From a38835e8bb5d52dfd7b2de53bf3394390ef3ad48 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Mon, 30 Sep 2024 15:35:58 +0100 Subject: [PATCH 1/5] refine athena policy and add cur reports bucket --- .../core-logging/observability.tf | 131 +++++++++++++++++- 1 file changed, 130 insertions(+), 1 deletion(-) diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf index b780aba85..f39a20943 100644 --- a/terraform/environments/core-logging/observability.tf +++ b/terraform/environments/core-logging/observability.tf @@ -4,8 +4,25 @@ module "observability_platform_tenant" { observability_platform_account_id = local.environment_management.account_ids["observability-platform-production"] + additional_policies = { + athena_policy = resource.aws_iam_policy_document.additional_athena_policy + } + tags = local.tags } + +# Assume Role Policy for Grafana-Athena +data "aws_iam_policy_document" "grafana_athena_assume_role_policy" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["athena.amazonaws.com"] + } + } +} + # Grafana-Athena Role resource "aws_iam_role" "grafana_athena" { name = "grafana-athena" @@ -57,7 +74,7 @@ resource "aws_iam_role_policy_attachment" "grafana_athena_attachment" { # S3 bucket for Grafana Athena query results module "s3-grafana-athena-query-results" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9" + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9" # v8.1.0 bucket_prefix = "grafana-athena-query-results-" versioning_enabled = true ownership_controls = "BucketOwnerEnforced" 
@@ -110,6 +127,61 @@ module "s3-grafana-athena-query-results" { tags = local.tags } +# S3 bucket for CUR Reports +module "s3-moj-cur-reports-modplatform" { + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=4e17731f72ef24b804207f55b182f49057e73ec9" # v8.1.0 + bucket_prefix = "moj-cur-reports-modplatform-" + versioning_enabled = true + ownership_controls = "BucketOwnerEnforced" + replication_enabled = false + providers = { + aws.bucket-replication = aws + } + + lifecycle_rule = [ + { + id = "main" + enabled = "Enabled" + prefix = "" + + tags = { + rule = "log" + autoclean = "true" + } + + transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + expiration = { + days = 730 + } + + noncurrent_version_transition = [ + { + days = 90 + storage_class = "STANDARD_IA" + }, { + days = 365 + storage_class = "GLACIER" + } + ] + + noncurrent_version_expiration = { + days = 730 + } + } + ] + + tags = local.tags +} + resource "aws_athena_workgroup" "mod-platform-cur-reports" { name = "mod-platform-cur-reports" 
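Review bot: The lifecycle rule in the new `s3-moj-cur-reports-modplatform` module combines `prefix = ""` with `tags = { rule = "log", autoclean = "true" }`; if the module turns that map into a lifecycle filter (as the provider's `aws_s3_bucket_lifecycle_configuration` does), the transitions and the 730-day expiration apply only to objects carrying both tags, and CUR files written by the billing service will not carry them, so nothing would ever transition or expire. Either drop the `tags` map so the rule is bucket-wide, or confirm against the module at the pinned ref how `tags` is used and leave a comment saying so. Separately, CUR delivery needs a bucket policy granting the billing service principal `s3:PutObject`, `s3:GetBucketAcl` and `s3:GetBucketPolicy`; nothing in this hunk adds one, so presumably the module or another file does, and a one-line comment above the module pointing at where that policy lives would save the next reader the search.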
@@ -125,3 +197,60 @@ resource "aws_athena_workgroup" "mod-platform-cur-reports" { } } } + +resource "aws_iam_policy_document" "additional_athena_policy" { + statement = { + sid = "AthenaQueryAccess" + effect = "Allow" + actions = [ + "athena:ListDatabases", + "athena:ListDataCatalogs", + "athena:ListWorkGroups", + "athena:GetDatabase", + "athena:GetDataCatalog", + "athena:GetQueryExecution", + "athena:GetQueryResults", + "athena:GetTableMetadata", + "athena:GetWorkGroup", + "athena:ListTableMetadata", + "athena:StartQueryExecution", + "athena:StopQueryExecution" + ] + + Resource = ["*"] + } + statement { + sid = "GlueReadAccess" + effect = "Allow" + action = [ + "glue:GetDatabase", + "glue:GetDatabases", + "glue:GetTable", + "glue:GetTables", + "glue:GetPartition", + "glue:GetPartitions", + "glue:BatchGetPartition" + ] + Resource = ["*"] + } + statement { + sid = "AthenaS3Access" + effect = "Allow" + action = [ + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:ListMultipartUploadParts", + "s3:AbortMultipartUpload", + "s3:PutObject" + ] + Resource = ["arn:aws:s3:::aws-athena-query-results-*"] + } + statement { + sid = "AthenaCURReportsAccess" + effect = "Allow" + action = ["s3:GetObject", "s3:ListBucket"] + resource = ["arn:aws:s3:::moj-cur-reports-modplatform*"] + } +} From df6d577830100748c8f243050a54322d4fe71c9d Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Mon, 30 Sep 2024 15:48:21 +0100 Subject: [PATCH 2/5] remove duplicate policy --- terraform/environments/core-logging/observability.tf | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf index f39a20943..6e79601d6 100644 --- a/terraform/environments/core-logging/observability.tf +++ b/terraform/environments/core-logging/observability.tf 
@@ -11,18 +11,6 @@ module "observability_platform_tenant" { tags = local.tags } -# Assume Role Policy for Grafana-Athena -data "aws_iam_policy_document" "grafana_athena_assume_role_policy" { - statement { - actions = ["sts:AssumeRole"] - - principals { - type = "Service" - identifiers = ["athena.amazonaws.com"] - } - } -} - # Grafana-Athena Role resource "aws_iam_role" "grafana_athena" { name = "grafana-athena" From 0764e627b85bb533f4c88461d10bcfa1e060326a Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Mon, 30 Sep 2024 16:24:08 +0100 Subject: [PATCH 3/5] additional policy --- .../core-logging/observability.tf | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf index 6e79601d6..c7095ce03 100644 --- a/terraform/environments/core-logging/observability.tf +++ b/terraform/environments/core-logging/observability.tf @@ -1,11 +1,10 @@ module "observability_platform_tenant" { - source = "github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b" # v1.2.0 observability_platform_account_id = local.environment_management.account_ids["observability-platform-production"] additional_policies = { - athena_policy = resource.aws_iam_policy_document.additional_athena_policy + additional_athena_policy = aws_iam_policy.additional_athena_policy.arn } tags = local.tags @@ -29,7 +28,7 @@ data "aws_iam_policy_document" "grafana_athena_assume_role_policy" { } } -# Grafana-Athena S3 Access Policy (Note: remove aws_iam_role reference) +# Grafana-Athena S3 Access Policy data "aws_iam_policy_document" "grafana_athena_policy" { statement { sid = "s3Access" @@ -170,6 +169,7 @@ module "s3-moj-cur-reports-modplatform" { tags = local.tags } +# Athena Workgroup for CUR Reports resource "aws_athena_workgroup" "mod-platform-cur-reports" { name = "mod-platform-cur-reports" 
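Review bot: The first hunk of this patch removes the `source = "github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c82…" # v1.2.0` line from `module "observability_platform_tenant"` without replacing it, and the diffstat (19 insertions, 13 deletions) only balances if that line is gone for good; a module block with no `source` fails `terraform init` with a missing required argument error. Unless the source is intentionally moving to another file, restore the line. The replacement `additional_athena_policy = aws_iam_policy.additional_athena_policy.arn` looks right for a map of policy ARNs, but whether the tenant module's `additional_policies` variable expects ARNs or documents is outside this diff, so confirm against the module at that ref.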
@@ -186,8 +186,9 @@ resource "aws_athena_workgroup" "mod-platform-cur-reports" { } } -resource "aws_iam_policy_document" "additional_athena_policy" { - statement = { +# Additional Athena Policy +data "aws_iam_policy_document" "additional_athena_policy" { + statement { sid = "AthenaQueryAccess" effect = "Allow" actions = [ @@ -204,13 +205,12 @@ resource "aws_iam_policy_document" "additional_athena_policy" { "athena:StartQueryExecution", "athena:StopQueryExecution" ] - - Resource = ["*"] + resources = ["*"] } statement { sid = "GlueReadAccess" effect = "Allow" - action = [ + actions = [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", @@ -219,12 +219,12 @@ resource "aws_iam_policy_document" "additional_athena_policy" { "glue:GetPartitions", "glue:BatchGetPartition" ] - Resource = ["*"] + resources = ["*"] } statement { sid = "AthenaS3Access" effect = "Allow" - action = [ + actions = [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", @@ -233,12 +233,18 @@ resource "aws_iam_policy_document" "additional_athena_policy" { "s3:AbortMultipartUpload", "s3:PutObject" ] - Resource = ["arn:aws:s3:::aws-athena-query-results-*"] + resources = ["arn:aws:s3:::aws-athena-query-results-*"] } statement { sid = "AthenaCURReportsAccess" effect = "Allow" - action = ["s3:GetObject", "s3:ListBucket"] - resource = ["arn:aws:s3:::moj-cur-reports-modplatform*"] + actions = ["s3:GetObject", "s3:ListBucket"] + resources = ["arn:aws:s3:::moj-cur-reports-modplatform*"] } } + +# Create an IAM policy from the additional Athena policy document +resource "aws_iam_policy" "additional_athena_policy" { + name = "additional-athena-policy" + policy = data.aws_iam_policy_document.additional_athena_policy.json +} From d89516a8d07d9a59f66678c84837458b2f2942b4 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Mon, 30 Sep 2024 16:35:30 +0100 Subject: [PATCH 4/5] update bucket prefix --- terraform/environments/core-logging/observability.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
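Review bot: The `AthenaQueryAccess` statement keeps `resources = ["*"]` for `athena:StartQueryExecution`, `athena:StopQueryExecution`, `athena:GetQueryExecution`, `athena:GetQueryResults` and `athena:GetWorkGroup`, so the Grafana role can run and read queries in every workgroup in the account rather than only the `mod-platform-cur-reports` workgroup this file defines. Those five actions are workgroup-scoped in IAM and can be pinned to `aws_athena_workgroup.mod-platform-cur-reports.arn`, leaving only the list/catalog actions on `*`; that also removes most of the justification for the `CKV_AWS_356` skip added in the last patch. This assumes the Grafana Athena datasource is configured to use that workgroup rather than `primary` — confirm before tightening. The statement opens in the previous hunk and the `GlueReadAccess` statement continues past this one.
```hcl
  statement {
    sid    = "AthenaQueryAccess"
    effect = "Allow"
    actions = [
      "athena:GetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetWorkGroup",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution"
    ]
    # Workgroup-scoped actions: restrict to the CUR workgroup so the role
    # cannot run or read queries in other workgroups (including primary).
    resources = [aws_athena_workgroup.mod-platform-cur-reports.arn]
  }
  statement {
    sid    = "AthenaCatalogAccess"
    effect = "Allow"
    actions = [
      "athena:ListDatabases",
      "athena:ListDataCatalogs",
      "athena:ListWorkGroups",
      "athena:GetDatabase",
      "athena:GetDataCatalog",
      "athena:GetTableMetadata",
      "athena:ListTableMetadata"
    ]
    # List/catalog actions are not workgroup-scoped; "*" is required here.
    resources = ["*"]
  }
  # … unchanged: GlueReadAccess statement …
```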
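Review bot: `AthenaCURReportsAccess` grants `s3:GetObject` and `s3:ListBucket` on `arn:aws:s3:::moj-cur-reports-modplatform*`, a name-prefix wildcard, even though the bucket is created in this same file by `module "s3-moj-cur-reports-modplatform"`; referencing the module's bucket ARN pins the grant to that one bucket and gives `ListBucket` the bucket ARN and `GetObject` the object ARN each action actually matches on, e.g. `resources = [module.s3-moj-cur-reports-modplatform.bucket.arn, "${module.s3-moj-cur-reports-modplatform.bucket.arn}/*"]`. The exact output name depends on the s3-bucket module at the pinned ref, so check it. The new `aws_iam_policy.additional_athena_policy` resource also has no `description` and no `tags = local.tags`, unlike the module blocks in this file; a `description = "Athena, Glue and S3 read access for the Grafana CUR datasource"` would make the policy self-explanatory in the console.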
diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf index c7095ce03..7c02c165b 100644 --- a/terraform/environments/core-logging/observability.tf +++ b/terraform/environments/core-logging/observability.tf @@ -233,7 +233,7 @@ data "aws_iam_policy_document" "additional_athena_policy" { "s3:AbortMultipartUpload", "s3:PutObject" ] - resources = ["arn:aws:s3:::aws-athena-query-results-*"] + resources = ["arn:aws:s3:::grafana-athena-query-results-*"] } statement { sid = "AthenaCURReportsAccess" From cb8bd5ef76f4fbb64482031be949278b0a5b7a74 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Mon, 30 Sep 2024 16:43:37 +0100 Subject: [PATCH 5/5] TSA warnings --- terraform/environments/core-logging/observability.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/core-logging/observability.tf b/terraform/environments/core-logging/observability.tf index 7c02c165b..1156c80a1 100644 --- a/terraform/environments/core-logging/observability.tf +++ b/terraform/environments/core-logging/observability.tf @@ -188,6 +188,8 @@ resource "aws_athena_workgroup" "mod-platform-cur-reports" { # Additional Athena Policy data "aws_iam_policy_document" "additional_athena_policy" { +#checkov:skip=CKV_AWS_356: Needs to access multiple resources +#checkov:skip=CKV_AWS_111 statement { sid = "AthenaQueryAccess" effect = "Allow"
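Review bot: Changing the prefix to `grafana-athena-query-results-*` still leaves the `AthenaS3Access` statement, which includes `s3:PutObject` and `s3:AbortMultipartUpload`, matching any bucket whose name begins with that string; the results bucket is created in this file by `module "s3-grafana-athena-query-results"`, so the statement can reference it directly, e.g. `resources = [module.s3-grafana-athena-query-results.bucket.arn, "${module.s3-grafana-athena-query-results.bucket.arn}/*"]`. The output name depends on the module at the pinned ref. If that bucket is encrypted with a customer-managed KMS key, the role will also need `kms:GenerateDataKey` and `kms:Decrypt` on it, which nothing in this series adds — cannot tell from here whether it is.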
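Review bot: The added `#checkov:skip=CKV_AWS_111` line carries no justification, unlike the `CKV_AWS_356` skip above it, so the next reader cannot tell which write permission was reviewed or why it is acceptable; checkov accepts free text after the check ID, e.g. `#checkov:skip=CKV_AWS_111: Athena must write query results (s3:PutObject/AbortMultipartUpload) to the results bucket`. The `CKV_AWS_356` reason, "Needs to access multiple resources", would be more defensible if it named them: the Glue catalog and the Athena list/catalog actions genuinely require `*`, whereas the workgroup-scoped Athena actions in the same document do not, so a reviewer reading the skip should not take it as covering the whole policy.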