DT-1395: Sharing staging S3 DAP bucket with Funding Service Find team

terraform/modules/marklogic/dap_export_s3.tf

@@ -31,6 +31,21 @@ data "aws_iam_policy_document" "allow_access_from_dap" {
       "${module.dap_export_bucket.bucket_arn}/latest/*",
     ]
   }
+  statement {
+    sid    = "AllowExternalBucketAccess"
+    effect = "Allow"
+    principals {
+      type        = "CanonicalUser"
+      identifiers = var.dap_external_canonical_users
+    }
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = [
+      module.dap_export_bucket.bucket_arn,
+      "${module.dap_export_bucket.bucket_arn}/latest/*",
+    ]
+  }
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "dap_export" {

terraform/modules/marklogic/variables.tf

@@ -100,6 +100,10 @@ variable "dap_external_role_arns" {
   type = list(string)
 }
 
+variable "dap_external_canonical_users" {
+  type = list(string)
+}
+
 variable "marklogic_ami_version" {
   type = string
 

terraform/production/main.tf

@@ -229,9 +229,10 @@ module "marklogic" {
   alarms_sns_topic_arn                    = module.notifications.alarms_sns_topic_arn
   data_disk_usage_alarm_threshold_percent = 55
   dap_external_role_arns                  = var.dap_external_role_arns
+  dap_external_canonical_users            = var.dap_external_canonical_users
   dap_job_notification_emails = concat(
     local.all_notifications_email_addresses,
-    ["deltastatsupport@levellingup.gov.uk"]
+    ["deltastatsupport@communities.gov.uk"]
   )
   backup_replication_bucket          = module.backup_replication_bucket.bucket
   ebs_backup_role_arn                = module.ebs_backup.role_arn

terraform/production/variables.tf

@@ -54,3 +54,8 @@ variable "dap_external_role_arns" {
   # "DSQSS" is DAP's staging/test server. Added here for MSD-54917, informed they exist in the same environment.
   default = ["arn:aws:iam::062321884391:role/DSQL1", "arn:aws:iam::062321884391:role/DSQSS"]
 }
+
+variable "dap_external_canonical_users" {
+  type    = list(string)
+  default = []
+}

terraform/staging/main.tf

@@ -317,6 +317,7 @@ module "marklogic" {
   alarms_sns_topic_arn                    = module.notifications.alarms_sns_topic_arn
   data_disk_usage_alarm_threshold_percent = 70
   dap_external_role_arns                  = var.dap_external_role_arns
+  dap_external_canonical_users            = var.dap_external_canonical_users
   dap_job_notification_emails             = local.all_notifications_email_addresses
   backup_replication_bucket               = module.backup_replication_bucket.bucket
   ebs_backup_role_arn                     = module.ebs_backup.role_arn

terraform/staging/variables.tf

@@ -53,3 +53,9 @@ variable "dap_external_role_arns" {
   type    = list(string)
   default = ["arn:aws:iam::062321884391:role/DSQSS"]
 }
+
+variable "dap_external_canonical_users" {
+  type        = list(string)
+  description = "Funding service accounts that we wish to have access to staging DAP S3 bucket"
+  default     = ["4a20e1ecba266786127536b068cbbf222b344a2e21024029f1a778f98e8667c0", "5544757b63b565e6774e61121ba15cfa98206f1629455df924f60d942a861d56"]
+}

terraform/test/main.tf

@@ -322,6 +322,7 @@ module "marklogic" {
   alarms_sns_topic_arn                    = module.notifications.alarms_sns_topic_arn
   data_disk_usage_alarm_threshold_percent = 70
   dap_external_role_arns                  = var.dap_external_role_arns
+  dap_external_canonical_users            = var.dap_external_canonical_users
   dap_job_notification_emails             = local.all_notifications_email_addresses
   backup_replication_bucket               = module.backup_replication_bucket.bucket
   ebs_backup_role_arn                     = module.ebs_backup.role_arn

terraform/test/variables.tf

@@ -52,3 +52,8 @@ variable "dap_external_role_arns" {
   type    = list(string)
   default = ["arn:aws:iam::062321884391:role/DSQSS"]
 }
+
+variable "dap_external_canonical_users" {
+  type    = list(string)
+  default = []
+}