Feature/DL-114-Create-bucket,-grant-permission,-create-database-for-manual-uploads (#2560)

Tian-2017 · web-flow · commit c8c0a32151e9 · 2025-11-14T11:57:32.000Z
* create "parking_user_uploads_db"

* create bucket

* add to compliance

* permission to access own departmental prefix

* add exclude to both

* allow put and delete in the new bucket

* remove exclude from second section
diff --git a/terraform/compliance/s3.feature b/terraform/compliance/s3.feature
@@ -12,6 +12,7 @@ Feature: S3
   @exclude_module.file_sync_destination_nec.aws_s3_bucket.bucket
   @exclude_module.file_sync_destination_nec.aws_s3_bucket.log_bucket
   @exclude_module.arcus_data_storage.aws_s3_bucket.bucket
+  @exclude_module.user_uploads.aws_s3_bucket.bucket
 
   # This rule is in place for legacy buckets created with the deprecated block within the aws_s3_bucket resource
   Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource
diff --git a/terraform/core/05-departments.tf b/terraform/core/05-departments.tf
@@ -39,6 +39,7 @@ module "department_housing_repairs" {
   google_group_admin_display_name = local.google_group_admin_display_name
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_parking" {
@@ -73,12 +74,14 @@ module "department_parking" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_glue_database_access = {
     read_only = [
       "${local.identifier_prefix}-liberator-raw-zone",
       "${local.identifier_prefix}-liberator-refined-zone",
       "${local.identifier_prefix}-liberator-trusted-zone",
       "parking-ringgo-sftp-raw-zone",
+      "parking_user_uploads_db",
     ]
     read_write = []
   }
@@ -114,6 +117,7 @@ module "department_finance" {
   google_group_admin_display_name = local.google_group_admin_display_name
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_data_and_insight" {
@@ -148,6 +152,7 @@ module "department_data_and_insight" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   cloudtrail_bucket               = module.cloudtrail_storage
   additional_glue_database_access = {
     read_only  = []
@@ -193,6 +198,7 @@ module "department_env_enforcement" {
   google_group_admin_display_name = local.google_group_admin_display_name
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_planning" {
@@ -226,6 +232,7 @@ module "department_planning" {
   google_group_display_name       = "saml-aws-data-platform-collaborator-planning@hackney.gov.uk"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_glue_database_access = {
     read_only  = ["${local.identifier_prefix}-tascomi*"]
     read_write = []
@@ -263,6 +270,7 @@ module "department_unrestricted" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_sandbox" {
@@ -296,6 +304,7 @@ module "department_sandbox" {
   google_group_display_name       = "saml-aws-data-platform-collaborator-sandbox@hackney.gov.uk"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_benefits_and_housing_needs" {
@@ -330,6 +339,7 @@ module "department_benefits_and_housing_needs" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_glue_database_access = {
     read_only  = ["hben_raw_zone"]
     read_write = []
@@ -368,6 +378,7 @@ module "department_revenues" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_glue_database_access = {
     read_only = [
       "nndr_raw_zone",
@@ -409,6 +420,7 @@ module "department_environmental_services" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_housing" {
@@ -443,6 +455,7 @@ module "department_housing" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_s3_access = [
     {
       bucket_arn  = module.housing_nec_migration_storage.bucket_arn
@@ -500,6 +513,7 @@ module "department_children_and_education" {
   google_group_display_name       = "saml-aws-data-platform-collaborator-children-and-family-services@hackney.gov.uk"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_customer_services" {
@@ -533,6 +547,7 @@ module "department_customer_services" {
   google_group_display_name       = "saml-aws-data-platform-collaborator-customer-services@hackney.gov.uk"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_hr_and_od" {
@@ -566,6 +581,7 @@ module "department_hr_and_od" {
   google_group_display_name       = "saml-aws-data-platform-collaborator-hr-and-od@hackney.gov.uk"
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_streetscene" {
@@ -600,6 +616,7 @@ module "department_streetscene" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
 }
 
 module "department_children_family_services" {
@@ -634,6 +651,7 @@ module "department_children_family_services" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  user_uploads_bucket             = module.user_uploads
   additional_glue_database_access = {
     read_only  = ["child_edu_refined", "hackney_casemanagement_live", "hackney_synergy_live"]
     read_write = []
diff --git a/terraform/core/10-aws-s3-utility-buckets.tf b/terraform/core/10-aws-s3-utility-buckets.tf
@@ -148,6 +148,22 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "addresses_api_rds
   provider = aws.aws_api_account
 }
 
