From e938c9afc6e0db2ebb5b233bca76ed6986c8fe7f Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 13 Nov 2024 16:57:51 +0000
Subject: [PATCH 1/3] Adding KMS key Amending mojap-land-dev
Signed-off-by: Jacob Woffenden
---
 .../.terraform.lock.hcl | 1 +
 .../data-engineering-pipelines/kms-keys.tf | 29 +++++++++++++++++++
 .../data-engineering-pipelines/locals.tf | 17 +++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/.terraform.lock.hcl b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/.terraform.lock.hcl
index 34ab6c5ed1..91504bfae6 100644
--- a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/.terraform.lock.hcl
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/.terraform.lock.hcl
@@ -7,6 +7,7 @@ provider "registry.terraform.io/hashicorp/aws" {
 hashes = [
 "h1:PIBnv1Mi0tX2GF6qUSdps3IouABeTqVgJZ4aAzIVzdI=",
 "h1:fr252BPFVqsCcVoLMN4PTVacXmrW3pbMlK1ibi/wHiU=",
+ "h1:ijX5mwbQZOnPVQGxxVsJs6Yh6h2w+V3mQmKznB6pIkw=",
 "zh:1075825e7311a8d2d233fd453a173910e891b0320e8a7698af44d1f90b02621d",
 "zh:203c5d09a03fcaa946defb8459f01227f2fcda07df768f74777beb328d6751ae",
 "zh:21bc79ccb09bfdeb711a3a5226c6c4a457ac7c4bb781dbda6ade7be38461739f",
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
new file mode 100644
index 0000000000..8144d55bce
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
@@ -0,0 +1,29 @@
+module "mojap_land_datasync_replication_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/kms/aws"
+ version = "3.1.0"
+
+ aliases = ["s3/mojap-land-datasync-replication"]
+ enable_default_policy = true
+ key_statements = [
+ {
+ sid = "AllowAnalyticalPlatformIngestion"
+ actions = [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ]
+ resources = ["*"]
+ effect = "Allow"
+ principals = [
+ {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::730335344807:role/datasync-replication" // analytical-platform-ingestion-development
+ ]
+ }
+ ]
+ }
+ ]
+ deletion_window_in_days = 7
+}
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
index 301d98bf90..608310781a 100644
--- a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
@@ -973,6 +973,23 @@ locals {
 "arn:aws:s3:::mojap-land-dev/bold/essex-police/*"
 ]
 },
+ {
+ Sid = "AllowAnalyticalPlatformIngestionDataSyncReplication"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::730335344807:role/datasync-replication"
+ }
+ Action = [
+ "s3:ReplicateObject",
+ "s3:ObjectOwnerOverrideToBucketOwner",
+ "s3:GetObjectVersionTagging",
+ "s3:ReplicateTags",
+ "s3:ReplicateDelete"
+ ]
+ Resource = [
+ "arn:aws:s3:::mojap-land-dev/*"
+ ]
+ },
 {
 Sid = "ListBucketAccessElectronicMonitoringService"
 Effect = "Allow"
From 0f66925a978cfe037dde232855825995342df722 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 13 Nov 2024 17:08:27 +0000
Subject: [PATCH 2/3] Add production
Signed-off-by: Jacob Woffenden
---
 .../data-engineering-pipelines/kms-keys.tf | 36 ++++++++++++++++---
 .../data-engineering-pipelines/locals.tf | 17 +++++++++
 2 files changed, 48 insertions(+), 5 deletions(-)
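Review bot: The `AllowAnalyticalPlatformIngestion` statement grants the cross-account `datasync-replication` role `kms:Encrypt` and `kms:GenerateDataKey` with no condition, so that role can use the key from any AWS service and for any bucket, not only for S3 replication into the bucket this key is meant to protect. The module's `key_statements` entries take a `conditions` list, so the grant can be tied to S3 in the key's region with `kms:ViaService` and to the destination bucket with `kms:EncryptionContext:aws:s3:arn`; the `mojap_land_dev_datasync_replication_kms` module added in the next commit needs the same treatment. `deletion_window_in_days = 7` is the shortest window KMS allows; for a key that protects replicated landing data a longer window (30 is the AWS default) leaves more time to notice and cancel a scheduled deletion. Region and bucket in the excerpt below are placeholders, since the hunk states neither.
```hcl
      effect = "Allow"
      # … unchanged: principals (datasync-replication role) …
      conditions = [
        {
          test     = "StringEquals"
          variable = "kms:ViaService"
          values   = ["s3.REGION_PLACEHOLDER.amazonaws.com"] # placeholder: region of the destination bucket
        },
        {
          test     = "StringLike"
          variable = "kms:EncryptionContext:aws:s3:arn"
          values   = ["arn:aws:s3:::BUCKET_PLACEHOLDER*"] # placeholder: the bucket this key encrypts
        }
      ]
```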
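Review bot: `s3:ReplicateDelete` in the new `AllowAnalyticalPlatformIngestionDataSyncReplication` statement lets replication from account `730335344807` write delete markers into `mojap-land-dev`, a destructive right on a landing bucket; unless the source replication rule deliberately enables delete-marker replication, remove that action and keep `s3:ReplicateObject`, `s3:ObjectOwnerOverrideToBucketOwner`, `s3:GetObjectVersionTagging` and `s3:ReplicateTags`. The matching production statement for `mojap-land` added in the next commit has the same shape. `Resource = ["arn:aws:s3:::mojap-land-dev/*"]` also covers every prefix in the bucket, including the `bold/essex-police` prefix visible in the context lines; if replication lands in a known prefix, scoping `Resource` to it keeps the cross-account role out of the rest. The enclosing `locals` block starts and ends outside the hunk.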
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
index 8144d55bce..89c7303892 100644
--- a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/kms-keys.tf
@@ -1,3 +1,31 @@
+module "mojap_land_dev_datasync_replication_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/kms/aws"
+ version = "3.1.0"
+
+ aliases = ["s3/mojap-land-dev-datasync-replication"]
+ enable_default_policy = true
+ key_statements = [
+ {
+ sid = "AllowAnalyticalPlatformIngestionDevelopment"
+ actions = [
+ "kms:Encrypt",
+ "kms:GenerateDataKey"
+ ]
+ resources = ["*"]
+ effect = "Allow"
+ principals = [
+ {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::730335344807:role/datasync-replication"]
+ }
+ ]
+ }
+ ]
+ deletion_window_in_days = 7
+}
+
 module "mojap_land_datasync_replication_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
@@ -8,7 +36,7 @@ module "mojap_land_datasync_replication_kms" {
 enable_default_policy = true
 key_statements = [
 {
- sid = "AllowAnalyticalPlatformIngestion"
+ sid = "AllowAnalyticalPlatformIngestionProduction"
 actions = [
 "kms:Encrypt",
 "kms:GenerateDataKey"
@@ -17,10 +45,8 @@ module "mojap_land_datasync_replication_kms" {
 effect = "Allow"
 principals = [
 {
- type = "AWS"
- identifiers = [
- "arn:aws:iam::730335344807:role/datasync-replication" // analytical-platform-ingestion-development
- ]
+ type = "AWS"
+ identifiers = ["arn:aws:iam::471112983409:role/datasync-replication"]
 }
 ]
 }
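Review bot: The rewrite of the `identifiers` line drops the `// analytical-platform-ingestion-development` comment that named account `730335344807`, and the new `471112983409` identifier carries no label at all, so the file now holds two bare account IDs that a reader cannot tell apart without an external lookup. Restore the comment on the dev identifier in the new `mojap_land_dev_datasync_replication_kms` module, `identifiers = ["arn:aws:iam::730335344807:role/datasync-replication"] // analytical-platform-ingestion-development`, and add a matching comment on the production identifier naming its account. The two module blocks are otherwise identical apart from name, alias, sid and account; a `for_each` over a local map keyed by environment would reduce the per-environment difference to one entry each, though that is a style choice. The `mojap_land_datasync_replication_kms` block that the last two hunks edit ends outside the hunk.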
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
index 608310781a..ffa114bd9c 100644
--- a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
@@ -707,6 +707,23 @@ locals {
 "arn:aws:s3:::mojap-land/bold/essex-police/*"
 ]
 },
+ {
+ Sid = "AllowAnalyticalPlatformIngestionDataSyncReplication"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::471112983409:role/datasync-replication"
+ }
+ Action = [
+ "s3:ReplicateObject",
+ "s3:ObjectOwnerOverrideToBucketOwner",
+ "s3:GetObjectVersionTagging",
+ "s3:ReplicateTags",
+ "s3:ReplicateDelete"
+ ]
+ Resource = [
+ "arn:aws:s3:::mojap-land/*"
+ ]
+ },
 {
 Sid = "ListBucketAccessElectronicMonitoringService"
 Effect = "Allow"
From 15dbaef3f9950650a2a3d25807c88042ac8c96d4 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 13 Nov 2024 17:10:38 +0000
Subject: [PATCH 3/3] SCA SCA SCA
Signed-off-by: Jacob Woffenden
---
 .../data-engineering-pipelines/buckets.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/buckets.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/buckets.tf
index 0ca9ad35bf..05be24d886 100644
--- a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/buckets.tf
+++ b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/buckets.tf
@@ -1,4 +1,6 @@
 module "data_engineering_pipeline_buckets" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 for_each = local.data_engineering_buckets
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.2.2"
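Review bot: The new `#checkov:skip=CKV_TF_1` comment records why the check cannot pass but not what control stands in for it: Terraform's `.terraform.lock.hcl` records provider hashes only, so this registry module is held by the exact `version = "4.2.2"` pin alone, with no checksum verification at `terraform init`. Saying so in the skip reason makes the accepted residual risk visible at the point of suppression, e.g. `#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions; exact version pin is the integrity control`; the same wording was added to the two kms modules in the earlier commits and would benefit in the same way. The commit message `SCA SCA SCA` leaves the skip reason as the only record of the decision, so it is worth getting right. The `data_engineering_pipeline_buckets` block continues past the hunk.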