From 4fcfb211aa75a8d66f8991c7d39c3fcfd20a89eb Mon Sep 17 00:00:00 2001
From: Alex Saunders <acsauk@gmail.com>
Date: Fri, 29 Sep 2023 10:46:22 +0100
Subject: [PATCH] MLPAB-1375: Tag evidence on upload (#736)

---
 internal/page/donor/upload_evidence.go                         | 1 +
 internal/page/donor/upload_evidence_test.go                    | 2 ++
 terraform/environment/region/modules/app/ecs.tf                | 1 +
 terraform/environment/region/modules/uploads_s3_bucket/main.tf | 1 +
 4 files changed, 5 insertions(+)

diff --git a/internal/page/donor/upload_evidence.go b/internal/page/donor/upload_evidence.go
index f04d2c8b77..b429148b1b 100644
--- a/internal/page/donor/upload_evidence.go
+++ b/internal/page/donor/upload_evidence.go
@@ -60,6 +60,7 @@ func UploadEvidence(tmpl template.Template, payer Payer, donorStore DonorStore,
 						Key:                  aws.String(key),
 						Body:                 bytes.NewReader(file.Data),
 						ServerSideEncryption: types.ServerSideEncryptionAwsKms,
+						Tagging:              aws.String("replicate=true"),
 					})
 					if err != nil {
 						return err
diff --git a/internal/page/donor/upload_evidence_test.go b/internal/page/donor/upload_evidence_test.go
index c9012e1a35..326169a6a4 100644
--- a/internal/page/donor/upload_evidence_test.go
+++ b/internal/page/donor/upload_evidence_test.go
@@ -75,6 +75,7 @@ func TestPostUploadEvidence(t *testing.T) {
 		On("PutObject", r.Context(), mock.MatchedBy(func(input *s3.PutObjectInput) bool {
 			return assert.Equal(t, aws.String("bucket-name"), input.Bucket) &&
 				assert.Equal(t, aws.String("lpa-uid-evidence-a-uid"), input.Key) &&
+				assert.Equal(t, aws.String("replicate=true"), input.Tagging) &&
 				assert.Equal(t, types.ServerSideEncryptionAwsKms, input.ServerSideEncryption)
 		})).
 		Return(nil, nil)
@@ -82,6 +83,7 @@ func TestPostUploadEvidence(t *testing.T) {
 		On("PutObject", r.Context(), mock.MatchedBy(func(input *s3.PutObjectInput) bool {
 			return assert.Equal(t, aws.String("bucket-name"), input.Bucket) &&
 				assert.Equal(t, aws.String("lpa-uid-evidence-a-uid"), input.Key) &&
+				assert.Equal(t, aws.String("replicate=true"), input.Tagging) &&
 				assert.Equal(t, types.ServerSideEncryptionAwsKms, input.ServerSideEncryption)
 		})).
 		Return(nil, nil)
diff --git a/terraform/environment/region/modules/app/ecs.tf b/terraform/environment/region/modules/app/ecs.tf
index ef41486a79..380241667a 100644
--- a/terraform/environment/region/modules/app/ecs.tf
+++ b/terraform/environment/region/modules/app/ecs.tf
@@ -265,6 +265,7 @@ data "aws_iam_policy_document" "task_role_access_policy" {
     effect = "Allow"
     actions = [
       "s3:PutObject",
+      "s3:PutObjectTagging",
       "s3:DeleteObject",
     ]
     resources = [
diff --git a/terraform/environment/region/modules/uploads_s3_bucket/main.tf b/terraform/environment/region/modules/uploads_s3_bucket/main.tf
index 1bd1669c33..86bae9e0dd 100644
--- a/terraform/environment/region/modules/uploads_s3_bucket/main.tf
+++ b/terraform/environment/region/modules/uploads_s3_bucket/main.tf
@@ -99,5 +99,6 @@ data "aws_iam_policy_document" "bucket" {
       identifiers = ["*"]
     }
   }
+
   provider = aws.region
 }