From 6d5754e648b0835c0095eaaa35dbe264d35d0712 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 12:54:48 +0000 Subject: [PATCH 01/11] WIP - Add S3 bucket, KMS, custom policy --- .../analytical-platform-ingestion/data.tf | 9 ++++++++ .../analytical-platform-ingestion/kms-keys.tf | 12 ++++++++++ .../analytical-platform-ingestion/s3.tf | 22 ++++++++++++++++--- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf index 49bbbf30bd4..519582dc500 100644 --- a/terraform/environments/analytical-platform-ingestion/data.tf +++ b/terraform/environments/analytical-platform-ingestion/data.tf @@ -1,2 +1,11 @@ #### This file can be used to store data specific to the member account #### data "aws_availability_zones" "available" {} + +data "aws_iam_policy_document" "s3_download_kms_policy" { + statement { + sid = "AllowS3Download" + effect = "Allow" + actions = ["kms:Decrypt"] + resources = ["*"] + } +} \ No newline at end of file diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 4e55287e9c1..ff160a38c12 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -46,6 +46,18 @@ module "s3_definitions_kms" { deletion_window_in_days = 7 } +module "s3_download_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + source = "terraform-aws-modules/kms/aws" + version = "2.2.1" + + aliases = ["s3/download"] + description = "Used in the download S3 object" + enable_default_policy = true + + deletion_window_in_days = 7 +} + module "sns_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/kms/aws" 
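Review bot: `s3_download_kms_policy` in the data.tf hunk has no `principals` block, a single KMS action and `resources = ["*"]`, yet s3.tf in this same commit feeds its JSON to the bucket module's `policy` input; an S3 bucket policy needs a Principal and S3 actions scoped to the bucket ARN, so this document cannot serve as one as written. If the intent is to let a specific role decrypt objects, that grant belongs on the key created in the kms-keys.tf hunk (`s3_download_kms`), and the bucket policy should carry only the S3 actions for that role. PATCH 02 and PATCH 03 rewrite this document; it would be cleaner to land the final shape here rather than commit an unusable intermediate.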
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 749f7fd478d..e9af71f51f4 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -34,7 +34,6 @@ module "quarantine_bucket" { } } - module "definitions_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" @@ -53,8 +52,6 @@ module "definitions_bucket" { } } - - module "processed_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" @@ -72,3 +69,22 @@ module "processed_bucket" { } } } + +module "download_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.0" + + bucket = "mojap-ingestion-${local.environment}-download" + # TODO: Is this needed below? + force_destroy = true + policy = data.aws_iam_policy_document.s3_download_kms_policy.json + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_processed_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} From 724ff7e44a4bb165beec7e9d5aaaf59a28b5a5a9 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 14:33:39 +0000 Subject: [PATCH 02/11] Rename buckets + Add Policy --- .../analytical-platform-ingestion/data.tf | 22 +++++++++++++++---- .../analytical-platform-ingestion/kms-keys.tf | 6 ++--- .../analytical-platform-ingestion/s3.tf | 6 ++--- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf index 519582dc500..477986973f6 100644 --- a/terraform/environments/analytical-platform-ingestion/data.tf +++ b/terraform/environments/analytical-platform-ingestion/data.tf 
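Review bot: `force_destroy = true` on the new `download_bucket` is committed with its own `# TODO: Is this needed below?` unresolved; on a bucket that receives replicated data this lets a `terraform destroy` (or a resource replacement) purge every object without any guard. Unless the bucket is meant to be disposable, drop the line so the module default applies, or replace the TODO with a comment recording why it is required. The same value survives the rest of the series — PATCH 03 deletes the TODO comment but keeps the setting — so this is a question for the final state, not just this commit.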
@@ -1,11 +1,25 @@ #### This file can be used to store data specific to the member account #### data "aws_availability_zones" "available" {} -data "aws_iam_policy_document" "s3_download_kms_policy" { +data "aws_iam_policy_document" "s3_bold_egress_s3_policy" { statement { - sid = "AllowS3Download" - effect = "Allow" - actions = ["kms:Decrypt"] + sid = "ReplicationPermissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::593291632749:role/service-role/source-account-IAM-role"] + } + actions = [ + "s3:ReplicateDelete", + "s3:ReplicateObject", + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:GetBucketVersioning", + "s3:PutBucketVersioning" + ] resources = ["*"] + # resources = module.bold_egress_bucket.arn } + + + } \ No newline at end of file diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index ff160a38c12..a7ae89657f2 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -46,13 +46,13 @@ module "s3_definitions_kms" { deletion_window_in_days = 7 } -module "s3_download_kms" { +module "s3_bold_egress_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/kms/aws" version = "2.2.1" - aliases = ["s3/download"] - description = "Used in the download S3 object" + aliases = ["s3/bold_egress"] + description = "Used in the Bold Egress Solution" enable_default_policy = true deletion_window_in_days = 7 diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index e9af71f51f4..773983df6c3 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
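Review bot: The rewritten bucket policy statement still uses `resources = ["*"]`, with the intended bucket reference left as a commented-out `# resources = module.bold_egress_bucket.arn`; S3 rejects a bucket policy whose Resource is not the bucket or its objects, and even if it were accepted the wildcard says nothing about which bucket the external role from account 593291632749 may touch. The commented reference also names an `.arn` output, whereas the output the series later relies on is `s3_bucket_arn`, so it would not have resolved either. The three blank lines before the closing brace and the missing trailing newline should be cleaned up (`terraform fmt`). PATCH 03 replaces this document.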
@@ -70,14 +70,14 @@ module "processed_bucket" { } } -module "download_bucket" { +module "bold_egress_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "mojap-ingestion-${local.environment}-download" + bucket = "mojap-ingestion-${local.environment}-bold-egress" # TODO: Is this needed below? force_destroy = true - policy = data.aws_iam_policy_document.s3_download_kms_policy.json + policy = data.aws_iam_policy_document.s3_bold_egress_s3_policy.json server_side_encryption_configuration = { rule = { From 7717ce0f28c658628e05eeb8a14202ca52e3aadc Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:15:04 +0000 Subject: [PATCH 03/11] Further configuration --- .../analytical-platform-ingestion/data.tf | 23 ------------------ .../analytical-platform-ingestion/kms-keys.tf | 17 +++++++++++++ .../analytical-platform-ingestion/s3.tf | 24 +++++++++++++++++-- 3 files changed, 39 insertions(+), 25 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf index 477986973f6..49bbbf30bd4 100644 --- a/terraform/environments/analytical-platform-ingestion/data.tf +++ b/terraform/environments/analytical-platform-ingestion/data.tf @@ -1,25 +1,2 @@ #### This file can be used to store data specific to the member account #### data "aws_availability_zones" "available" {} - -data "aws_iam_policy_document" "s3_bold_egress_s3_policy" { - statement { - sid = "ReplicationPermissions" - effect = "Allow" - principals { - type = "AWS" - identifiers = ["arn:aws:iam::593291632749:role/service-role/source-account-IAM-role"] - } - actions = [ - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:GetBucketVersioning", - "s3:PutBucketVersioning" - ] - resources = ["*"] - # resources = module.bold_egress_bucket.arn - } - - - -} \ No newline at end of file 
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index a7ae89657f2..021b5535dae 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -46,6 +46,22 @@ module "s3_definitions_kms" { deletion_window_in_days = 7 } +data "aws_iam_policy_document" "s3_bold_egress_kms_policy" { + statement { + sid = "AllowAnalyticalPlatformDataEngineeringProduction" + actions = [ + "kms:Decrypt", + "kms:GenerateDataKey" + ] + resources = ["*"] + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"] + } + } +} + module "s3_bold_egress_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/kms/aws" @@ -54,6 +70,7 @@ module "s3_bold_egress_kms" { aliases = ["s3/bold_egress"] description = "Used in the Bold Egress Solution" enable_default_policy = true + policy = data.aws_iam_policy_document.s3_bold_egress_kms_policy.json deletion_window_in_days = 7 } diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 773983df6c3..0c57dd61458 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
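Review bot: `s3_bold_egress_kms_policy` in the first hunk carries only the cross-account statement, and the second hunk hands it to the module's `policy` input next to `enable_default_policy = true`. As far as I understand this module, an explicit `policy` replaces the generated document rather than merging with it, so the key would be created with no statement for the account's own principals and become unmanageable except through AWS Support. PATCH 05 adds the root statement by hand and PATCH 07 moves the grant into `key_statements`, which keeps the module-generated default statement; landing that form directly in this commit would avoid applying the lock-out state in between. The `data` block's closing brace is inside the hunk, but the `module` block it feeds continues past the second hunk.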
@@ -70,14 +70,34 @@ module "processed_bucket" { } } +data "aws_iam_policy_document" "bold_egress_bucket_policy" { + statement { + sid = "ReplicationPermissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"] + } + actions = [ + "s3:ReplicateObject", + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:GetObjectVersionTagging", + "s3:ReplicateTags", + "s3:ReplicateDelete" + ] + resources = ["${module.bold_egress_bucket.s3_bucket_arn}/*"] + } +} + module "bold_egress_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" bucket = "mojap-ingestion-${local.environment}-bold-egress" - # TODO: Is this needed below? + force_destroy = true - policy = data.aws_iam_policy_document.s3_bold_egress_s3_policy.json + + policy = data.aws_iam_policy_document.bold_egress_bucket_policy.json server_side_encryption_configuration = { rule = { From 3b4a9bcb854415cb51ec0ad01b58c2298e8f1a6a Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:30:12 +0000 Subject: [PATCH 04/11] Add versioning to S3 bucket --- terraform/environments/analytical-platform-ingestion/s3.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 0c57dd61458..3c1c8cdbd14 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -97,6 +97,10 @@ module "bold_egress_bucket" { force_destroy = true + versioning = { + enabled = true + } + policy = data.aws_iam_policy_document.bold_egress_bucket_policy.json server_side_encryption_configuration = { From d182b4989d8e65238bf8dba11cf912f92482d577 Mon Sep 17 00:00:00 2001 
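Review bot: `bold_egress_bucket_policy` scopes every action to `${module.bold_egress_bucket.s3_bucket_arn}/*`, so the bucket-level actions that the AWS cross-account replication example grants on the bucket ARN itself (`s3:GetBucketVersioning`, `s3:List*`) are no longer present; if the source account's replication role needs them this only shows up at runtime, so confirm with a replication test before merge. The same `resources` line reads an output of the module that consumes the document, which Terraform resolves as a cycle (PATCH 08 substitutes a literal ARN for this reason). Versioning is switched on in PATCH 04 but no `lifecycle_rule` covers noncurrent versions, and `s3:ReplicateDelete` is granted, so replicated deletes accumulate as retained versions indefinitely — either state the intended retention in a comment or add a noncurrent-version expiration rule. The `module "bold_egress_bucket"` block continues past the end of the hunk.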
From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:41:09 +0000 Subject: [PATCH 05/11] Correct KMS key --- .../analytical-platform-ingestion/kms-keys.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 021b5535dae..2a3de2113fe 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -47,6 +47,15 @@ module "s3_definitions_kms" { } data "aws_iam_policy_document" "s3_bold_egress_kms_policy" { + statement { + sid = "Default" + effect = "Allow" + actions = ["kms:*"] + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } statement { sid = "AllowAnalyticalPlatformDataEngineeringProduction" actions = [ From ef1161d58b0d7ade8b4ba583646b7efb6b801a6b Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:51:23 +0000 Subject: [PATCH 06/11] Refactor default policy on KMS key --- .../environments/analytical-platform-ingestion/kms-keys.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 2a3de2113fe..188c0fac332 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf 
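Review bot: The new `Default` statement has no `resources`; KMS key policy statements require `Resource: "*"` (the existing `AllowAnalyticalPlatformDataEngineeringProduction` statement below supplies it), so this document is likely to be rejected at apply with a malformed-policy error. Add `resources = ["*"]` next to `actions = ["kms:*"]`. The enclosing `data` block continues past the end of the hunk, and PATCH 07 rewrites it via `key_statements` anyway.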
@@ -76,10 +76,9 @@ module "s3_bold_egress_kms" { source = "terraform-aws-modules/kms/aws" version = "2.2.1" - aliases = ["s3/bold_egress"] - description = "Used in the Bold Egress Solution" - enable_default_policy = true - policy = data.aws_iam_policy_document.s3_bold_egress_kms_policy.json + aliases = ["s3/bold_egress"] + description = "Used in the Bold Egress Solution" + policy = data.aws_iam_policy_document.s3_bold_egress_kms_policy.json deletion_window_in_days = 7 } From e217ca82189c354da6745a3a61c37f145e01eb8f Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:00:02 +0000 Subject: [PATCH 07/11] Refactor --- .../analytical-platform-ingestion/kms-keys.tf | 49 ++++++++----------- 1 file changed, 20 insertions(+), 29 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 188c0fac332..0b0e6477ce6 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf 
@@ -46,40 +46,31 @@ module "s3_definitions_kms" { deletion_window_in_days = 7 } -data "aws_iam_policy_document" "s3_bold_egress_kms_policy" { - statement { - sid = "Default" - effect = "Allow" - actions = ["kms:*"] - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] - } - } - statement { - sid = "AllowAnalyticalPlatformDataEngineeringProduction" - actions = [ - "kms:Decrypt", - "kms:GenerateDataKey" - ] - resources = ["*"] - effect = "Allow" - principals { - type = "AWS" - identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"] - } - } -} - module "s3_bold_egress_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/kms/aws" version = "2.2.1" - aliases = ["s3/bold_egress"] - description = "Used in the Bold Egress Solution" - policy = data.aws_iam_policy_document.s3_bold_egress_kms_policy.json - + aliases = ["s3/bold_egress"] + description = "Used in the Bold Egress Solution" + enable_default_policy = true + key_statements = [ + { + sid = "AllowAnalyticalPlatformDataEngineeringProduction" + actions = [ + "kms:Decrypt", + "kms:GenerateDataKey" + ] + resources = ["*"] + effect = "Allow" + principals = [ + { + type = "AWS" + identifiers = ["arn:aws:iam::593291632749:role/mojap-data-production-bold-egress-${local.environment}"] + } + ] + } + ] deletion_window_in_days = 7 } From 45c12a103efa55f9f8d60518522c0d51e2c87f10 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:40:51 +0000 Subject: [PATCH 08/11] Refactor to remove cyclic condition --- .../environments/analytical-platform-ingestion/kms-keys.tf | 2 +- terraform/environments/analytical-platform-ingestion/s3.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
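Review bot: The `key_statements` grant lets the role in account 593291632749 use this key with no `conditions`, so the key can be exercised outside of S3 and for any bucket the role can reach, not just the bold-egress bucket this key is described as serving. Restricting the statement with `kms:ViaService` and the S3 encryption context keeps the cross-account grant usable only through S3 for this bucket; the same statement is touched again in PATCH 10 (`kms:Decrypt` → `kms:Encrypt`), and the conditions apply equally there. `kms:GenerateDataKey` is kept alongside `kms:Encrypt` — I believe the replication documentation only lists `kms:Encrypt` for the destination key, so check whether the extra action is needed. The account id is now hard-coded in both kms-keys.tf and s3.tf; a single `local` would keep them in step.
```hcl
  key_statements = [
    {
      sid = "AllowAnalyticalPlatformDataEngineeringProduction"
      # … unchanged: actions, resources, effect, principals …
      conditions = [
        {
          test     = "StringEquals"
          variable = "kms:ViaService"
          values   = ["s3.<region>.amazonaws.com"] # placeholder: region of the bold-egress bucket
        },
        {
          test     = "StringLike"
          variable = "kms:EncryptionContext:aws:s3:arn"
          values   = ["arn:aws:s3:::mojap-ingestion-${local.environment}-bold-egress/*"]
        }
      ]
    }
  ]
```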
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 0b0e6477ce6..acfe5a623d3 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -51,7 +51,7 @@ module "s3_bold_egress_kms" { source = "terraform-aws-modules/kms/aws" version = "2.2.1" - aliases = ["s3/bold_egress"] + aliases = ["s3/bold-egress"] description = "Used in the Bold Egress Solution" enable_default_policy = true key_statements = [ diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 3c1c8cdbd14..f75e4fd30ce 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -85,7 +85,7 @@ data "aws_iam_policy_document" "bold_egress_bucket_policy" { "s3:ReplicateTags", "s3:ReplicateDelete" ] - resources = ["${module.bold_egress_bucket.s3_bucket_arn}/*"] + resources = ["arn:aws:s3:::mojap-ingestion-${local.environment}-bold-egress/*"] } } From 0151dd8d0ad09ae7cf5177c61fca9eac0202f99b Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:42:48 +0000 Subject: [PATCH 09/11] ...add the policy --- terraform/environments/analytical-platform-ingestion/s3.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index f75e4fd30ce..cc5795ae195 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
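Review bot: The s3.tf hunk breaks the cycle by spelling the resource out as a literal ARN that repeats the bucket name given to `module.bold_egress_bucket`; if either string is edited the policy silently stops matching the bucket. Keep the name in one place, e.g. `bold_egress_bucket_name = "mojap-ingestion-${local.environment}-bold-egress"` in `locals` used by both the `bucket` argument and this ARN, or attach the policy through a separate `aws_s3_bucket_policy` resource, which can reference `module.bold_egress_bucket.s3_bucket_arn` without the cycle. The alias change in the kms-keys.tf hunk (`s3/bold_egress` → `s3/bold-egress`) will replace the alias on any environment where the key has already been applied — presumably acceptable on a WIP branch, but worth noting in the commit message.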
@@ -101,7 +101,8 @@ module "bold_egress_bucket" { enabled = true } - policy = data.aws_iam_policy_document.bold_egress_bucket_policy.json + attach_policy = true + policy = data.aws_iam_policy_document.bold_egress_bucket_policy.json server_side_encryption_configuration = { rule = { From 1a966d872f1ea098e2c1eccce645bbcd8e71d086 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:57:17 +0000 Subject: [PATCH 10/11] Modify KMS permissions --- .../environments/analytical-platform-ingestion/kms-keys.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index acfe5a623d3..aea1434eeaf 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -58,7 +58,7 @@ module "s3_bold_egress_kms" { { sid = "AllowAnalyticalPlatformDataEngineeringProduction" actions = [ - "kms:Decrypt", + "kms:Encrypt", "kms:GenerateDataKey" ] resources = ["*"] From 139aaa17837847be4a12031fef3c44ec785014c7 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Tue, 26 Mar 2024 17:12:48 +0000 Subject: [PATCH 11/11] Correct key --- terraform/environments/analytical-platform-ingestion/s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index cc5795ae195..699bc6a42ec 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
@@ -107,7 +107,7 @@ module "bold_egress_bucket" { server_side_encryption_configuration = { rule = { apply_server_side_encryption_by_default = { - kms_master_key_id = module.s3_processed_kms.key_arn + kms_master_key_id = module.s3_bold_egress_kms.key_arn sse_algorithm = "aws:kms" } }