From 14842c041e2d128591f6736ae301c9fb352dd4b2 Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 20 Jul 2023 18:17:01 +0100
Subject: [PATCH] IAM policy, role etc. for database backup/restore jobs.

---
 .../db_backup_s3.tf | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 terraform/deployments/govuk-publishing-infrastructure/db_backup_s3.tf

diff --git a/terraform/deployments/govuk-publishing-infrastructure/db_backup_s3.tf b/terraform/deployments/govuk-publishing-infrastructure/db_backup_s3.tf
new file mode 100644
index 000000000..8c4a84d2c
--- /dev/null
+++ b/terraform/deployments/govuk-publishing-infrastructure/db_backup_s3.tf
@@ -0,0 +1,45 @@
+locals {
+ db_backup_service_account_name = "db-backup"
+}
+
+module "db_backup_iam_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.20"
+
+ role_name = "${local.db_backup_service_account_name}-${data.terraform_remote_state.cluster_infrastructure.outputs.cluster_id}"
+ role_description = "Role for database backup jobs. Corresponds to ${local.db_backup_service_account_name} k8s ServiceAccount."
+ max_session_duration = 14400
+
+ role_policy_arns = { policy = aws_iam_policy.db_backup_s3.arn }
+ oidc_providers = {
+ main = {
+ provider_arn = data.terraform_remote_state.cluster_infrastructure.outputs.cluster_oidc_provider_arn
+ namespace_service_accounts = ["apps:${local.db_backup_service_account_name}"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "db_backup_s3" {
+ statement {
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:ListBucket",
+ ]
+ resources = ["arn:aws:s3:::govuk-${var.govuk_environment}-database-backups"]
+ }
+ statement {
+ actions = [
+ "s3:*MultipartUpload*",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:GetObject*Attributes",
+ ]
+ resources = ["arn:aws:s3:::govuk-${var.govuk_environment}-database-backups/*"]
+ }
+}
+
+resource "aws_iam_policy" "db_backup_s3" {
+ name = "db_backup_s3"
+ description = "Permissions over this environment's govuk-*-database-backups bucket."
+ policy = data.aws_iam_policy_document.db_backup_s3.json
+}
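Review bot: The object-level statement in `aws_iam_policy_document.db_backup_s3` uses wildcard actions (`"s3:*MultipartUpload*"`, `"s3:GetObject*Attributes"`), which grants every current and future S3 action matching the pattern rather than the few the job needs; least privilege is easier to audit with an explicit list, e.g. `"s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:GetObjectAttributes"`. Separately, `s3:PutObject` on `.../database-backups/*` with no condition lets a compromised backup pod overwrite earlier backups, so it is worth a comment stating whether the bucket (defined elsewhere, not in this hunk) relies on versioning or Object Lock to make that harmless. Finally, `aws_iam_policy` is named `db_backup_s3` with no cluster suffix while `role_name` embeds `cluster_id`; if more than one cluster can share an account, the second apply would fail on the duplicate policy name — consider `name = "${local.db_backup_service_account_name}-s3-${data.terraform_remote_state.cluster_infrastructure.outputs.cluster_id}"` or a comment recording why one policy per account is intended.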