Merge pull request #553 from ministryofjustice/s3-migration

Swap to IRSA generated service account

app/controllers/health_controller.rb

@@ -13,6 +13,6 @@ def readiness
   private
 
   def internal_bucket_client
-    Aws::S3::Client.new(Rails.configuration.x.s3_internal_bucket_config)
+    Aws::S3::Client.new
   end
 end

app/controllers/presigned_s3_urls_controller.rb

@@ -32,15 +32,10 @@ def downloader
   def uploader
     @uploader ||= Storage::S3::Uploader.new(
       key: SecureRandom.uuid,
-      bucket: public_bucket,
-      s3_config: external_bucket_s3_config
+      bucket: public_bucket
     )
   end
 
-  def external_bucket_s3_config
-    Rails.configuration.x.s3_external_bucket_config
-  end
-
   def key
     @key ||= KeyForFile.new(
       user_id: params[:user_id],

app/services/storage/s3/uploader.rb

@@ -3,10 +3,9 @@
 module Storage
   module S3
     class Uploader
-      def initialize(key:, bucket:, s3_config: default_s3_config)
+      def initialize(key:, bucket:)
         @key = key
         @bucket = bucket
-        @s3_config = s3_config
       end
 
       def upload(file_data:)
@@ -38,14 +37,12 @@ def s3_url
 
       private
 
-      attr_accessor :key, :bucket, :s3_config
+      attr_accessor :key, :bucket
 
-      def default_s3_config
-        Rails.configuration.x.s3_internal_bucket_config
-      end
+      REGION = 'eu-west-2'.freeze
 
       def client
-        @client ||= Aws::S3::Client.new(s3_config)
+        @client ||= Aws::S3::Client.new(region: REGION)
       end
     end
   end

config/application.rb

@@ -34,14 +34,6 @@ class Application < Rails::Application
     # Only loads a smaller set of middleware suitable for API only apps.
     # Middleware like session, flash, cookies can be added back manually.
     # Skip views, helpers and assets when generating a new resource.
-    config.x.s3_internal_bucket_config = {
-      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
-      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY')
-    }
-    config.x.s3_external_bucket_config = {
-      access_key_id: ENV.fetch('AWS_S3_EXTERNAL_BUCKET_ACCESS_KEY_ID'),
-      secret_access_key: ENV.fetch('AWS_S3_EXTERNAL_BUCKET_SECRET_ACCESS_KEY')
-    }
     config.api_only = true
   end
 end

config/environments/test.rb

@@ -47,16 +47,6 @@
 
   # Annotate rendered view with file names.
   # config.action_view.annotate_rendered_view_with_filenames = true
-  config.x.s3_internal_bucket_config = {
-    access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
-    secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
-    stub_responses: true
-  }
-  config.x.s3_external_bucket_config = {
-    access_key_id: ENV.fetch('AWS_S3_EXTERNAL_BUCKET_ACCESS_KEY_ID'),
-    secret_access_key: ENV.fetch('AWS_S3_EXTERNAL_BUCKET_SECRET_ACCESS_KEY'),
-    stub_responses: true
-  }
 
   config.hosts.clear
 end

deploy-eks/fb-user-filestore-chart/templates/deployment.yaml

@@ -22,7 +22,7 @@ spec:
         fb-service-token-cache-access: "true"
         tier: "frontend"
     spec:
-      serviceAccountName: "formbuilder-user-filestore-{{ .Values.environmentName }}"
+      serviceAccountName: "user-filestore-irsa-{{ .Values.environmentName }}"
       containers:
       - name: "fb-user-filestore-api-{{ .Values.environmentName }}"
         image: "754256621582.dkr.ecr.eu-west-2.amazonaws.com/formbuilder/fb-user-filestore-api:{{ .Values.circleSha1 }}"
@@ -70,16 +70,6 @@ spec:
               secretKeyRef:
                 name: fb-user-filestore-api-secrets-{{ .Values.environmentName }}
                 key: key_encryption_iv
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: s3-formbuilder-user-filestore-{{ .Values.environmentName }}
-                key: access_key_id
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: s3-formbuilder-user-filestore-{{ .Values.environmentName }}
-                key: secret_access_key
           - name: AWS_S3_BUCKET_NAME
             valueFrom:
               secretKeyRef:
@@ -110,16 +100,6 @@ spec:
               secretKeyRef:
                 name: json-output-attachments-s3-bucket-{{ .Values.environmentName }}
                 key: bucket_arn
-          - name: AWS_S3_EXTERNAL_BUCKET_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: json-output-attachments-s3-bucket-{{ .Values.environmentName }}
-                key: access_key_id
-          - name: AWS_S3_EXTERNAL_BUCKET_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: json-output-attachments-s3-bucket-{{ .Values.environmentName }}
-                key: secret_access_key
       volumes:
         - name: tmp-files
           emptyDir: {}

spec/services/storage/s3/uploader_spec.rb

@@ -65,36 +65,4 @@
       end
     end
   end
-
-  context 'when different S3 credentials are required' do
-    let(:bucket) { ENV['AWS_S3_EXTERNAL_BUCKET_NAME'] }
-
-    context 'with default credentials' do
-      let(:subject) { described_class.new(key: key, bucket: bucket) }
-      let(:expected_config) do
-        {
-          access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
-          secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
-          stub_responses: true
-        }
-      end
-
-      it 'should create the S3 client with the default credentials' do
-        expect(Aws::S3::Client).to receive(:new).with(expected_config).and_call_original
-        subject.upload(file_data: "abc")
-      end
-    end
-
-    context 'with alternative credentials' do
-      let(:subject) do
-        described_class.new(key: key, bucket: bucket, s3_config: external_config)
-      end
-      let(:external_config) { Rails.configuration.x.s3_external_bucket_config }
-
-      it 'should create the S3 client with the injected credentials' do
-        expect(Aws::S3::Client).to receive(:new).with(external_config).and_call_original
-        subject.upload(file_data: "abc")
-      end
-    end
-  end
 end