Elide an unnecessarily separate IAM policy for pubapi.

There's no benefit in having a separate, almost-identical IAM policy for Publishing API to write event logs to S3 when both policies are attached to the node role anyway. If we were to someday split up the roles, assign them to serviceaccounts and use pod identity (almost certainly overkill in this case) then it would make sense to have separate policies. Until then, it's just additional toil and potential for confusion (which itself is not good for security).
alphagov · Feb 28, 2024 · 0244cb3 · 0244cb3
1 parent d94f102
commit 0244cb3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 30 deletions.
diff --git a/terraform/deployments/govuk-publishing-infrastructure/publishing_api_s3.tf b/terraform/deployments/govuk-publishing-infrastructure/publishing_api_s3.tf
@@ -1,30 +0,0 @@
-# TODO: merge into policy in reports_s3.tf.
-data "aws_iam_policy_document" "publishing_api_s3" {
-  statement {
-    actions = ["s3:GetBucketLocation", "s3:ListBucket", ]
-    # These buckets don't seem to be defined in alphagov/govuk-aws.
-    resources = ["arn:aws:s3:::govuk-publishing-api-event-log-${var.govuk_environment}"]
-  }
-
-  statement {
-    actions = [
-      "s3:*MultipartUpload*",
-      "s3:*Object",
-      "s3:*ObjectAcl",
-      "s3:*ObjectVersion",
-      "s3:GetObject*Attributes"
-    ]
-    resources = ["arn:aws:s3:::govuk-publishing-api-event-log-${var.govuk_environment}/*"]
-  }
-}
-
-resource "aws_iam_policy" "publishing_api_s3" {
-  name        = "publishing_api_s3"
-  description = "Read and write govuk-publishing-api-event-log-${var.govuk_environment} bucket."
-  policy      = data.aws_iam_policy_document.publishing_api_s3.json
-}
-
-resource "aws_iam_role_policy_attachment" "publishing_api_s3" {
-  role       = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.worker_iam_role_name
-  policy_arn = aws_iam_policy.publishing_api_s3.arn
-}

diff --git a/terraform/deployments/govuk-publishing-infrastructure/reports_s3.tf b/terraform/deployments/govuk-publishing-infrastructure/reports_s3.tf
@@ -7,6 +7,10 @@ resource "aws_s3_bucket" "publisher_csvs" {
   }
 }
 
+# TODO: the govuk-publishing-api-event-log-* buckets don't seem to be defined
+# in alphagov/govuk-aws; define them somewhere appropriate (this module would
+# do for now) and import them.
+
 data "aws_iam_policy_document" "write_reports_to_s3" {
   statement {
     actions = ["s3:GetBucketLocation", "s3:ListBucket"]
@@ -17,6 +21,7 @@ data "aws_iam_policy_document" "write_reports_to_s3" {
       "arn:aws:s3:::govuk-${var.govuk_environment}-specialist-publisher-csvs",
       "arn:aws:s3:::govuk-${var.govuk_environment}-support-api-csvs",
       "arn:aws:s3:::govuk-${var.govuk_environment}-whitehall-csvs",
+      "arn:aws:s3:::govuk-publishing-api-event-log-${var.govuk_environment}",
     ]
   }
 
@@ -35,6 +40,7 @@ data "aws_iam_policy_document" "write_reports_to_s3" {
       "arn:aws:s3:::govuk-${var.govuk_environment}-specialist-publisher-csvs/*",
       "arn:aws:s3:::govuk-${var.govuk_environment}-support-api-csvs/*",
       "arn:aws:s3:::govuk-${var.govuk_environment}-whitehall-csvs/*",
+      "arn:aws:s3:::govuk-publishing-api-event-log-${var.govuk_environment}",
     ]
   }
 }