Allow google_s3_mirror to read from staging
... as well as integration.

The idea here is to mirror from staging instead of integration, so that we can reduce the frequency that the integration databases are restored. See alphagov/govuk-helm-charts#2719 for more context.

Initially, we need to allow reading from both environments, otherwise we'll break the current mirroring from integration. There's probably no harm in it being able to read both in the long term, but strictly speaking it should only need staging once we've switched it over.

This produces no-changes plans in integration and production. In staging we have:

Terraform will perform the following actions:

  # aws_iam_policy.google-s3-mirror[0] will be created
  + resource "aws_iam_policy" "google-s3-mirror" {
      + arn         = (known after apply)
      + description = "Allows a Google Cloud Platform project to mirror S3 buckets."
      + id          = (known after apply)
      + name        = "google-s3-mirror"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:List*",
                          + "s3:Get*",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::govuk-staging-database-backups/*",
                          + "arn:aws:s3:::govuk-staging-database-backups",
                        ]
                      + Sid      = "GoogleReadBucket"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_role.google-s3-mirror[0] will be created
  + resource "aws_iam_role" "google-s3-mirror" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRoleWithWebIdentity"
                      + Condition = {
                          + StringEquals = {
                              + accounts.google.com:sub = "107768730699967087212"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "accounts.google.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "google-s3-mirror"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # aws_iam_role_policy_attachment.google-s3-mirror-access[0] will be created
  + resource "aws_iam_role_policy_attachment" "google-s3-mirror-access" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "google-s3-mirror"
    }

Plan: 3 to add, 0 to change, 0 to destroy.
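The plan above grants a Google identity read access to a backups bucket through a web-identity trust. The two properties worth checking on every change to such a role are that the bucket policy stays read-only and limited to the intended buckets, and that the trust policy pins the exact Google subject rather than trusting any Google account. The following script is an added example, not code from this commit or from the alphagov repositories; it reconstructs the two policy documents from the plan output and adds the integration bucket the commit message says must remain readable during the switch-over (that bucket's name is an assumption following the staging naming pattern), then runs the two checks over them and over deliberately weakened variants.

```python
"""Static least-privilege checks for a cross-cloud S3 mirror role.

Added example. The policy documents are constructed from the Terraform plan
in the commit message; the integration bucket name is assumed.
"""
import json

# Buckets the mirror may read. Staging comes from the plan; the integration
# name is an assumption. Once mirroring has moved to staging, the integration
# entry should be dropped and the check will then flag its ARNs.
EXPECTED_BUCKETS = {
    "govuk-staging-database-backups",
    "govuk-integration-database-backups",
}

# The Google service-account subject pinned in the plan's trust policy.
EXPECTED_GOOGLE_SUB = "107768730699967087212"

# Constructed from the plan, extended with the integration bucket.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GoogleReadBucket",
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": [
            "arn:aws:s3:::govuk-staging-database-backups/*",
            "arn:aws:s3:::govuk-staging-database-backups",
            "arn:aws:s3:::govuk-integration-database-backups/*",
            "arn:aws:s3:::govuk-integration-database-backups",
        ],
    }],
})

# Constructed from the plan's assume_role_policy.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "accounts.google.com"},
        "Condition": {"StringEquals": {"accounts.google.com:sub": EXPECTED_GOOGLE_SUB}},
    }],
})

# Deliberately weak variants (constructed) to show what the checks reject:
# a write action plus a wildcard resource, and a trust policy with no subject pin.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:Put*"], "Resource": "*"}],
})
UNSCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "accounts.google.com"},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _bucket_name(arn):
    """Return the bucket part of an S3 ARN, or None for anything else (including '*')."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    return arn[len(prefix):].split("/", 1)[0]


def check_bucket_policy(policy_json, allowed_buckets=EXPECTED_BUCKETS):
    """Return findings; an empty list means every Allow is read-only and scoped to allowed_buckets."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource inverts the grant; use explicit lists")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; only Get*/List* count as read-only here.
            if not action.lower().startswith(("s3:get", "s3:list")):
                findings.append(f"non-read action granted: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            bucket = _bucket_name(resource)
            if bucket is None or bucket not in allowed_buckets:
                findings.append(f"resource outside the expected buckets: {resource}")
    return findings


def check_trust_policy(trust_json, expected_sub=EXPECTED_GOOGLE_SUB):
    """Return findings; an empty list means only the pinned Google subject can assume the role."""
    findings = []
    for stmt in _as_list(json.loads(trust_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != {"Federated": "accounts.google.com"}:
            findings.append(f"unexpected principal: {stmt.get('Principal')}")
        sub = stmt.get("Condition", {}).get("StringEquals", {}).get("accounts.google.com:sub")
        if sub != expected_sub:
            findings.append("accounts.google.com:sub is not pinned with StringEquals; "
                            "any Google identity could assume the role")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("bucket policy", check_bucket_policy(BUCKET_POLICY)),
        ("trust policy", check_trust_policy(TRUST_POLICY)),
        ("overbroad bucket policy", check_bucket_policy(OVERBROAD_POLICY)),
        ("unscoped trust policy", check_trust_policy(UNSCOPED_TRUST_POLICY)),
    ):
        print(label, "OK" if not findings else findings)
```

Running the checks with `allowed_buckets` reduced to the staging bucket alone is the natural follow-up once the switch-over is complete: the integration ARNs then surface as findings, which is the signal to remove them from the policy.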