
Commit c204262

Allow-departmental-ecs-role-access-the-etl-bucket (#2115)
* add departmental ecs role access to the etl bucket * pass to main * allow departmental ecs role to access the etl bucket
1 parent b923169 commit c204262

4 files changed

+59
-3
lines changed

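--- a/terraform/core/05-departments.tf
+++ b/terraform/core/05-departments.tf
@@ -37,6 +37,8 @@ module "department_housing_repairs" {
 sso_instance_arn = local.sso_instance_arn
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_parking" {
@@ -69,6 +71,8 @@ module "department_parking" {
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
 departmental_airflow_user = true
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_finance" {
@@ -99,6 +103,8 @@ module "department_finance" {
 sso_instance_arn = local.sso_instance_arn
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_data_and_insight" {
@@ -130,6 +136,8 @@ module "department_data_and_insight" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_env_enforcement" {
@@ -160,6 +168,8 @@ module "department_env_enforcement" {
 sso_instance_arn = local.sso_instance_arn
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_planning" {
@@ -191,6 +201,8 @@ module "department_planning" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_unrestricted" {
@@ -222,6 +234,8 @@ module "department_unrestricted" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 departmental_airflow_user = true
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_sandbox" {
@@ -253,6 +267,8 @@ module "department_sandbox" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_benefits_and_housing_needs" {
@@ -284,6 +300,8 @@ module "department_benefits_and_housing_needs" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "saml-aws-data-platform-collaborator-benefits-housing-needs@hackney.gov.uk"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_revenues" {
@@ -315,6 +333,9 @@ module "department_revenues" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
+
 }
 
 module "department_environmental_services" {
@@ -347,6 +368,8 @@ module "department_environmental_services" {
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "saml-aws-data-platform-collaborator-environmental-services@hackney.gov.uk"
 departmental_airflow_user = true
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_housing" {
@@ -379,6 +402,8 @@ module "department_housing" {
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
 departmental_airflow_user = true
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_children_and_education" {
@@ -410,6 +435,8 @@ module "department_children_and_education" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "saml-aws-data-platform-collaborator-children-and-family-services@hackney.gov.uk"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_customer_services" {
@@ -441,6 +468,8 @@ module "department_customer_services" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "saml-aws-data-platform-collaborator-customer-services@hackney.gov.uk"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_hr_and_od" {
@@ -472,6 +501,8 @@ module "department_hr_and_od" {
 identity_store_id = local.identity_store_id
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_streetscene" {
@@ -504,6 +535,8 @@ module "department_streetscene" {
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
 departmental_airflow_user = true
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
 }
 
 module "department_children_family_services" {
@@ -536,4 +569,6 @@ module "department_children_family_services" {
 google_group_admin_display_name = local.google_group_admin_display_name
 google_group_display_name = "[email protected]"
 departmental_airflow_user = true
-}
+mwaa_etl_scripts_bucket_arn = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+mwaa_key_arn = aws_kms_key.mwaa_key.arn
+}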
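Review bot: The shared ETL scripts bucket and its KMS key are wired identically into all seventeen department modules, including `department_unrestricted` and `department_sandbox`, while only six of them set `departmental_airflow_user = true`; the departments with no Airflow user gain a grant to the MWAA scripts bucket they have no visible reason to use. Since the two inputs are declared as required variables, the cheapest least-privilege fix is to make them optional in the module (`default = null`) and pass them only from the modules that also set `departmental_airflow_user = true`, or have the module condition the grant on that flag. A trailing blank line was also added inside `department_revenues` (new line 338) that none of the other blocks have, so `terraform fmt` will likely flag it.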

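--- a/terraform/core/99-outputs.tf
+++ b/terraform/core/99-outputs.tf
@@ -32,3 +32,11 @@ output "identity_store_id" {
 output "arn" {
 value = local.sso_instance_arn
 }
+
+output "mwaa_etl_scripts_bucket_arn" {
+value = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+}
+
+output "mwaa_key_arn" {
+value = aws_kms_key.mwaa_key.arn
+}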
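Review bot: Neither new output carries a `description`, and nothing else in this commit consumes them — the department modules in 05-departments.tf are passed `aws_s3_bucket.mwaa_etl_scripts_bucket.arn` and `aws_kms_key.mwaa_key.arn` directly rather than through these outputs. Bucket and key ARNs are not secrets, but an output with no documented consumer tends to be read from remote state by some other stack later, so either drop them until that consumer exists or state it: `description = "ARN of the shared MWAA ETL scripts bucket; consumed by <stack> via remote state"` and the equivalent for the key.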

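--- a/terraform/modules/department/01-inputs-required.tf
+++ b/terraform/modules/department/01-inputs-required.tf
@@ -132,3 +132,11 @@ variable "redshift_port" {
 description = "Port that the redshift cluster is running on"
 type = number
 }
+
+variable "mwaa_etl_scripts_bucket_arn" {
+type = string
+}
+
+variable "mwaa_key_arn" {
+type = string
+}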
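Review bot: Both new variables omit the `description` the neighbouring `redshift_port` has, and neither validates its shape even though the policy in 50-aws-iam-policies.tf string-interpolates `mwaa_etl_scripts_bucket_arn` into `"${var.mwaa_etl_scripts_bucket_arn}/${local.department_identifier}/*"` — a value with a trailing `/` or `*` would silently widen the resource pattern. Adding a `description` and a `validation` block that accepts only a bare S3 bucket ARN (and only a KMS `key/` ARN, not an alias) makes the module fail at plan time instead of producing an over-broad policy.

```hcl
variable "mwaa_etl_scripts_bucket_arn" {
  description = "ARN of the shared MWAA ETL scripts bucket (bucket ARN only, no prefix); the department's grant is scoped to its own prefix"
  type        = string

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:s3:::[^/*]+$", var.mwaa_etl_scripts_bucket_arn))
    error_message = "mwaa_etl_scripts_bucket_arn must be a bare bucket ARN (arn:aws:s3:::<bucket>) with no key, prefix or wildcard."
  }
}

variable "mwaa_key_arn" {
  description = "ARN of the KMS key that encrypts the MWAA ETL scripts bucket"
  type        = string

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.mwaa_key_arn))
    error_message = "mwaa_key_arn must be a KMS key ARN (…:key/<id>), not an alias ARN."
  }
}
```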

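--- a/terraform/modules/department/50-aws-iam-policies.tf
+++ b/terraform/modules/department/50-aws-iam-policies.tf
@@ -174,7 +174,8 @@ data "aws_iam_policy_document" "s3_department_access" {
 var.athena_storage_bucket.kms_key_arn,
 var.glue_scripts_bucket.kms_key_arn,
 var.spark_ui_output_storage_bucket.kms_key_arn,
-var.glue_temp_storage_bucket.kms_key_arn
+var.glue_temp_storage_bucket.kms_key_arn,
+var.mwaa_key_arn
 ]
 }
 
@@ -216,7 +217,11 @@ data "aws_iam_policy_document" "s3_department_access" {
 var.glue_temp_storage_bucket.bucket_arn,
 
 var.spark_ui_output_storage_bucket.bucket_arn,
-"${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*"
+"${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*",
+
+var.mwaa_etl_scripts_bucket_arn,
+"${var.mwaa_etl_scripts_bucket_arn}/${local.department_identifier}/*",
+"${var.mwaa_etl_scripts_bucket_arn}/${local.department_identifier}/unrestricted/*",
 ]
 }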