Merge pull request #8812 from ministryofjustice/style/improve-naming-…

…for-cadet-metadata-copy-to-compute style: AP-6133 clearer role and policy names for APDP metadata-copy-to-compute assumable role & add `lakeformation:*LFTag*` perms
ministryofjustice · Nov 27, 2024 · d71bc28 · d71bc28
2 parents 526a457 + bd459bd
commit d71bc28
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf
@@ -350,7 +350,7 @@ module "data_production_mojap_derived_bucket_lake_formation_policy" {
   tags = local.tags
 }
 
-data "aws_iam_policy_document" "analytical_platform_cadet_runner_compute_policy" {
+data "aws_iam_policy_document" "copy_apdp_cadet_metadata_to_compute_policy" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
   statement {
@@ -422,18 +422,33 @@ data "aws_iam_policy_document" "analytical_platform_cadet_runner_compute_policy"
       "${module.mojap_compute_athena_query_results_bucket_eu_west_2.s3_bucket_arn}/*"
     ]
   }
+  statement {
+    sid    = "AlterLFTags"
+    effect = "Allow"
+    actions = [
+      "lakeformation:AddLFTagsToResource",
+      "lakeformation:RemoveLFTagsFromResource",
+      "lakeformation:GetResourceLFTags",
+      "lakeformation:ListLFTags",
+      "lakeformation:GetLFTag",
+      "lakeformation:SearchTablesByLFTags",
+      "lakeformation:SearchDatabasesByLFTags",
+    ]
+    resources = ["*"]
+  }
+
 }
 
-module "analytical_platform_cadet_runner_compute_policy" {
+module "copy_apdp_cadet_metadata_to_compute_policy" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = "5.48.0"
 
-  name_prefix = "analytical-platform-cadet-runner-compute-policy"
+  name_prefix = "copy-apdp-cadet-metadata-to-compute-"
 
-  policy = data.aws_iam_policy_document.analytical_platform_cadet_runner_compute_policy.json
+  policy = data.aws_iam_policy_document.copy_apdp_cadet_metadata_to_compute_policy.json
 
   tags = local.tags
 }
diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf
@@ -374,7 +374,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" {
   tags = local.tags
 }
 
-module "analytical_platform_cadet_runner" {
+module "copy_apdp_cadet_metadata_to_compute_assumable_role" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
@@ -384,9 +384,13 @@ module "analytical_platform_cadet_runner" {
   trusted_role_arns      = ["arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table"]
   create_role            = true
   role_requires_mfa      = false
-  role_name              = "analytical-platform-cadet-runner-assumable"
+  role_name              = "copy-apdp-cadet-metadata-to-compute"
 
-  custom_role_policy_arns = [module.analytical_platform_cadet_runner_compute_policy.arn]
+  custom_role_policy_arns = [module.copy_apdp_cadet_metadata_to_compute_policy.arn]
   # number_of_custom_role_policy_arns = 1
+}
 
+moved {
+  from = module.analytical_platform_cadet_runner
+  to   = module.copy_apdp_cadet_metadata_to_compute_assumable_role
 }