+#===============================================================================
+# User Uploads Bucket
+#===============================================================================
+
+module "user_uploads" {
+  source = "../modules/s3-bucket"
+
+  tags                       = module.tags.values
+  project                    = var.project
+  environment                = var.environment
+  identifier_prefix          = local.identifier_prefix
+  bucket_name                = "user-uploads"
+  bucket_identifier          = "user-uploads"
+  include_backup_policy_tags = false
+}
+
 #===============================================================================
 # MWAA Buckets
 #===============================================================================
diff --git a/terraform/etl/61-aws-glue-catalog-database.tf b/terraform/etl/61-aws-glue-catalog-database.tf
@@ -85,3 +85,11 @@ resource "aws_glue_catalog_database" "arcus_archive" {
     prevent_destroy = true
   }
 }
+
+resource "aws_glue_catalog_database" "parking_user_uploads" {
+  name = "parking_user_uploads_db"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
diff --git a/terraform/modules/department/01-inputs-required.tf b/terraform/modules/department/01-inputs-required.tf
@@ -140,3 +140,12 @@ variable "mwaa_etl_scripts_bucket_arn" {
 variable "mwaa_key_arn" {
   type = string
 }
+
+variable "user_uploads_bucket" {
+  description = "User uploads S3 bucket"
+  type = object({
+    bucket_id   = string
+    bucket_arn  = string
+    kms_key_arn = string
+  })
+}
diff --git a/terraform/modules/department/02-inputs-optional.tf b/terraform/modules/department/02-inputs-optional.tf
@@ -72,13 +72,13 @@ variable "additional_glue_database_access" {
   description = <<EOF
     Additional Glue database access to grant to the department.
     Databases are grouped by permission level.
-    
+
     Example:
     additional_glue_database_access = {
       read_only  = ["database1", "database2*"]
       read_write = ["database3"]
     }
-    
+
     Permission levels:
     - "read_only": Grants Get* and BatchGet* permissions (for reading databases, tables, partitions)
     - "read_write": Grants Get*, BatchGet*, Create*, Update*, Delete*, BatchCreate*, BatchUpdate*, BatchDelete* permissions
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -60,7 +60,8 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
       var.trusted_zone_bucket.kms_key_arn,
       var.athena_storage_bucket.kms_key_arn,
       var.glue_scripts_bucket.kms_key_arn,
-      var.spark_ui_output_storage_bucket.kms_key_arn
+      var.spark_ui_output_storage_bucket.kms_key_arn,
+      var.user_uploads_bucket.kms_key_arn
     ]
   }
 
@@ -91,7 +92,6 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
       "s3:List*",
     ]
     resources = [
-
       var.athena_storage_bucket.bucket_arn,
       "${var.athena_storage_bucket.bucket_arn}/${local.department_identifier}/*",
 
@@ -120,7 +120,10 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
       "${var.trusted_zone_bucket.bucket_arn}/unrestricted/*",
 
       var.spark_ui_output_storage_bucket.bucket_arn,
-      "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*"
+      "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*",
+
+      var.user_uploads_bucket.bucket_arn,
+      "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"
     ]
   }
 
@@ -158,6 +161,18 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {
       "${var.landing_zone_bucket.bucket_arn}/${local.department_identifier}/manual/*",
     ]
   }
+
+  statement {
+    sid    = "S3WriteToUserUploads"
+    effect = "Allow"
+    actions = [
+      "s3:Put*",
+      "s3:Delete*"
+    ]
+    resources = [
+      "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*",
+    ]
+  }
 }
 
 resource "aws_iam_policy" "read_only_s3_access" {
@@ -276,7 +291,8 @@ data "aws_iam_policy_document" "s3_department_access" {
       var.glue_scripts_bucket.kms_key_arn,
       var.spark_ui_output_storage_bucket.kms_key_arn,
       var.glue_temp_storage_bucket.kms_key_arn,
-      var.mwaa_key_arn
+      var.mwaa_key_arn,
+      var.user_uploads_bucket.kms_key_arn
     ]
   }
 
@@ -344,7 +360,10 @@ data "aws_iam_policy_document" "s3_department_access" {
       var.mwaa_etl_scripts_bucket_arn,
       "${var.mwaa_etl_scripts_bucket_arn}/${replace(local.department_identifier, "-", "_")}/*",
       "${var.mwaa_etl_scripts_bucket_arn}/unrestricted/*",
-      "${var.mwaa_etl_scripts_bucket_arn}/shared/*"
+      "${var.mwaa_etl_scripts_bucket_arn}/shared/*",
+
+      var.user_uploads_bucket.bucket_arn,
+      "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"
     ]
   }
 
@@ -401,6 +420,8 @@ data "aws_iam_policy_document" "s3_department_access" {
 
       "${var.trusted_zone_bucket.bucket_arn}/${local.department_identifier}/*",
       "${var.trusted_zone_bucket.bucket_arn}/quality-metrics/department=${local.department_identifier}/*",
+
+      "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"
     ]
   }
 

