Merge pull request #684 from NHSDigital/feature/axkr1-NRL-846-shared-…

…authorization-bucket-policy NRL-846 Use the auth store policy for lambdas
NHSDigital · Jul 9, 2024 · f63fb02 · f63fb02
2 parents c77609e + 99709e9
commit f63fb02
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 53 deletions.
diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf
@@ -10,6 +10,6 @@ variable "dev_api_domain_name" {
 }
 
 variable "devsandbox_api_domain_name" {
-  description = "The internal DNS name of the API Gateway for the dev environment"
+  description = "The internal DNS name of the API Gateway for the dev sandbox environment"
   default     = "dev-sandbox.api.record-locator.dev.national.nhs.uk"
 }
diff --git a/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf b/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf
@@ -11,7 +11,8 @@ resource "aws_iam_policy" "read-s3-authorization-store" {
         ]
         Effect = "Allow"
         Resource = [
-          aws_s3_bucket.authorization-store.arn
+          aws_s3_bucket.authorization-store.arn,
+          "${aws_s3_bucket.authorization-store.arn}/*",
         ]
       },
     ]

diff --git a/terraform/infrastructure/data.tf b/terraform/infrastructure/data.tf
@@ -10,6 +10,11 @@ data "aws_s3_bucket" "authorization-store" {
   bucket = "${local.shared_prefix}-authorization-store"
 }
 
+data "aws_iam_policy" "auth-store-read-policy" {
+  count = var.use_shared_resources ? 1 : 0
+  name  = "${local.shared_prefix}-read-s3-authorization-store"
+}
+
 data "aws_dynamodb_table" "pointers-table" {
   count = var.use_shared_resources ? 1 : 0
   name  = "${local.shared_prefix}-pointers-table"

diff --git a/terraform/infrastructure/lambda.tf b/terraform/infrastructure/lambda.tf
@@ -17,7 +17,8 @@ module "consumer__readDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -44,7 +45,8 @@ module "consumer__countDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -71,7 +73,8 @@ module "consumer__searchDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -98,7 +101,8 @@ module "consumer__searchPostDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -126,7 +130,8 @@ module "producer__createDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -154,7 +159,8 @@ module "producer__deleteDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -181,7 +187,8 @@ module "producer__readDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -208,7 +215,8 @@ module "producer__searchDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -235,7 +243,8 @@ module "producer__searchPostDocumentReference" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -263,7 +272,8 @@ module "producer__updateDocumentReference" {
   additional_policies = [
     local.pointers_table_read_policy_arn,
     local.pointers_table_write_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -291,7 +301,8 @@ module "producer__upsertDocumentReference" {
   additional_policies = [
     local.pointers_table_write_policy_arn,
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -319,7 +330,8 @@ module "consumer__status" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription
@@ -348,7 +360,8 @@ module "producer__status" {
   }
   additional_policies = [
     local.pointers_table_read_policy_arn,
-    local.pointers_kms_read_write_arn
+    local.pointers_kms_read_write_arn,
+    local.auth_store_read_policy_arn
   ]
   firehose_subscriptions = [
     module.firehose__processor.firehose_subscription

diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf
@@ -35,8 +35,8 @@ locals {
 
   aws_account_id = data.aws_caller_identity.current.account_id
 
-  auth_store_id  = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
-  auth_store_arn = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].arn : module.ephemeral-s3-permission-store[0].bucket_arn
+  auth_store_id              = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
+  auth_store_read_policy_arn = var.use_shared_resources ? data.aws_iam_policy.auth-store-read-policy[0].arn : module.ephemeral-s3-permission-store[0].bucket_read_policy_arn
 
   pointers_table_name             = var.use_shared_resources ? data.aws_dynamodb_table.pointers-table[0].name : module.ephemeral-pointers-table[0].table_name
   pointers_table_read_policy_arn  = var.use_shared_resources ? data.aws_iam_policy.pointers-table-read[0].arn : module.ephemeral-pointers-table[0].read_policy_arn

diff --git a/terraform/infrastructure/modules/permissions-store-bucket/iam.tf b/terraform/infrastructure/modules/permissions-store-bucket/iam.tf
@@ -11,7 +11,8 @@ resource "aws_iam_policy" "read-s3-authorization-store" {
         ]
         Effect = "Allow"
         Resource = [
-          aws_s3_bucket.authorization-store.arn
+          aws_s3_bucket.authorization-store.arn,
+          "${aws_s3_bucket.authorization-store.arn}/*",
         ]
       },
     ]

diff --git a/terraform/infrastructure/s3.tf b/terraform/infrastructure/s3.tf