Merge pull request #5482 from ministryofjustice/ingestion-s3

🔧 Add Egress S3 bucket to Analytical Platform Ingestion
ministryofjustice · Mar 26, 2024 · dbd9134 · dbd9134
2 parents 9ddc4a5 + 139aaa1
commit dbd9134
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 3 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -46,6 +46,34 @@ module "s3_definitions_kms" {
   deletion_window_in_days = 7
 }
 
+module "s3_bold_egress_kms" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/kms/aws"
+  version = "2.2.1"
+
+  aliases               = ["s3/bold-egress"]
+  description           = "Used in the Bold Egress Solution"
+  enable_default_policy = true
+  key_statements = [
+    {
+      sid = "AllowAnalyticalPlatformDataEngineeringProduction"
+      actions = [
+        "kms:Encrypt",
+        "kms:GenerateDataKey"
+      ]
+      resources = ["*"]
+      effect    = "Allow"
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"]
+        }
+      ]
+    }
+  ]
+  deletion_window_in_days = 7
+}
+
 module "sns_kms" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   source  = "terraform-aws-modules/kms/aws"

diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -34,7 +34,6 @@ module "quarantine_bucket" {
   }
 }
 
-
 module "definitions_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "4.1.0"
@@ -53,8 +52,6 @@ module "definitions_bucket" {
   }
 }
 
-
-
 module "processed_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "4.1.0"
@@ -72,3 +69,47 @@ module "processed_bucket" {
     }
   }
 }
+
+data "aws_iam_policy_document" "bold_egress_bucket_policy" {
+  statement {
+    sid    = "ReplicationPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"]
+    }
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ObjectOwnerOverrideToBucketOwner",
+      "s3:GetObjectVersionTagging",
+      "s3:ReplicateTags",
+      "s3:ReplicateDelete"
+    ]
+    resources = ["arn:aws:s3:::mojap-ingestion-${local.environment}-bold-egress/*"]
+  }
+}
+
+module "bold_egress_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.1.0"
+
+  bucket = "mojap-ingestion-${local.environment}-bold-egress"
+
+  force_destroy = true
+
+  versioning = {
+    enabled = true
+  }
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.bold_egress_bucket_policy.json
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = module.s3_bold_egress_kms.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}