagedinstancecore" {
-#  role       = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-#}
-
 # Policy document for both Oracle database DBA and application secrets
 
 data "aws_iam_policy_document" "db_access_to_secrets_manager" {
@@ -161,13 +101,6 @@ data "aws_iam_policy_document" "db_access_to_secrets_manager" {
   }
 }
 
-# Policy to allow access to both Oracle database DBA and application secrets
-
-resource "aws_iam_policy" "db_access_to_secrets_manager" {
-  name   = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-secrets-manager-access"
-  policy = data.aws_iam_policy_document.db_access_to_secrets_manager.json
-}
-
 data "aws_iam_policy_document" "instance_ssm" {
   #checkov:skip=CKV_AWS_108 "ignore"
   #checkov:skip=CKV_AWS_111 "ignore"
@@ -223,62 +156,20 @@ data "aws_iam_policy_document" "instance_ssm" {
   }
 }
 
-resource "aws_iam_policy" "instance_ssm" {
-  name   = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ssm-access"
-  policy = data.aws_iam_policy_document.instance_ssm.json
+data "aws_iam_policy_document" "combined_instance_policy" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.core_shared_services_bucket_access.json,
+    data.aws_iam_policy_document.allow_access_to_ssm_parameter_store.json,
+    data.aws_iam_policy_document.ec2_access_for_ansible.json,
+    data.aws_iam_policy_document.db_access_to_secrets_manager.json,
+    data.aws_iam_policy_document.oracledb_backup_bucket_access.json,
+    data.aws_iam_policy_document.db_ssh_keys_s3_policy_document.json,
+    data.aws_iam_policy_document.instance_ssm.json,
+    data.aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document.json
+  ]
 }
 
-# new IAM role OEM setup to allow ec2s to access secrets manager and kms keys
-# resource "aws_iam_role" "EC2OracleEnterpriseManagementSecretsRole" {
-#   name = "EC2OracleEnterpriseManagementSecretsRole-${var.env_name}-${var.db_suffix}"
-
-#   assume_role_policy = <<EOF
-# {
-#   "Version": "2012-10-17",
-#   "Statement": [
-#     {
-#       "Effect": "Allow",
-#       "Principal": {
-#         "AWS": "*"
-#       },
-#       "Action": "sts:AssumeRole",
-#       "Condition": {
-#         "ForAnyValue:ArnLike": {
-#           "aws:PrincipalArn": "arn:aws:iam::${var.account_info.id}:role/instance-role-${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-*"
-#         }
-#       }
-#     }
-#   ]
-# }
-# EOF
-# }
-
-# resource "aws_iam_role_policy_attachment" "allow_kms_keys_access" {
-#   role       = aws_iam_role.EC2OracleEnterpriseManagementSecretsRole.name
-#   policy_arn = aws_iam_policy.business_unit_kms_key_access.arn
-# }
-
-# data "aws_iam_policy_document" "OracleEnterpriseManagementSecretsPolicyDocument" {
-#   statement {
-#     sid    = "OracleEnterpriseManagementSecretsPolicyDocument"
-#     effect = "Allow"
-#     actions = [
-#       "secretsmanager:GetSecretValue"
-#     ]
-#     resources = [
-#       "arn:aws:secretsmanager:*:*:secret:/oracle/database/EMREP/shared-*",
-#       "arn:aws:secretsmanager:*:*:secret:/oracle/database/*RCVCAT/shared-*",
-#       "arn:aws:secretsmanager:*:*:secret:/oracle/oem/shared-*"
-#     ]
-#   }
-# }
-
-# resource "aws_iam_policy" "OracleEnterpriseManagementSecretsPolicy" {
-#   name   = "OracleEnterpriseManagementSecretsPolicy-${var.env_name}-${var.db_suffix}"
-#   policy = data.aws_iam_policy_document.OracleEnterpriseManagementSecretsPolicyDocument.json
-# }
-
-# resource "aws_iam_role_policy_attachment" "OracleEnterpriseManagementSecretsPolicy" {
-#   role       = aws_iam_role.EC2OracleEnterpriseManagementSecretsRole.name
-#   policy_arn = aws_iam_policy.OracleEnterpriseManagementSecretsPolicy.arn
-# }
+resource "aws_iam_policy" "combined_instance_policy" {
+  name   = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-combined-instance-policy"
+  policy = data.aws_iam_policy_document.combined_instance_policy.json
+}

terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf

@@ -63,4 +63,5 @@ locals {
 
   db_port      = 1521
   db_tcps_port = 1522
+
 }

terraform/environments/delius-core/modules/components/oracle_db_shared/outputs.tf

@@ -16,6 +16,7 @@ output "ssh_keys_bucket_name" {
 
 output "instance_policies" {
   value = {
+     "combined_instance_policy" = aws_iam_policy.combined_instance_policy
   }
 }
 

terraform/environments/delius-core/modules/components/oracle_db_shared/variables.tf

@@ -49,8 +49,3 @@ variable "db_suffix" {
   type        = string
   default     = "db"
 }
-
-variable "instance_roles" {
-  description = "AMI roles associated with the database EC2 hosts"
-  type        = list(string)
-}

terraform/environments/delius-core/modules/delius_environment/database.tf

@@ -17,7 +17,6 @@ module "oracle_db_shared" {
   env_name           = var.env_name
   tags               = local.tags
   public_keys        = local.db_public_key_data.keys[var.env_name]
-  instance_roles     = [for i in range(1, try(var.db_config.primary_instance_count, 1) + try(var.db_config.standby_count, 0) + 1) : "instance-role-delius-core-${var.env_name}-db-${i}"]
 
   bastion_sg_id = module.bastion_linux.bastion_security_group
 

terraform/environments/delius-mis/modules/mis_environment/databases.tf

@@ -20,11 +20,6 @@ module "oracle_db_shared" {
   env_name           = var.env_name
   tags               = local.tags
   public_keys        = local.db_public_key_data.keys[var.account_info.mp_environment]
-  instance_roles = concat(
-    each.key == "mis-db" ? [for i in range(1, try(var.mis_db_config.instance_count, 1) + 1) : "arn:aws:iam::${var.account_info.id}:role/instance-role-delius-mis-${var.env_name}-mis-db-${i}"] : [],
-    each.key == "boe-db" ? [for i in range(1, try(var.boe_db_config.instance_count, 1) + 1) : "arn:aws:iam::${var.account_info.id}:role/instance-role-delius-mis-${var.env_name}-boe-db-${i}"] : [],
-    each.key == "dsd-db" ? [for i in range(1, try(var.dsd_db_config.instance_count, 1) + 1) : "arn:aws:iam::${var.account_info.id}:role/instance-role-delius-mis-${var.env_name}-mis-db-${i}"] : []
-  )
 
   db_suffix = each.key