use account level role (#1021)

Co-authored-by: Alex Saunders <[email protected]>

terraform/environment/region/modules/uploads_s3_bucket/README.md

@@ -28,7 +28,6 @@ This module creates an S3 bucket for storing uploads, triggers for virus scannin
 |------|------|
 | [aws_cloudwatch_metric_alarm.replication-failed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_iam_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.scheduler_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.s3_create_batch_replication_jobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scheduler_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -50,12 +49,12 @@ This module creates an S3 bucket for storing uploads, triggers for virus scannin
 | [aws_ssm_parameter.s3_batch_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
-| [aws_iam_policy_document.assume_replication_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_create_batch_replication_jobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.scheduler_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.scheduler_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
 | [aws_kms_alias.cloudwatch_application_logs_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 | [aws_kms_alias.reduced_fees_uploads_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

terraform/environment/region/modules/uploads_s3_bucket/lambda.tf

@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "s3_create_batch_replication_jobs" {
     sid    = "Passrole"
     effect = "Allow"
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${data.aws_default_tags.current.tags.environment-name}-reduced-fees-uploads-replication",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/reduced-fees-uploads-replication",
     ]
     actions = [
       "iam:GetRole",

terraform/environment/region/modules/uploads_s3_bucket/s3_object_replication.tf

@@ -1,27 +1,8 @@
-data "aws_iam_policy_document" "assume_replication_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-      identifiers = [
-        "s3.amazonaws.com",
-        "batchoperations.s3.amazonaws.com"
-      ]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
+data "aws_iam_role" "replication" {
+  name     = "reduced-fees-uploads-replication"
   provider = aws.region
 }
 
-resource "aws_iam_role" "replication" {
-  name               = "${data.aws_default_tags.current.tags.environment-name}-reduced-fees-uploads-replication"
-  assume_role_policy = data.aws_iam_policy_document.assume_replication_role.json
-  provider           = aws.region
-}
-
-
 data "aws_iam_policy_document" "replication" {
 
   statement {
@@ -117,14 +98,14 @@ resource "aws_iam_policy" "replication" {
 }
 
 resource "aws_iam_role_policy_attachment" "replication" {
-  role       = aws_iam_role.replication.name
+  role       = data.aws_iam_role.replication.name
   policy_arn = aws_iam_policy.replication.arn
   provider   = aws.region
 }
 
 resource "aws_s3_bucket_replication_configuration" "replication" {
   depends_on = [aws_s3_bucket_versioning.bucket_versioning]
-  role       = aws_iam_role.replication.arn
+  role       = data.aws_iam_role.replication.arn
   bucket     = aws_s3_bucket.bucket.id
 
   rule {
@@ -191,7 +172,7 @@ resource "aws_ssm_parameter" "s3_batch_configuration" {
     "aws_account_id" : data.aws_caller_identity.current.account_id,
     "report_and_manifests_bucket" : "arn:aws:s3:::batch-manifests-${data.aws_default_tags.current.tags.application}-${data.aws_default_tags.current.tags.account-name}-${data.aws_region.current.name}",
     "source_bucket" : aws_s3_bucket.bucket.arn,
-    "role_arn" : aws_iam_role.replication.arn,
+    "role_arn" : data.aws_iam_role.replication.arn,
     "aws_region" : data.aws_region.current.name,
   })
   provider = aws.region