(DL-22) Restrict Access to Glue Catalog Databases (#2502)

* refactor additional_glue_database implementation

* add liberator databases access to parking

* add tascomi db access to planning

* add database access to cfs dept

* add nndr access to revenues dept

* add hben_raw_zone access to bens and housing needs dept

* refactor additional_glue_database_access

* ro and rw required when adding additional db access

* restrict default permissions to department and undrestricted databases

* add ctax_raw_zone access to revenues

* move common department databases to local

* add parking-ringgo-sftp-raw-zone access to parking department

Author: timburke-hackit

terraform/core/05-departments.tf

@@ -73,6 +73,13 @@ module "department_parking" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = {
+    read_only  = [
+      "${local.identifier_prefix}-liberator*",
+      "parking-ringgo-sftp-raw-zone",
+    ]
+    read_write = []
+  }
 }
 
 module "department_finance" {
@@ -205,6 +212,10 @@ module "department_planning" {
   google_group_display_name       = "[email protected]"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = {
+    read_only  = ["${local.identifier_prefix}-tascomi*"]
+    read_write = []
+  }
 }
 
 module "department_unrestricted" {
@@ -305,6 +316,10 @@ module "department_benefits_and_housing_needs" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = {
+    read_only  = ["hben_raw_zone"]
+    read_write = []
+  }
 }
 
 module "department_revenues" {
@@ -339,6 +354,13 @@ module "department_revenues" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = {
+    read_only = [
+      "nndr_raw_zone",
+      "ctax_raw_zone",
+    ]
+    read_write = []
+  }
 }
 
 module "department_environmental_services" {
@@ -421,16 +443,10 @@ module "department_housing" {
       actions     = ["s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*"]
     }
   ]
-  additional_glue_database_access = [
-    {
-      database_name = "housing_nec_migration"
-      actions       = ["glue:CreateTable", "glue:UpdateTable", "glue:DeleteTable", "glue:GetTable", "glue:GetTables", "glue:GetDatabase"]
-    },
-    {
-      database_name = "housing_nec_migration_outputs"
-      actions       = ["glue:CreateTable", "glue:UpdateTable", "glue:DeleteTable", "glue:GetTable", "glue:GetTables", "glue:GetDatabase"]
-    }
-  ]
+  additional_glue_database_access = {
+    read_only  = []
+    read_write = ["housing_nec_migration", "housing_nec_migration_outputs"]
+  }
 }
 
 module "department_children_and_education" {
@@ -598,4 +614,8 @@ module "department_children_family_services" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = {
+    read_only  = ["child_edu_refined", "hackney_casemanagement_live", "hackney_synergy_live"]
+    read_write = []
+  }
 }

terraform/modules/department/02-inputs-optional.tf

@@ -71,11 +71,24 @@ variable "cloudtrail_bucket" {
 variable "additional_glue_database_access" {
   description = <<EOF
     Additional Glue database access to grant to the department.
-    Allows specifying specific databases and the actions that can be performed on them.
+    Databases are grouped by permission level.
+    
+    Example:
+    additional_glue_database_access = {
+      read_only  = ["database1", "database2*"]
+      read_write = ["database3"]
+    }
+    
+    Permission levels:
+    - "read_only": Grants Get* and BatchGet* permissions (for reading databases, tables, partitions)
+    - "read_write": Grants Get*, BatchGet*, Create*, Update*, Delete*, BatchCreate*, BatchUpdate*, BatchDelete* permissions
   EOF
-  type = list(object({
-    database_name = string
-    actions       = list(string)
-  }))
-  default = []
+  type = object({
+    read_only  = list(string)
+    read_write = list(string)
+  })
+  default = {
+    read_only  = []
+    read_write = []
+  }
 }

terraform/modules/department/50-aws-iam-policies.tf

@@ -1,6 +1,33 @@
 // WARNING! All statement blocks MUST have a UNIQUE SID, this is to allow the individual documents to be merged.
 // Statement blocks with the same SID will replace each other when merged.
 
+locals {
+  glue_access_presets = {
+    read_only = [
+      "glue:Get*",
+      "glue:BatchGet*",
+    ]
+    read_write = [
+      "glue:Get*",
+      "glue:BatchGet*",
+      "glue:Create*",
+      "glue:Update*",
+      "glue:Delete*",
+      "glue:BatchCreate*",
+      "glue:BatchUpdate*",
+      "glue:BatchDelete*",
+    ]
+  }
+
+  common_department_databases = [
+    aws_glue_catalog_database.raw_zone_catalog_database.name,
+    aws_glue_catalog_database.refined_zone_catalog_database.name,
+    aws_glue_catalog_database.trusted_zone_catalog_database.name,
+    "unrestricted-*-zone",
+    "${var.identifier_prefix}-raw-zone-unrestricted-addresses-api"
+  ]
+}
+
 // S3 read only access policy
 data "aws_iam_policy_document" "read_only_s3_department_access" {
   # Include CloudTrail bucket access for data-and-insight department
@@ -176,21 +203,28 @@ data "aws_iam_policy_document" "read_only_glue_access" {
       "glue:SearchTables",
       "glue:Query*",
     ]
-    resources = ["*"]
+    resources = flatten([
+      ["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
+      [for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
+      [for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
+    ])
   }
 
   dynamic "statement" {
-    for_each = var.additional_glue_database_access
-    iterator = additional_db_access
+    for_each = {
+      read_only  = var.additional_glue_database_access.read_only
+      read_write = var.additional_glue_database_access.read_write
+    }
+    iterator = access_level
     content {
-      sid     = "AdditionalGlueDatabaseAccess${replace(additional_db_access.value.database_name, "/[^a-zA-Z0-9]/", "")}"
+      sid     = "AdditionalGlueDatabaseAccess${title(replace(access_level.key, "_", ""))}"
       effect  = "Allow"
-      actions = additional_db_access.value.actions
-      resources = [
-        "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:catalog",
-        "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:database/${additional_db_access.value.database_name}",
-        "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:table/${additional_db_access.value.database_name}/*"
-      ]
+      actions = local.glue_access_presets[access_level.key]
+      resources = length(access_level.value) > 0 ? flatten([
+        ["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
+        [for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
+        [for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
+      ]) : []
     }
   }
 }
@@ -521,7 +555,29 @@ data "aws_iam_policy_document" "glue_access" {
       "glue:GetDatabases",
       "glue:Query*",
     ]
-    resources = ["*"]
+    resources = flatten([
+      ["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
+      [for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
+      [for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
+    ])
+  }
+
+  dynamic "statement" {
+    for_each = {
+      read_only  = var.additional_glue_database_access.read_only
+      read_write = var.additional_glue_database_access.read_write
+    }
+    iterator = access_level
+    content {
+      sid     = "AdditionalGlueDatabaseFullAccess${title(replace(access_level.key, "_", ""))}"
+      effect  = "Allow"
+      actions = local.glue_access_presets[access_level.key]
+      resources = length(access_level.value) > 0 ? flatten([
+        ["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
+        [for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
+        [for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
+      ]) : []
+    }
   }
 }