DL-167 grant data and insight ecs role to write to datahub config bucket

Author: Tian-2017

terraform/core/05-departments.tf

@@ -154,6 +154,7 @@ module "department_data_and_insight" {
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
   user_uploads_bucket             = module.user_uploads
   cloudtrail_bucket               = module.cloudtrail_storage
+  datahub_config_bucket           = module.datahub_config
   additional_glue_database_access = {
     read_only  = []
     read_write = ["arcus_archive", "metastore"]

terraform/modules/department/02-inputs-optional.tf

@@ -68,6 +68,16 @@ variable "cloudtrail_bucket" {
   default = null
 }
 
+variable "datahub_config_bucket" {
+  description = "DataHub config S3 bucket"
+  type = object({
+    bucket_id   = string
+    bucket_arn  = string
+    kms_key_arn = string
+  })
+  default = null
+}
+
 variable "additional_glue_database_access" {
   description = <<EOF
     Additional Glue database access to grant to the department.

terraform/modules/department/50-aws-iam-policies.tf

@@ -1425,3 +1425,45 @@ resource "aws_iam_policy" "cloudtrail_access_policy" {
   description = "Allows ${local.department_identifier} department read-only access to CloudTrail bucket"
   policy      = data.aws_iam_policy_document.cloudtrail_access[0].json
 }
+
+// Write access to DataHub config bucket for Data and Insight department only
+data "aws_iam_policy_document" "datahub_config_access" {
+  count = local.department_identifier == "data-and-insight" && var.datahub_config_bucket != null ? 1 : 0
+
+  statement {
+    sid    = "DataHubConfigKmsAccess"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [var.datahub_config_bucket.kms_key_arn]
+  }
+
+  statement {
+    sid    = "DataHubConfigS3WriteAccess"
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:ListBucket",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:DeleteObject"
+    ]
+    resources = [
+      var.datahub_config_bucket.bucket_arn,
+      "${var.datahub_config_bucket.bucket_arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "datahub_config_access_policy" {
+  count       = local.department_identifier == "data-and-insight" && var.datahub_config_bucket != null ? 1 : 0
+  name        = lower("${var.identifier_prefix}-${local.department_identifier}-datahub-config-access-policy")
+  description = "Allows ${local.department_identifier} department write access to DataHub config bucket"
+  policy      = data.aws_iam_policy_document.datahub_config_access[0].json
+}

terraform/modules/department/50-aws-iam-roles.tf

@@ -175,3 +175,9 @@ resource "aws_iam_role_policy_attachment" "ecs_parameter_store_access" {
   role       = aws_iam_role.department_ecs_role.name
   policy_arn = aws_iam_policy.parameter_store_read_only.arn
 }
+
+resource "aws_iam_role_policy_attachment" "datahub_config_access_attachment" {
+  count      = local.department_identifier == "data-and-insight" && var.datahub_config_bucket != null ? 1 : 0
+  role       = aws_iam_role.department_ecs_role.name
+  policy_arn = aws_iam_policy.datahub_config_access_policy[0].arn
+}