feat: add dynamic s3Locations statements to allow oidc roles access to specified s3 paths (#6567)

* feat: add dynamic `s3Locations` statements to allow oidc roles access to specified s3 paths

Required for `analytics-platform-helm-charts` role to deposit artefacts

* fix: add empty `s3Locations` list to roles maps
tom-webber authored Jan 16, 2025
1 parent 03a422b commit f4bd0de
Showing 2 changed files with 56 additions and 0 deletions.
Expand Up @@ -7,6 +7,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/moj-data-transfer-api"],
"targets": [
"analytical-platform-data-production",
Expand All @@ -24,6 +25,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/data-engineering-pulumi-components"],
"targets": ["analytical-platform-data-engineering-sandbox-a"],
"stateLockingDetails": [],
Expand All @@ -42,6 +44,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/register-my-data"],
"targets": [
"analytical-platform-data-engineering-production",
Expand All @@ -63,6 +66,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/data-engineering-airflow"],
"targets": [
"analytical-platform-data-engineering-production",
Expand All @@ -79,6 +83,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/analytical-platform-uploader"],
"targets": [
"analytical-platform-data-engineering-production",
Expand All @@ -104,6 +109,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/analytical-platform-data-engineering"],
"targets": [
"analytical-platform-data-production",
Expand All @@ -120,6 +126,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/analytical-platform-data-engineering"],
"targets": ["analytical-platform-data-engineering-sandbox-a"],
"stateLockingDetails": [],
Expand All @@ -133,6 +140,7 @@
"stateBucketKey": "pulumi-oidc-test/.pulumi/"
}
],
"s3Locations": [],
"repositories": ["moj-analytical-services/pulumi-oidc-test"],
"targets": ["analytical-platform-data-engineering-sandbox-a"],
"stateLockingDetails": [],
Expand All @@ -141,6 +149,7 @@
"lookup-offence-sandbox": {
"account": "analytical-platform-data-engineering-sandbox-a",
"stateConfig": [],
"s3Locations": [],
"repositories": ["ministryofjustice/lookup-offence-sandbox"],
"targets": ["analytical-platform-data-engineering-sandbox-a"],
"stateLockingDetails": [],
Expand All @@ -149,6 +158,7 @@
"create-a-derived-table": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["moj-analytical-services/create-a-derived-table"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
Expand All @@ -157,6 +167,7 @@
"lookup-offence": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["moj-analytical-services/lookup_offence"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
Expand All @@ -165,6 +176,7 @@
"data-platform-apps": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [],
"repositories": [
"ministryofjustice/hmpps-hr-dashboard",
"ministryofjustice/ltc-capabilites-app",
Expand All @@ -180,6 +192,7 @@
"modernisation-platform-lake-formation-share": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["ministryofjustice/modernisation-platform-environments"],
"targets": [],
"stateLockingDetails": [],
Expand All @@ -189,6 +202,7 @@
"data-discovery": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["moj-analytical-services/data-discovery"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
Expand All @@ -197,6 +211,12 @@
"analytics-platform-helm-charts": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [
{
"bucket": "moj-analytics-helm-repo",
"keys": [""]
}
],
"repositories": ["ministryofjustice/analytics-platform-helm-charts"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
Expand All @@ -205,6 +225,7 @@
"data-engineering-cleanup": {
"account": "analytical-platform-data-engineering-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["ministryofjustice/data-engineering-cleanup"],
"targets": [
"analytical-platform-data-engineering-production",
Expand All @@ -221,6 +242,7 @@
"airflow-contracts-etl": {
"account": "analytical-platform-data-engineering-production",
"stateConfig": [],
"s3Locations": [],
"repositories": ["moj-analytical-services/airflow-contracts-etl"],
"targets": [
"analytical-platform-data-engineering-production",
Expand All @@ -237,6 +259,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": ["ministryofjustice/create-a-derived-table-infrastructure"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
Expand All @@ -250,6 +273,7 @@
"stateBucketKey": ".pulumi/"
}
],
"s3Locations": [],
"repositories": [
"moj-analytical-services/data-engineering-database-access"
],
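--- a/terraform/aws/analytical-platform/oidc/oidc-roles.tf
+++ b/terraform/aws/analytical-platform/oidc/oidc-roles.tf
@@ -46,6 +46,38 @@ data "aws_iam_policy_document" "github_oidc_role" {
 resources = ["arn:aws:s3:::${statement.value.stateBucket}${statement.value.stateBucketKey}*"]
 }
 }
+dynamic "statement" {
+for_each = each.value.s3Locations
+
+content {
+sid = "AllowS3LocationRead"
+effect = "Allow"
+actions = [
+"s3:Get*",
+"s3:List*"
+]
+resources = [
+"arn:aws:s3:::${statement.value.bucket}"
+]
+}
+}
+dynamic "statement" {
+for_each = each.value.s3Locations
+
+content {
+#checkov:skip=CKV_AWS_111: skip requires access to multiple resources
+sid = "AllowS3LocationWrite"
+effect = "Allow"
+actions = [
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:DeleteObject"
+]
+resources = [
+for key in statement.value.keys : "arn:aws:s3:::${statement.value.bucket}/${key}*"
+]
+}
+}
 dynamic "statement" {
 for_each = each.value.stateLockingDetails
 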
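Review bot: The `keys` scoping is applied only to the write statement; the read statement grants `s3:Get*` and `s3:List*` on the bare bucket ARN, which lets the role list every prefix in the bucket and read bucket configuration (policy, ACL, CORS, …) irrespective of `keys`, while object reads are not granted at all because `s3:GetObject` is evaluated against `bucket/key` ARNs. Both new statements also hard-code their `sid`, so a role with two entries in `s3Locations` yields duplicate Sids in one policy, which IAM rejects; suffixing with `${statement.key}` keeps them unique. With `keys` set to `[""]`, as the helm-charts role does, the write resource collapses to `arn:aws:s3:::moj-analytics-helm-repo/*`, so combined with `s3:PutObjectAcl` and `s3:DeleteObject` it is full write/delete on the bucket — exactly the unconstrained write the skipped `CKV_AWS_111` check flags — and `s3:PutObjectAcl` should go unless the bucket still honours object ACLs. I would narrow the read statement to `s3:ListBucket` with an `s3:prefix` condition built from `keys`, add an object-read statement on the keyed object ARNs if reads are actually needed, and make the Sids unique, as below. The enclosing `github_oidc_role` policy document starts before and ends after this hunk.
```hcl
  dynamic "statement" {
    for_each = each.value.s3Locations

    content {
      # statement.key keeps Sids unique when a role declares several s3Locations
      sid       = "AllowS3LocationList${statement.key}"
      effect    = "Allow"
      actions   = ["s3:ListBucket"]
      resources = ["arn:aws:s3:::${statement.value.bucket}"]
      # restrict listing to the configured prefixes (an empty key still means the whole bucket)
      condition {
        test     = "StringLike"
        variable = "s3:prefix"
        values   = [for key in statement.value.keys : "${key}*"]
      }
    }
  }
  dynamic "statement" {
    for_each = each.value.s3Locations

    content {
      sid     = "AllowS3LocationRead${statement.key}"
      effect  = "Allow"
      actions = ["s3:GetObject"]
      resources = [
        for key in statement.value.keys : "arn:aws:s3:::${statement.value.bucket}/${key}*"
      ]
    }
  }
  # … unchanged: write statement, except sid = "AllowS3LocationWrite${statement.key}" and "s3:PutObjectAcl" removed …
```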

0 comments on commit f4bd0de
