
Merge pull request #916 from alphagov/sengi/write-s3-backups
IAM policy, role etc. for database backup/restore jobs.
sengi authored Jul 21, 2023
2 parents a1033cf + 14842c0 commit 4c37f37
Showing 1 changed file with 45 additions and 0 deletions.
@@ -0,0 +1,45 @@
locals {
db_backup_service_account_name = "db-backup"
}

module "db_backup_iam_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "~> 5.20"

role_name = "${local.db_backup_service_account_name}-${data.terraform_remote_state.cluster_infrastructure.outputs.cluster_id}"
role_description = "Role for database backup jobs. Corresponds to ${local.db_backup_service_account_name} k8s ServiceAccount."
max_session_duration = 14400

role_policy_arns = { policy = aws_iam_policy.db_backup_s3.arn }
oidc_providers = {
main = {
provider_arn = data.terraform_remote_state.cluster_infrastructure.outputs.cluster_oidc_provider_arn
namespace_service_accounts = ["apps:${local.db_backup_service_account_name}"]
}
}
}

data "aws_iam_policy_document" "db_backup_s3" {
statement {
actions = [
"s3:GetBucketLocation",
"s3:ListBucket",
]
resources = ["arn:aws:s3:::govuk-${var.govuk_environment}-database-backups"]
}
statement {
actions = [
"s3:*MultipartUpload*",
"s3:GetObject",
"s3:PutObject",
"s3:GetObject*Attributes",
]
resources = ["arn:aws:s3:::govuk-${var.govuk_environment}-database-backups/*"]
}
}

resource "aws_iam_policy" "db_backup_s3" {
name = "db_backup_s3"
description = "Permissions over this environment's govuk-*-database-backups bucket."
policy = data.aws_iam_policy_document.db_backup_s3.json
}
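Review bot: The second statement in `aws_iam_policy_document.db_backup_s3` grants `s3:PutObject` on every key in the bucket, so a compromised backup pod can overwrite (and via `s3:GetObject`, read) every existing backup, not just write new ones; whether that is recoverable depends on bucket versioning or Object Lock, which this file does not show. If backup and restore run as separate jobs, consider splitting this into a write-only role for backup and a read-only role for restore, or at least document the reliance on versioning with a comment such as `# PutObject covers the whole bucket; overwrite protection relies on bucket versioning/Object Lock (configured elsewhere).` Separately, the `aws_iam_policy` name `"db_backup_s3"` has no cluster or environment suffix, unlike the role name on line 23, so a second cluster in the same account would collide; `name = "db_backup_s3-${data.terraform_remote_state.cluster_infrastructure.outputs.cluster_id}"` would match the role. If the bucket uses SSE-KMS the job will also need the matching `kms:Decrypt`/`kms:GenerateDataKey` grants, which are absent here — confirm against the bucket definition.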
