Dl 42/nec migration resources (#2263)

timburke-hackit · web-flow · commit 018e7428453e · 2025-05-28T09:17:17.000+01:00
* add housing_nec_migration catalog database

* add nec housing data bucket

* config for allowing additional s3 dept access

* grant housing dept access to nec migration bucket

* remove experimental optional

* update s3 compliance rules
diff --git a/terraform/compliance/s3.feature b/terraform/compliance/s3.feature
@@ -1,10 +1,14 @@
+# buckets should only be excluded from one of these two rules
 Feature: S3
 
   @exclude_aws_s3_bucket.ssl_connection_resources\[0\]
   @exclude_module.qlik_server\[0\].aws_s3_bucket.qlik_alb_logs\[0\]
   @exclude_module.airflow.aws_s3_bucket.bucket
   @exclude_aws_s3_bucket.mwaa_bucket
   @exclude_aws_s3_bucket.mwaa_etl_scripts_bucket
+  @exclude_module.housing_nec_migration_storage.aws_s3_bucket.bucket
+
+  # This rule is in place for legacy buckets created with the deprecated block within the aws_s3_bucket resource 
   Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource
     Given I have aws_s3_bucket defined
     Then it must have server_side_encryption_configuration
@@ -27,6 +31,7 @@ Feature: S3
   @exclude_module.db_snapshot_to_s3\[0\].module.rds_export_storage.aws_s3_bucket.bucket
   @exclude_module.liberator_dump_to_rds_snapshot\[0\].aws_s3_bucket.cloudtrail
   @exclude_module.liberator_db_snapshot_to_s3\[0\].module.rds_export_storage.aws_s3_bucket.bucket
+  # This rule checks for a separate sse block as supported by the s3 bucket module
   Scenario: Data must be encrypted at rest for buckets created using separate server side configuration resource
     Given I have aws_s3_bucket defined
     Then it must have aws_s3_bucket_server_side_encryption_configuration
diff --git a/terraform/core/05-departments.tf b/terraform/core/05-departments.tf
@@ -405,6 +405,14 @@ module "department_housing" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_s3_access = [
+    {
+      bucket_arn  = module.housing_nec_migration_storage.bucket_arn
+      kms_key_arn = module.housing_nec_migration_storage.kms_key_arn
+      paths       = []
+      actions     = ["s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*"]
+    }
+  ]
 }
 
 module "department_children_and_education" {
@@ -572,4 +580,4 @@ module "department_children_family_services" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
-}
+}
diff --git a/terraform/core/10-aws-s3-buckets.tf b/terraform/core/10-aws-s3-buckets.tf
@@ -548,3 +548,15 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "addresses_api_rds
 
   provider = aws.aws_api_account
 }
+
+module "housing_nec_migration_storage" {
+  source = "../modules/s3-bucket"
+
+  tags                       = module.tags.values
+  project                    = var.project
+  environment                = var.environment
+  identifier_prefix          = local.identifier_prefix
+  bucket_name                = "Housing NEC Migration Storage"
+  bucket_identifier          = "housing-nec-migration-storage"
+  include_backup_policy_tags = false
+}
diff --git a/terraform/etl/61-aws-glue-catalog-database.tf b/terraform/etl/61-aws-glue-catalog-database.tf
@@ -13,3 +13,11 @@ resource "aws_glue_catalog_database" "hackney_casemanagement_live" {
     prevent_destroy = true
   }
 }
+
+resource "aws_glue_catalog_database" "housing_nec_migration_database" {
+  name = "housing_nec_migration"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
diff --git a/terraform/modules/department/02-inputs-optional.tf b/terraform/modules/department/02-inputs-optional.tf
@@ -42,3 +42,19 @@ variable "region" {
   type        = string
   default     = "eu-west-2"
 }
+
+variable "additional_s3_access" {
+  description = <<EOF
+    Additional s3 access to grant to the department.
+    To grant access to specific paths, provide a list of strings for 'paths'.
+    If 'paths' is null or an empty list, access will be granted to the entire bucket.
+  EOF
+  type = list(object({
+    bucket_arn  = string
+    kms_key_arn = string
+    actions     = list(string)
+    paths       = list(string)
+  }))
+  default = []
+}
+
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -32,6 +32,21 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.additional_s3_access
+    iterator = additional_access_item
+    content {
+      sid    = "AdditionalKmsReadOnlyAccess${replace(additional_access_item.value.bucket_arn, "/[^a-zA-Z0-9]/", "")}"
+      effect = "Allow"
+      actions = [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey",
+      ]
+      resources = [additional_access_item.value.kms_key_arn]
+    }
+  }
+
   statement {
     sid    = "S3ReadAllDepartmentAreasInBuckets"
     effect = "Allow"
@@ -75,6 +90,27 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.additional_s3_access
+    iterator = additional_access_item
+    content {
+      sid    = "AdditionalS3ReadOnlyAccess${replace(additional_access_item.value.bucket_arn, "/[^a-zA-Z0-9]/", "")}"
+      effect = "Allow"
+      actions = [
+        "s3:Get*",
+        "s3:List*",
+      ]
+      resources = concat(
+        [additional_access_item.value.bucket_arn],
+        additional_access_item.value.paths == null ? [
+          "${additional_access_item.value.bucket_arn}/*"
+        ] : [
+          for path in additional_access_item.value.paths : "${additional_access_item.value.bucket_arn}/${path}/*"
+        ]
+      )
+    }
+  }
+
   statement {
     sid    = "S3WriteToManualFolder"
     effect = "Allow"
@@ -179,6 +215,25 @@ data "aws_iam_policy_document" "s3_department_access" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.additional_s3_access
+    iterator = additional_access_item
+    content {
+      sid    = "AdditionalKmsFullAccess${replace(additional_access_item.value.bucket_arn, "/[^a-zA-Z0-9]/", "")}"
+      effect = "Allow"
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey",
+        "kms:CreateGrant",
+        "kms:RetireGrant"
+      ]
+      resources = [additional_access_item.value.kms_key_arn]
+    }
+  }
+
   statement {
     sid    = "S3ReadAndWrite"
     effect = "Allow"
@@ -226,6 +281,24 @@ data "aws_iam_policy_document" "s3_department_access" {
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.additional_s3_access
+    iterator = additional_access_item
+    content {
+      sid    = "AdditionalS3FullAccess${replace(additional_access_item.value.bucket_arn, "/[^a-zA-Z0-9]/", "")}"
+      effect = "Allow"
+      actions = additional_access_item.value.actions
+      resources = concat(
+        [additional_access_item.value.bucket_arn],
+        additional_access_item.value.paths == null ? [
+          "${additional_access_item.value.bucket_arn}/*"
+        ] : [
+          for path in additional_access_item.value.paths : "${additional_access_item.value.bucket_arn}/${path}/*"
+        ]
+      )
+    }
+  }
+
   statement {
     sid    = "ReadAllScripts"
     effect = "Allow"

Original file line number	Diff line number	Diff line change
`@@ -13,3 +13,11 @@ resource "aws_glue_catalog_database" "hackney_casemanagement_live" {`
`13`	`13`	`prevent_destroy = true`
`14`	`14`	`}`
`15`	`15`	`}`
	`16`	`+`
	`17`	`+resource "aws_glue_catalog_database" "housing_nec_migration_database" {`
	`18`	`+ name = "housing_nec_migration"`
	`19`	`+`
	`20`	`+ lifecycle {`
	`21`	`+ prevent_destroy = true`
	`22`	`+ }`
	`23`	`+}`