Merge pull request #8121 from ministryofjustice/obs-plat/athena-policies

🧪 Refine athena policy and add cur reports bucket
ministryofjustice · Sep 30, 2024 · 2704165 · 2704165
2 parents d4ed173 + cb8bd5e
commit 2704165
Showing 1 changed file with 128 additions and 3 deletions.
diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf
@@ -1,11 +1,15 @@
 module "observability_platform_tenant" {
-
   source = "github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b" # v1.2.0
 
   observability_platform_account_id = local.environment_management.account_ids["observability-platform-production"]
 
+  additional_policies = {
+    additional_athena_policy = aws_iam_policy.additional_athena_policy.arn
+  }
+
   tags = local.tags
 }
+
 # Grafana-Athena Role
 resource "aws_iam_role" "grafana_athena" {
   name               = "grafana-athena"
@@ -24,7 +28,7 @@ data "aws_iam_policy_document" "grafana_athena_assume_role_policy" {
   }
 }
 
-# Grafana-Athena S3 Access Policy (Note: remove aws_iam_role reference)
+# Grafana-Athena S3 Access Policy
 data "aws_iam_policy_document" "grafana_athena_policy" {
   statement {
     sid    = "s3Access"
@@ -57,7 +61,7 @@ resource "aws_iam_role_policy_attachment" "grafana_athena_attachment" {
 
 # S3 bucket for Grafana Athena query results
 module "s3-grafana-athena-query-results" {
-  source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9"
+  source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9" # v8.1.0
   bucket_prefix       = "grafana-athena-query-results-"
   versioning_enabled  = true
   ownership_controls  = "BucketOwnerEnforced"
@@ -110,6 +114,62 @@ module "s3-grafana-athena-query-results" {
   tags = local.tags
 }
 
+# S3 bucket for CUR Reports
+module "s3-moj-cur-reports-modplatform" {
+  source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9" # v8.1.0
+  bucket_prefix       = "moj-cur-reports-modplatform-"
+  versioning_enabled  = true
+  ownership_controls  = "BucketOwnerEnforced"
+  replication_enabled = false
+  providers = {
+    aws.bucket-replication = aws
+  }
+
+  lifecycle_rule = [
+    {
+      id      = "main"
+      enabled = "Enabled"
+      prefix  = ""
+
+      tags = {
+        rule      = "log"
+        autoclean = "true"
+      }
+
+      transition = [
+        {
+          days          = 90
+          storage_class = "STANDARD_IA"
+          }, {
+          days          = 365
+          storage_class = "GLACIER"
+        }
+      ]
+
+      expiration = {
+        days = 730
+      }
+
+      noncurrent_version_transition = [
+        {
+          days          = 90
+          storage_class = "STANDARD_IA"
+          }, {
+          days          = 365
+          storage_class = "GLACIER"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        days = 730
+      }
+    }
+  ]
+
+  tags = local.tags
+}
+
+# Athena Workgroup for CUR Reports
 resource "aws_athena_workgroup" "mod-platform-cur-reports" {
   name = "mod-platform-cur-reports"
 
@@ -125,3 +185,68 @@ resource "aws_athena_workgroup" "mod-platform-cur-reports" {
     }
   }
 }
+
+# Additional Athena Policy
+data "aws_iam_policy_document" "additional_athena_policy" {
+#checkov:skip=CKV_AWS_356: Needs to access multiple resources
+#checkov:skip=CKV_AWS_111
+  statement {
+    sid     = "AthenaQueryAccess"
+    effect  = "Allow"
+    actions = [
+      "athena:ListDatabases",
+      "athena:ListDataCatalogs",
+      "athena:ListWorkGroups",
+      "athena:GetDatabase",
+      "athena:GetDataCatalog",
+      "athena:GetQueryExecution",
+      "athena:GetQueryResults",
+      "athena:GetTableMetadata",
+      "athena:GetWorkGroup",
+      "athena:ListTableMetadata",
+      "athena:StartQueryExecution",
+      "athena:StopQueryExecution"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid = "GlueReadAccess"
+    effect = "Allow"
+    actions = [
+      "glue:GetDatabase",
+      "glue:GetDatabases",
+      "glue:GetTable",
+      "glue:GetTables",
+      "glue:GetPartition",
+      "glue:GetPartitions",
+      "glue:BatchGetPartition"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid = "AthenaS3Access"
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListMultipartUploadParts",
+      "s3:AbortMultipartUpload",
+      "s3:PutObject"
+    ]
+    resources = ["arn:aws:s3:::grafana-athena-query-results-*"]
+  }
+  statement {
+    sid = "AthenaCURReportsAccess"
+    effect = "Allow"
+    actions = ["s3:GetObject", "s3:ListBucket"]
+    resources = ["arn:aws:s3:::moj-cur-reports-modplatform*"]
+  }
+}
+
+# Create an IAM policy from the additional Athena policy document
+resource "aws_iam_policy" "additional_athena_policy" {
+  name   = "additional-athena-policy"
+  policy = data.aws_iam_policy_document.additional_athena_policy.json
+}