
Commit 176fc02

housing register task role permissions (#2632)
* housing register task role permissions * remove unused athena permissions
1 parent afa17ce commit 176fc02


1 file changed

+166
-0
lines changed


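--- a/terraform/core/49-aws-ecs-iam.tf
+++ b/terraform/core/49-aws-ecs-iam.tf
@@ -182,3 +182,169 @@ resource "aws_iam_role_policy_attachment" "cross_dept_glue_metadata_secrets_atta
 role = aws_iam_role.cross_department_glue_metadata_role.name
 policy_arn = aws_iam_policy.cross_dept_glue_metadata_secrets_permissions.arn
 }
+
+# IAM Role for Housing Register ECS Task
+resource "aws_iam_role" "housing_register_task_role" {
+name = "${local.identifier_prefix}-housing-register-task-role"
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Principal = {
+service = "ecs-tasks.amazonaws.com"
+}
+Action = "sts:AssumeRole"
+}
+]
+})
+
+tags = module.tags.values
+}
+
+data "aws_iam_policy_document" "housing_register_s3_permissions" {
+statement {
+sid = "S3ReadRawZone"
+effect = "Allow"
+actions = [
+"s3:GetObject",
+"s3:ListBucket"
+]
+resources = [
+module.raw_zone.bucket_arn,
+"${module.raw_zone.bucket_arn}/housing/mtfh/mtfh_housingregister/*",
+"${module.raw_zone.bucket_arn}/unrestricted/geolive/llpg/geolive_llpg_llpg_address/*"
+]
+}
+
+statement {
+sid = "S3WriteRefinedZone"
+effect = "Allow"
+actions = [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket"
+]
+resources = [
+module.refined_zone.bucket_arn,
+"${module.refined_zone.bucket_arn}/bens-housing-needs/housing-register/*"
+]
+}
+
+statement {
+sid = "S3WriteTrustedZone"
+effect = "Allow"
+actions = [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket"
+]
+resources = [
+module.trusted_zone.bucket_arn,
+"${module.trusted_zone.bucket_arn}/bens-housing-needs/housing-register/*"
+]
+}
+}
+
+resource "aws_iam_policy" "housing_register_s3_permissions" {
+name = "${local.identifier_prefix}-housing-register-s3"
+policy = data.aws_iam_policy_document.housing_register_s3_permissions.json
+tags = module.tags.values
+}
+
+resource "aws_iam_role_policy_attachment" "housing_register_s3_attach" {
+role = aws_iam_role.housing_register_task_role.name
+policy_arn = aws_iam_policy.housing_register_s3_permissions.arn
+}
+
+data "aws_iam_policy_document" "housing_register_kms_permissions" {
+statement {
+sid = "KMSDecryptRawZone"
+effect = "Allow"
+actions = [
+"kms:Decrypt"
+]
+resources = [
+module.raw_zone.kms_key_arn
+]
+}
+
+statement {
+sid = "KMSEncryptDecrypt"
+effect = "Allow"
+actions = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey"
+]
+resources = [
+module.refined_zone.kms_key_arn,
+module.trusted_zone.kms_key_arn
+]
+}
+}
+
+resource "aws_iam_policy" "housing_register_kms_permissions" {
+name = "${local.identifier_prefix}-housing-register-kms"
+policy = data.aws_iam_policy_document.housing_register_kms_permissions.json
+tags = module.tags.values
+}
+
+resource "aws_iam_role_policy_attachment" "housing_register_kms_attach" {
+role = aws_iam_role.housing_register_task_role.name
+policy_arn = aws_iam_policy.housing_register_kms_permissions.arn
+}
+
+data "aws_iam_policy_document" "housing_register_glue_permissions" {
+statement {
+sid = "GlueCatalogRead"
+effect = "Allow"
+actions = [
+"glue:GetTable",
+"glue:GetDatabase"
+]
+resources = [
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:catalog",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:database/housing-refined-zone",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:database/housing-trusted-zone",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:table/housing-refined-zone/*",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:table/housing-trusted-zone/*"
+]
+}
+
+statement {
+sid = "GlueCatalogWrite"
+effect = "Allow"
+actions = [
+"glue:CreateTable",
+"glue:UpdateTable",
+"glue:BatchCreatePartition",
+"glue:CreatePartition",
+"glue:UpdatePartition",
+"glue:GetPartition",
+"glue:GetPartitions"
+]
+resources = [
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:catalog",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:database/bens-housing-needs-refined-zone",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:database/bens-housing-needs-trusted-zone",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:table/bens-housing-needs-refined-zone/*",
+"arn:aws:glue:${var.aws_deploy_region}:${var.aws_deploy_account_id}:table/bens-housing-needs-trusted-zone/*"
+]
+}
+}
+
+resource "aws_iam_policy" "housing_register_glue_permissions" {
+name = "${local.identifier_prefix}-housing-register-glue"
+policy = data.aws_iam_policy_document.housing_register_glue_permissions.json
+tags = module.tags.values
+}
+
+resource "aws_iam_role_policy_attachment" "housing_register_glue_attach" {
+role = aws_iam_role.housing_register_task_role.name
+policy_arn = aws_iam_policy.housing_register_glue_permissions.arn
+}
+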
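Review bot: The trust policy on `housing_register_task_role` (new lines 190-201) accepts `ecs-tasks.amazonaws.com` with no `Condition`; AWS recommends pinning `aws:SourceAccount` and `aws:SourceArn` on ECS task-role trust relationships to close the confused-deputy path, and `var.aws_deploy_account_id` / `var.aws_deploy_region` are already used elsewhere in this hunk, so the guard can be added without new inputs. While there, the principal key is written lowercase `service` (line 196) whereas the documented IAM key is `Service` — worth confirming the plan/apply accepted it as intended. Separately, `S3ReadRawZone` (lines 214-218) grants `s3:ListBucket` on the whole raw-zone bucket ARN, which lets the task enumerate every key in that bucket rather than only the two prefixes it may read; a `condition { test = "StringLike" variable = "s3:prefix" values = ["housing/mtfh/mtfh_housingregister/*", "unrestricted/geolive/llpg/geolive_llpg_llpg_address/*"] }` on that statement keeps listing to the same scope as `GetObject` (the refined and trusted statements have the same shape). Finally, `GlueCatalogRead` targets the `housing-*` databases while `GlueCatalogWrite` targets `bens-housing-needs-*`, so the role has no `glue:GetTable`/`GetDatabase` on the databases it writes to — if that split is unintentional, any flow that reads a table before `UpdateTable` will be denied.

```hcl
      {
        Effect = "Allow"
        Principal = {
          Service = "ecs-tasks.amazonaws.com" # documented key is "Service"; hunk has lowercase "service"
        }
        Action = "sts:AssumeRole"
        # Confused-deputy guard AWS recommends for ECS task-role trust policies
        Condition = {
          StringEquals = { "aws:SourceAccount" = var.aws_deploy_account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:ecs:${var.aws_deploy_region}:${var.aws_deploy_account_id}:*" }
        }
      }
```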
