From 48e991fdf9a4d6f4971ed91e4b2aa5ee96dd34c8 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Thu, 5 Oct 2023 14:03:42 +0100
Subject: [PATCH] create a gateway endpoint for s3

---
 terraform/account/region/vpc_endpoints.tf | 32 +++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/terraform/account/region/vpc_endpoints.tf b/terraform/account/region/vpc_endpoints.tf
index 0b88f30097..b2dcbb4b7a 100644
--- a/terraform/account/region/vpc_endpoints.tf
+++ b/terraform/account/region/vpc_endpoints.tf
@@ -67,3 +67,35 @@ resource "aws_vpc_endpoint_policy" "ec2" {
 ]
 })
 }
+
+data "aws_route_tables" "public" {
+ provider = aws.region
+ filter {
+ name = "tag:Name"
+ values = ["public-route-table"]
+ }
+}
+
+resource "aws_vpc_endpoint" "s3" {
+ provider = aws.region
+ count = 3
+ vpc_id = module.network.vpc.id
+ service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
+ route_table_ids = tolist(data.aws_route_tables.public.ids)
+ vpc_endpoint_type = "Gateway"
+ policy = data.aws_iam_policy_document.s3_vpc_endpoint.json
+ tags = { "Name" = "public.${data.aws_default_tags.current.tags.account-name}" }
+}
+
+data "aws_iam_policy_document" "s3_vpc_endpoint" {
+ provider = aws.region
+ statement {
+ sid = "S3VpcEndpointPolicy"
+ actions = ["*"]
+ resources = ["*"]
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ }
+}
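Review bot: `count = 3` on `aws_vpc_endpoint.s3` creates three gateway endpoints that all associate the same `route_table_ids`; a route table can only carry one route to the S3 prefix list, so the second and third instances will most likely fail on apply with a route conflict — gateway endpoints are not per-AZ, so a single instance (drop the `count` line) is what is wanted. `data.aws_route_tables.public` filters on `tag:Name` alone and can match a route table from another VPC in the region, which would also make the association fail; `vpc_id = module.network.vpc.id` pins the lookup to the endpoint's VPC. The `s3_vpc_endpoint` document (`*` actions, `*` resources, `*` principals) is equivalent to the default full-access endpoint policy, so the endpoint is an unrestricted route to any S3 bucket; if an explicit policy is the intent, a `condition` on `aws:ResourceAccount` (or `aws:PrincipalOrgID`) confines it to the account's own buckets, and that is the usual control against data leaving through the endpoint. Before adding that condition, check which AWS-owned or third-party buckets the workloads depend on (e.g. ECR image layers, package mirrors), since those need their own statement. The rewritten lines are below; `data.aws_caller_identity.current` must already exist or be declared alongside.
```hcl
data "aws_route_tables" "public" {
  provider = aws.region
  vpc_id   = module.network.vpc.id
  # … unchanged: tag:Name filter …
}

resource "aws_vpc_endpoint" "s3" {
  provider = aws.region
  # count removed: one gateway endpoint per VPC and service; each route table takes a single S3 prefix-list route
  # … unchanged: vpc_id, service_name, route_table_ids, vpc_endpoint_type, policy, tags …
}

data "aws_iam_policy_document" "s3_vpc_endpoint" {
  provider = aws.region
  statement {
    # … unchanged: sid, actions, resources, principals …
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceAccount"
      values   = [data.aws_caller_identity.current.account_id] # requires an aws_caller_identity data source if not already declared
    }
  }
}
```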