MLPAB-1470 - Create gateway endpoints for DynamoDB and S3 (#778)

* create endpoint in app subnet * upgrade lock * add ddb vpce * add s3 endpoint * add ecr endpoints * add policy conditions to allow ECR access via VPCe
ministryofjustice · Nov 2, 2023 · abb6cf7 · abb6cf7
1 parent c438826
commit abb6cf7
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 85 deletions.
diff --git a/terraform/account/.terraform.lock.hcl b/terraform/account/.terraform.lock.hcl
diff --git a/terraform/account/region/vpc_endpoints.tf b/terraform/account/region/vpc_endpoints.tf
@@ -31,8 +31,8 @@ resource "aws_security_group_rule" "vpc_endpoints_public_subnet_ingress" {
 locals {
   interface_endpoint = toset([
     "ec2",
-    # "ecr.api",
-    # "ecr.dkr",
+    "ecr.api",
+    "ecr.dkr",
     "execute-api",
     "events",
     "logs",
@@ -78,67 +78,71 @@ resource "aws_vpc_endpoint_policy" "private" {
   })
 }
 
-data "aws_route_tables" "public" {
+data "aws_route_tables" "application" {
   provider = aws.region
   filter {
     name   = "tag:Name"
-    values = ["public-route-table"]
+    values = ["application-route-table"]
   }
 }
 
-# resource "aws_vpc_endpoint" "s3" {
-#   provider          = aws.region
-#   vpc_id            = module.network.vpc.id
-#   service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
-#   route_table_ids   = tolist(data.aws_route_tables.public.ids)
-#   vpc_endpoint_type = "Gateway"
-#   policy            = data.aws_iam_policy_document.s3_vpc_endpoint.json
-#   tags              = { Name = "s3-private-${data.aws_region.current.name}" }
-# }
+resource "aws_vpc_endpoint" "s3" {
+  provider          = aws.region
+  vpc_id            = module.network.vpc.id
+  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
+  route_table_ids   = tolist(data.aws_route_tables.application.ids)
+  vpc_endpoint_type = "Gateway"
+  policy            = data.aws_iam_policy_document.s3.json
+  tags              = { Name = "s3-private-${data.aws_region.current.name}" }
+}
 
-# data "aws_iam_policy_document" "s3_vpc_endpoint" {
-#   provider = aws.region
-#   statement {
-#     sid       = "S3VpcEndpointPolicy"
-#     actions   = ["s3:*"]
-#     resources = ["*"]
-#     principals {
-#       type        = "AWS"
-#       identifiers = ["*"]
-#     }
-#     condition {
-#       test     = "StringEquals"
-#       variable = "aws:PrincipalAccount"
-#       values   = [data.aws_caller_identity.current.account_id]
-#     }
-#   }
-# }
+resource "aws_vpc_endpoint" "dynamodb" {
+  provider          = aws.region
+  vpc_id            = module.network.vpc.id
+  service_name      = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
+  route_table_ids   = tolist(data.aws_route_tables.application.ids)
+  vpc_endpoint_type = "Gateway"
+  policy            = data.aws_iam_policy_document.allow_account_access.json
+  tags              = { Name = "dynamodb-private-${data.aws_region.current.name}" }
+}
 
-# resource "aws_vpc_endpoint" "dynamodb" {
-#   provider          = aws.region
-#   vpc_id            = module.network.vpc.id
-#   service_name      = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
-#   route_table_ids   = tolist(data.aws_route_tables.public.ids)
-#   vpc_endpoint_type = "Gateway"
-#   policy            = data.aws_iam_policy_document.dynamodb_vpc_endpoint.json
-#   tags              = { Name = "dynamodb-private-${data.aws_region.current.name}" }
-# }
 
-# data "aws_iam_policy_document" "dynamodb_vpc_endpoint" {
-#   provider = aws.region
-#   statement {
-#     sid       = "DynamoDBVpcEndpointPolicy"
-#     effect    = "Allow"
-#     actions   = ["dynamodb:*"]
-#     resources = ["*"]
-#     principals {
-#       type        = "AWS"
-#       identifiers = ["*"]
-#     }
-#     condition {
-#       test     = "StringEquals"
-#       variable = "aws:PrincipalAccount"
-#       values   = [data.aws_caller_identity.current.account_id]
-#     }
-#   }
-# }
+
+data "aws_iam_policy_document" "allow_account_access" {
+  provider = aws.region
+  statement {
+    sid       = "Allow-callers-from-specific-account"
+    effect    = "Allow"
+    actions   = ["*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "s3" {
+  source_policy_documents = [
+    data.aws_iam_policy_document.allow_account_access.json,
+    data.aws_iam_policy_document.s3_bucket_access.json,
+  ]
+}
+
+data "aws_iam_policy_document" "s3_bucket_access" {
+  statement {
+    sid       = "Access-to-specific-bucket-only"
+    effect    = "Allow"
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::prod-${data.aws_region.current.name}-starport-layer-bucket/*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl
diff --git a/terraform/environment/region/iam_execution_policy.tf b/terraform/environment/region/iam_execution_policy.tf
@@ -23,6 +23,7 @@ data "aws_iam_policy_document" "execution_role_region" {
       "secretsmanager:GetSecretValue",
     ]
   }
+
   statement {
     effect = "Allow"
 
@@ -39,5 +40,6 @@ data "aws_iam_policy_document" "execution_role_region" {
       "kms:DescribeKey",
     ]
   }
+
   provider = aws.global
 }