release/2024-07-22 Updated bucket policy to not override & added s3prefix to export state machine step
megan-bower4 committed Jul 22, 2024
1 parent 50f32c8 commit 3149adc
Showing 3 changed files with 101 additions and 45 deletions.
72 changes: 50 additions & 22 deletions infrastructure/terraform/per_account/int/main.tf
Expand Up @@ -103,11 +103,9 @@ resource "aws_route53_zone" "int-ns" {
}

module "snapshot_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.15.2"
bucket = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
attach_deny_insecure_transport_policy = true
attach_access_log_delivery_policy = true
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.15.2"
bucket = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
versioning = {
enabled = true
}
Expand All @@ -116,28 +114,58 @@ module "snapshot_bucket" {
}
}

data "aws_s3_bucket_policy" "existing_policy" {
bucket = module.snapshot_bucket.s3_bucket_id
}

resource "aws_s3_bucket_policy" "snapshot_bucket_policy" {
bucket = module.snapshot_bucket.s3_bucket_id

policy = jsonencode({
Version = "2012-10-17",
Statement = concat(
jsondecode(data.aws_s3_bucket_policy.existing_policy.policy)["Statement"], [
{
Sid = "AllowDynamoDBExport",
Effect = "Allow",
Principal = { Service = "dynamodb.amazonaws.com" },
Action = [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
Statement = [
{
Sid = "AWSAccessLogDeliveryWrite",
Effect = "Allow",
Principal = {
Service = "logging.s3.amazonaws.com"
},
Action = "s3:PutObject",
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
},
{
Sid = "AWSAccessLogDeliveryAclCheck",
Effect = "Allow",
Principal = {
Service = "logging.s3.amazonaws.com"
},
Action = "s3:GetBucketAcl",
Resource = "${module.snapshot_bucket.s3_bucket_arn}"
},
{
Sid = "denyInsecureTransport",
Effect = "Deny",
Principal = "*",
Action = "s3:*",
Resource = [
"${module.snapshot_bucket.s3_bucket_arn}",
"${module.snapshot_bucket.s3_bucket_arn}/*"
],
Condition = {
Bool = {
"aws:SecureTransport" = "false"
}
}
])
},
{
Sid = "AllowDynamoDBExport",
Effect = "Allow",
Principal = {
Service = "dynamodb.amazonaws.com"
},
Action = [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
}
]
})
}
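Review bot: Both service-principal grants in the new `Statement` list, `AWSAccessLogDeliveryWrite` and `AllowDynamoDBExport`, carry no `Condition`, so `logging.s3.amazonaws.com` and `dynamodb.amazonaws.com` may write to `${module.snapshot_bucket.s3_bucket_arn}/*` on behalf of any account; the module's `attach_access_log_delivery_policy` option that this hunk removes presumably scoped log delivery with an `aws:SourceAccount` condition (confirm against the 3.15.2 module source), and hand-writing the policy drops that. Add `Condition = { StringEquals = { "aws:SourceAccount" = "<this account id>" } }` to each of those two statements, and for the export statement consider pinning `"aws:SourceArn"` to the exported table's ARN as well. The same hand-written policy appears verbatim in the prod `main.tf` section below and needs the same conditions; since the two copies are already identical, a shared `local` holding the statement list would keep them from drifting.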
73 changes: 50 additions & 23 deletions infrastructure/terraform/per_account/prod/main.tf
Expand Up @@ -101,41 +101,68 @@ resource "aws_route53_zone" "prod-ns" {
}

module "snapshot_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.15.2"
bucket = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
attach_deny_insecure_transport_policy = true
attach_access_log_delivery_policy = true
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.15.2"
bucket = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
versioning = {
enabled = true
}
tags = {
Name = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
}
}

data "aws_s3_bucket_policy" "existing_policy" {
bucket = module.snapshot_bucket.s3_bucket_id
}

resource "aws_s3_bucket_policy" "snapshot_bucket_policy" {
bucket = module.snapshot_bucket.s3_bucket_id

policy = jsonencode({
Version = "2012-10-17",
Statement = concat(
jsondecode(data.aws_s3_bucket_policy.existing_policy.policy)["Statement"], [
{
Sid = "AllowDynamoDBExport",
Effect = "Allow",
Principal = { Service = "dynamodb.amazonaws.com" },
Action = [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
Statement = [
{
Sid = "AWSAccessLogDeliveryWrite",
Effect = "Allow",
Principal = {
Service = "logging.s3.amazonaws.com"
},
Action = "s3:PutObject",
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
},
{
Sid = "AWSAccessLogDeliveryAclCheck",
Effect = "Allow",
Principal = {
Service = "logging.s3.amazonaws.com"
},
Action = "s3:GetBucketAcl",
Resource = "${module.snapshot_bucket.s3_bucket_arn}"
},
{
Sid = "denyInsecureTransport",
Effect = "Deny",
Principal = "*",
Action = "s3:*",
Resource = [
"${module.snapshot_bucket.s3_bucket_arn}",
"${module.snapshot_bucket.s3_bucket_arn}/*"
],
Condition = {
Bool = {
"aws:SecureTransport" = "false"
}
}
])
},
{
Sid = "AllowDynamoDBExport",
Effect = "Allow",
Principal = {
Service = "dynamodb.amazonaws.com"
},
Action = [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
}
]
})
}
Expand Up @@ -286,6 +286,7 @@
"Type": "Task",
"Parameters": {
"S3Bucket": "${etl_snapshot_bucket}",
"S3Prefix.$": "$$.Execution.Name",
"TableArn": "${table_arn}"
},
"Resource": "arn:aws:states:::aws-sdk:dynamodb:exportTableToPointInTime",
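Review bot: The new `S3Prefix.$` takes the execution name unchanged, so each run's export lands at the top level of `${etl_snapshot_bucket}` under whatever name the execution was started with; if executions can be started with caller-supplied names rather than generated ones, the caller chooses the object prefix, and exports share the bucket root with anything else written there, including the access-log objects the bucket policy in this commit permits. Anchoring the prefix, e.g. `"S3Prefix.$": "States.Format('exports/{}/', $$.Execution.Name)"`, keeps exports in a fixed namespace and makes the `AllowDynamoDBExport` resource easier to narrow later. The state containing this `Parameters` block starts before the hunk, and the file's name is not shown in this view.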
