Merge pull request #85 from ministryofjustice/feature/explicit-attach…

…-json-var Adding explicit attach json policy var to avoid plan failures.
ministryofjustice · Oct 5, 2023 · a4392c1 · a4392c1
2 parents c32d5fa + 93d515a
commit a4392c1
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 7 deletions.
diff --git a/.github/workflows/go-terratest.yml b/.github/workflows/go-terratest.yml
@@ -14,9 +14,8 @@ jobs:
     name: Run Go Unit Tests
     runs-on: ubuntu-latest
     steps:
- dependabot/github_actions/actions/setup-go-4.0.0
-      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
-      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: 1.18
       - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
@@ -28,4 +27,4 @@ jobs:
         run: go mod download
       - name: Run Go Tests
         working-directory: test
-        run: go test -v
+        run: go test -v
diff --git a/README.md b/README.md
@@ -92,6 +92,7 @@ No modules.
 | <a name="input_package_type"></a> [package\_type](#input\_package\_type) | The Lambda deployment package type. Valid options: Image | `string` | `"Image"` | no |
 | <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | List of policy statements ARN to attach to Lambda Function role | `list(string)` | `[]` | no |
 | <a name="input_policy_json"></a> [policy\_json](#input\_policy\_json) | An policy document as JSON to attach to the Lambda Function role | `string` | `null` | no |
+| <a name="input_policy_json_attached"></a> [policy\_json\_attached](#input\_policy\_json\_attached) | A json policy document is being passed into the module | `bool` | `false` | no |
 | <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | IAM policy name. It override the default value, which is the same as role\_name | `string` | `null` | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. | `number` | `-1` | no |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Description of IAM role to use for Lambda Function | `string` | `null` | no |

diff --git a/main.tf b/main.tf
@@ -37,14 +37,14 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_policy" "policy_from_json" {
-  count  = var.create_role && can(var.policy_json) ? 1 : 0
+  count  = var.create_role && var.policy_json_attached ? 1 : 0
   name   = coalesce(var.policy_name, var.role_name, var.function_name)
   policy = var.policy_json
   tags   = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "policy_from_json" {
-  count      = var.create_role && can(var.policy_json) ? 1 : 0
+  count      = var.create_role && var.policy_json_attached ? 1 : 0
   role       = aws_iam_role.this[0].name
   policy_arn = aws_iam_policy.policy_from_json[0].arn
 }

diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf
@@ -5,6 +5,7 @@ module "module_test" {
   tags                           = local.tags
   description                    = "test lambda"
   role_name                      = "InstanceSchedulerLambdaFunctionPolicy"
+  policy_json_attached           = true
   policy_json                    = data.aws_iam_policy_document.instance-scheduler-lambda-function-policy.json
   function_name                  = "instance-scheduler-lambda-function"
   create_role                    = true
@@ -73,7 +74,7 @@ data "aws_iam_policy_document" "instance-scheduler-lambda-function-policy" {
       "logs:CreateLogGroup"
     ]
     resources = [
-      format("arn:aws:logs:eu-west-2:%s:*", data.aws_caller_identity.current.account_id)
+      format("arn:aws:logs:eu-west-2:%s:aws/lambda/fake", data.aws_caller_identity.current.account_id)
     ]
   }
   statement {
@@ -125,12 +126,27 @@ data "aws_iam_policy_document" "instance-scheduler-lambda-function-policy" {
   }
   # checkov:skip=CKV_AWS_111: "Cannot restrict by KMS alias so leaving open"
   # checkov:skip=CKV_AWS_109: "Cannot restrict by KMS alias so leaving open"
+  # checkov:skip=CKV_AWS_356: "Cannot restrict by KMS alias so leaving open"
   statement {
     sid       = "AllowToDecryptKMS"
     effect    = "Allow"
     resources = ["*"]
     actions   = ["kms:Decrypt"]
   }
+  statement {
+    sid    = "s3Access"
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ]
+    resources = [
+      "${module.s3-bucket.bucket.arn}/*",
+      "${module.s3-bucket.bucket.arn}"
+    ]
+  }
 }
 
 resource "aws_lambda_invocation" "test_invocation" {

diff --git a/test/unit-test/s3.tf b/test/unit-test/s3.tf
@@ -0,0 +1,58 @@
+module "s3-bucket" {                                                                             #tfsec:ignore:aws-s3-enable-versioning
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc1" # Hash for v7.0.0
+
+  bucket_prefix      = "data-platform-products-${local.environment}"
+  versioning_enabled = false
+  # Refer to the below section "Replication" before enabling replication
+  replication_enabled = false
+  force_destroy       = true
+  providers = {
+    # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the
+    # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation
+    # Platform team to add a new provider for the additional Region.
+    aws.bucket-replication = aws
+  }
+
+  lifecycle_rule = [
+    {
+      id      = "main"
+      enabled = "Enabled"
+      prefix  = ""
+
+      tags = {
+        rule      = "log"
+        autoclean = "true"
+      }
+
+      transition = [
+        {
+          days          = 90
+          storage_class = "STANDARD_IA"
+          }, {
+          days          = 365
+          storage_class = "GLACIER"
+        }
+      ]
+
+      expiration = {
+        days = 730
+      }
+
+      noncurrent_version_transition = [
+        {
+          days          = 90
+          storage_class = "STANDARD_IA"
+          }, {
+          days          = 365
+          storage_class = "GLACIER"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        days = 730
+      }
+    }
+  ]
+
+  tags = local.tags
+}
diff --git a/variables.tf b/variables.tf
@@ -118,3 +118,11 @@ variable "memory_size" {
   type        = number
   default     = 128
 }
+
+variable "policy_json_attached" {
+
+  description = "A json policy document is being passed into the module"
+  type        = bool
+  default     = false
+
+}