Add mp ssm inventory resource data sync bucket and kms key

ministryofjustice · Nov 21, 2024 · 1256bf0 · 1256bf0
1 parent 2b7d7d7
commit 1256bf0
Showing 1 changed file with 112 additions and 0 deletions.
diff --git a/organisation-security/terraform/s3.tf b/organisation-security/terraform/s3.tf
@@ -110,3 +110,115 @@ module "athena_results_s3_bucket" {
     }
   }
 }
+
+# MP SSM Inventory Resource Data Sync S3 bucket - for syncing Modernisation Platform inventory data centrally (Similar to what's been built in organisation-security/terraform/ssm.tf but keeping this separate for now)
+module "mp_ssm_inventory_resource_data_sync_s3_bucket" {
+  source = "../../modules/s3"
+
+  bucket_name = "mp-ssm-inventory-resource-data-sync-${random_integer.suffix.result}"
+  bucket_acl  = "private"
+
+  attach_policy        = true
+  policy               = data.aws_iam_policy_document.mp_ssm_inventory_resource_data_sync_bucket.json
+  require_ssl_requests = true
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
+}
+
+# MP SSM Inventory Resource Data Sync S3 bucket policy
+data "aws_iam_policy_document" "mp_ssm_inventory_resource_data_sync_bucket" {
+  statement {
+    sid    = "SSMBucketPermissionsCheck"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["ssm.amazonaws.com"]
+    }
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::ssm-inventory-sync-bucket-euw2"]
+  }
+
+  statement {
+    sid    = "SSMBucketDelivery"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["ssm.amazonaws.com"]
+    }
+    actions   = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::ssm-inventory-sync-bucket-euw2/*/accountid=*/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceOrgID"
+      values   = [data.aws_organizations_organization.root_account.id]
+    }
+  }
+
+  statement {
+    sid    = "SSMBucketDeliveryTagging"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["ssm.amazonaws.com"]
+    }
+    actions   = ["s3:PutObjectTagging"]
+    resources = ["arn:aws:s3:::ssm-inventory-sync-bucket-euw2/*/accountid=*/*"]
+  }
+}
+
+# KMS key for encrypting contents of the MP SSM Inventory Resource Data Sync S3 bucket
+resource "aws_kms_key" "mp_ssm_inventory_resource_data_sync" {
+  description         = "Used for Inventory Resource Data Sync from org member accounts"
+  policy              = data.aws_iam_policy_document.mp_ssm_inventory_resource_data_sync_kms.json
+  is_enabled          = true
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "mp_ssm_inventory_resource_data_sync" {
+  name          = "alias/ssm-resource-sync"
+  target_key_id = aws_kms_key.mp_ssm_inventory_resource_data_sync.key_id
+}
+
+data "aws_iam_policy_document" "mp_ssm_inventory_resource_data_sync_kms" {
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+  statement {
+    sid       = "ssm-access-policy-statement"
+    effect    = "Allow"
+    actions   = ["kms:GenerateDataKey"]
+    resources = ["*"]
+    principals {
+      type        = "Service"
+      identifiers = ["ssm.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = local.organisation_account_numbers
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:ssm:*:*:resource-data-sync/*"]
+    }
+  }
+}