VEGA-2289 - Remove redundant keys and sort permissions for cross region replication #minor
sixdaysandy committed Feb 7, 2024
1 parent ecdf94d commit ac8ef70
Showing 12 changed files with 38 additions and 149 deletions.
5 changes: 3 additions & 2 deletions terraform/environment/.envrc
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Terraform
export TF_WORKSPACE=development
export TF_VAR_default_role=operator
export TF_WORKSPACE=103vega2289
export TF_VAR_app_version=v4.29.0-VEGA2289.3
export TF_VAR_default_role=breakglass
export TF_VAR_management_role=operator

export TF_CLI_ARGS_init="-backend-config=role_arn=arn:aws:iam::311462405659:role/operator"
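Review bot: The committed `.envrc` now pins `TF_WORKSPACE=103vega2289`, a ticket-specific `TF_VAR_app_version`, and `TF_VAR_default_role=breakglass`, which read like one developer's local settings rather than the repository default the commit message ("remove redundant keys") describes. Defaulting every direnv user to the breakglass role widens the blast radius of a routine `terraform plan`/`apply`, and a ticket-named workspace goes stale the moment this merges. If that was not the intent, restore `export TF_WORKSPACE=development` and `export TF_VAR_default_role=operator` here and keep the branch-specific values in an untracked local override.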
4 changes: 3 additions & 1 deletion terraform/environment/data_sources.tf
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
data "aws_caller_identity" "current" {}
data "aws_caller_identity" "current" {
provider = aws.eu_west_1
}
28 changes: 5 additions & 23 deletions terraform/environment/s3.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,22 +18,6 @@ data "aws_iam_policy_document" "s3_replication_role_assume_role" {
}
}

module "s3_replica_kms_key" {
source = "../modules/s3_multi_region_replica_key"

bucket_arns = [
module.s3_lpa_store_static_eu_west_1.bucket.arn,
module.s3_lpa_store_static_eu_west_2.bucket.arn,
]

environment_name = local.environment_name
s3_replication_role = aws_iam_role.s3_replication_role
providers = {
aws.eu-west-1 = aws
aws.eu-west-2 = aws.eu_west_2
}
}

module "s3_lpa_store_static_eu_west_1" {
source = "../modules/s3_multi_region_replica_bucket"
# accounts_allowed_to_read = [local.backup_account]
Expand All @@ -43,17 +27,16 @@ module "s3_lpa_store_static_eu_west_1" {
[{
account_id = data.aws_caller_identity.current.account_id,
bucket = module.s3_lpa_store_static_eu_west_2.bucket
kms_key_arn = module.s3_replica_kms_key.eu_west_2.arn
kms_key_arn = module.s3_lpa_store_static_eu_west_2.encryption_kms_key.arn
}],
local.cross_account_s3_replica_config)
replication_kms_key_arns = [
module.s3_replica_kms_key.eu_west_1.arn,
module.s3_replica_kms_key.eu_west_2.arn
module.s3_lpa_store_static_eu_west_2.encryption_kms_key.arn
]
s3_access_logging_bucket = "s3-access-logs-opg-lpa-store-${local.environment.account_name}-eu-west-1"
s3_replication_role = aws_iam_role.s3_replication_role
providers = {
aws = aws
aws = aws.eu_west_1
}
}

Expand All @@ -66,12 +49,11 @@ module "s3_lpa_store_static_eu_west_2" {
[{
account_id = data.aws_caller_identity.current.account_id,
bucket = module.s3_lpa_store_static_eu_west_1.bucket
kms_key_arn = module.s3_replica_kms_key.eu_west_1.arn
kms_key_arn = module.s3_lpa_store_static_eu_west_1.encryption_kms_key.arn
}],
local.cross_account_s3_replica_config)
replication_kms_key_arns = [
module.s3_replica_kms_key.eu_west_1.arn,
module.s3_replica_kms_key.eu_west_2.arn
module.s3_lpa_store_static_eu_west_1.encryption_kms_key.arn
]
s3_access_logging_bucket = "s3-access-logs-opg-lpa-store-${local.environment.account_name}-eu-west-2"
s3_replication_role = aws_iam_role.s3_replication_role
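Review bot: Each bucket module's `replication_kms_key_arns` now lists only the in-account peer bucket's key, yet the same module's replica configuration is still `concat`ed with `local.cross_account_s3_replica_config`, whose destinations carry their own `kms_key_arn` values; if the module's `s3:x-amz-server-side-encryption-aws-kms-key-id` condition is meant to be the allow-list for replication writes, those cross-account destination keys are no longer in it unless `s3_cross_account_backup` grants them separately, which is not visible in this commit. Worth confirming before this reaches an environment that populates the cross-account config. A short comment above each list would save the next reader the same question, e.g. `# Only the in-account peer key is listed; the bucket module appends its own key, and cross-account destination keys are granted elsewhere.` (adjusted once confirmed).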
2 changes: 1 addition & 1 deletion terraform/modules/s3_cross_account_backup/iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ resource "aws_iam_role_policy_attachment" "cross_account_policy_attachment" {
}

resource "aws_iam_policy" "cross_account_backup_policy" {
name = "cross-account-s3-backu-policy-${var.environment_name}"
name = "cross-account-s3-backup-policy-${var.environment_name}"
description = "IAM Policy for s3 replication in ${var.environment_name}"
policy = data.aws_iam_policy_document.cross_account_policy.json
provider = aws.source-account
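Review bot: Changing `name` on `aws_iam_policy.cross_account_backup_policy` is not an in-place rename: the provider forces a destroy-and-recreate of the policy, and with it the `aws_iam_role_policy_attachment.cross_account_policy_attachment` shown above, so the replication role is without these permissions for the duration of the apply and replication attempts in that window presumably fail. If a gap is unacceptable, add `lifecycle { create_before_destroy = true }` to both resources (the new name does not collide with the old one, so the overlap is safe) or schedule the apply accordingly. The commit message should call out the replacement so whoever applies it expects the plan to show a destroy.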
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,29 @@ data "aws_iam_policy_document" "replication_role_s3_permissions" {
condition {
test = "StringLikeIfExists"
variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
values = var.replication_kms_key_arns
values = concat(var.replication_kms_key_arns, [aws_kms_key.s3.arn])
}
resources = ["${aws_s3_bucket.bucket.arn}/*"]
}
statement {
sid = "AllowKeysEncryptDecryptForS3CrossRegion"
effect = "Allow"
actions = [
"kms:Decrypt",
"kms:Encrypt"
]

condition {
test = "StringLike"
variable = "kms:ViaService"

values = [
"s3.eu-west-1.amazonaws.com",
"s3.eu-west-2.amazonaws.com",
]
}
resources = [
aws_kms_key.s3.arn
]
}
}
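Review bot: The new `AllowKeysEncryptDecryptForS3CrossRegion` statement lets the replication role use this bucket's key for any S3 request in either region, because `kms:ViaService` only constrains the calling service, not which bucket or object the key is being used for; a `kms:EncryptionContext:aws:s3:arn` condition bound to this bucket is the usual way to stop an over-broad or compromised role from decrypting other data encrypted under the same key. The rewritten statement is below; S3 sets the context to the bucket ARN when Bucket Keys are enabled and to the object ARN otherwise, so both patterns are listed — confirm against the bucket's `bucket_key_enabled` setting. Separately, the updated `s3:x-amz-server-side-encryption-aws-kms-key-id` condition keeps `StringLikeIfExists`, which still admits replication writes carrying no KMS key id at all, so the concatenated allow-list only bites when the header is present; if the intent is to require one of the listed keys, `StringLike` is the stricter test. The enclosing `replication_role_s3_permissions` document starts above the hunk.
```hcl
  statement {
    sid    = "AllowKeysEncryptDecryptForS3CrossRegion"
    # … unchanged: effect, actions, kms:ViaService condition …
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values = [
        aws_s3_bucket.bucket.arn,        # S3 Bucket Keys: context is the bucket ARN
        "${aws_s3_bucket.bucket.arn}/*", # per-object keys: context is the object ARN
      ]
    }
    resources = [
      aws_kms_key.s3.arn
    ]
  }
```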
4 changes: 4 additions & 0 deletions terraform/modules/s3_multi_region_replica_bucket/outputs.tf
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
output "bucket" {
value = aws_s3_bucket.bucket
}

output "encryption_kms_key" {
value = aws_kms_key.s3
}
43 changes: 0 additions & 43 deletions terraform/modules/s3_multi_region_replica_key/cross_region_iam.tf

This file was deleted.

42 changes: 0 additions & 42 deletions terraform/modules/s3_multi_region_replica_key/cross_region_kms.tf

This file was deleted.

3 changes: 0 additions & 3 deletions terraform/modules/s3_multi_region_replica_key/data_sources.tf

This file was deleted.

7 changes: 0 additions & 7 deletions terraform/modules/s3_multi_region_replica_key/outputs.tf

This file was deleted.

13 changes: 0 additions & 13 deletions terraform/modules/s3_multi_region_replica_key/terraform.tf

This file was deleted.

13 changes: 0 additions & 13 deletions terraform/modules/s3_multi_region_replica_key/variables.tf

This file was deleted.