Original file line number	Diff line number	Diff line change
`@@ -85,3 +85,11 @@ resource "aws_glue_catalog_database" "arcus_archive" {`
`85`	`85`	`prevent_destroy = true`
`86`	`86`	`}`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+resource "aws_glue_catalog_database" "parking_user_uploads" {`
	`90`	`+ name = "parking_user_uploads_db"`
	`91`	`+`
	`92`	`+ lifecycle {`
	`93`	`+ prevent_destroy = true`
	`94`	`+ }`
	`95`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,8 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {`
`60`	`60`	`var.trusted_zone_bucket.kms_key_arn,`
`61`	`61`	`var.athena_storage_bucket.kms_key_arn,`
`62`	`62`	`var.glue_scripts_bucket.kms_key_arn,`
`63`		`- var.spark_ui_output_storage_bucket.kms_key_arn`
	`63`	`+ var.spark_ui_output_storage_bucket.kms_key_arn,`
	`64`	`+ var.user_uploads_bucket.kms_key_arn`
`64`	`65`	`]`
`65`	`66`	`}`
`66`	`67`
`@@ -91,7 +92,6 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {`
`91`	`92`	`"s3:List*",`
`92`	`93`	`]`
`93`	`94`	`resources = [`
`94`		`-`
`95`	`95`	`var.athena_storage_bucket.bucket_arn,`
`96`	`96`	`"${var.athena_storage_bucket.bucket_arn}/${local.department_identifier}/*",`
`97`	`97`
`@@ -120,7 +120,10 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {`
`120`	`120`	`"${var.trusted_zone_bucket.bucket_arn}/unrestricted/*",`
`121`	`121`
`122`	`122`	`var.spark_ui_output_storage_bucket.bucket_arn,`
`123`		`- "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*"`
	`123`	`+ "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*",`
	`124`	`+`
	`125`	`+ var.user_uploads_bucket.bucket_arn,`
	`126`	`+ "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"`
`124`	`127`	`]`
`125`	`128`	`}`
`126`	`129`
`@@ -158,6 +161,18 @@ data "aws_iam_policy_document" "read_only_s3_department_access" {`
`158`	`161`	`"${var.landing_zone_bucket.bucket_arn}/${local.department_identifier}/manual/*",`
`159`	`162`	`]`
`160`	`163`	`}`
	`164`	`+`
	`165`	`+ statement {`
	`166`	`+ sid = "S3WriteToUserUploads"`
	`167`	`+ effect = "Allow"`
	`168`	`+ actions = [`
	`169`	`+ "s3:Put*",`
	`170`	`+ "s3:Delete*"`
	`171`	`+ ]`
	`172`	`+ resources = [`
	`173`	`+ "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*",`
	`174`	`+ ]`
	`175`	`+ }`
`161`	`176`	`}`
`162`	`177`
`163`	`178`	`resource "aws_iam_policy" "read_only_s3_access" {`
`@@ -276,7 +291,8 @@ data "aws_iam_policy_document" "s3_department_access" {`
`276`	`291`	`var.glue_scripts_bucket.kms_key_arn,`
`277`	`292`	`var.spark_ui_output_storage_bucket.kms_key_arn,`
`278`	`293`	`var.glue_temp_storage_bucket.kms_key_arn,`
`279`		`- var.mwaa_key_arn`
	`294`	`+ var.mwaa_key_arn,`
	`295`	`+ var.user_uploads_bucket.kms_key_arn`
`280`	`296`	`]`
`281`	`297`	`}`
`282`	`298`
`@@ -344,7 +360,10 @@ data "aws_iam_policy_document" "s3_department_access" {`
`344`	`360`	`var.mwaa_etl_scripts_bucket_arn,`
`345`	`361`	`"${var.mwaa_etl_scripts_bucket_arn}/${replace(local.department_identifier, "-", "_")}/*",`
`346`	`362`	`"${var.mwaa_etl_scripts_bucket_arn}/unrestricted/*",`
`347`		`- "${var.mwaa_etl_scripts_bucket_arn}/shared/*"`
	`363`	`+ "${var.mwaa_etl_scripts_bucket_arn}/shared/*",`
	`364`	`+`
	`365`	`+ var.user_uploads_bucket.bucket_arn,`
	`366`	`+ "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"`
`348`	`367`	`]`
`349`	`368`	`}`
`350`	`369`
`@@ -401,6 +420,8 @@ data "aws_iam_policy_document" "s3_department_access" {`
`401`	`420`
`402`	`421`	`"${var.trusted_zone_bucket.bucket_arn}/${local.department_identifier}/*",`
`403`	`422`	`"${var.trusted_zone_bucket.bucket_arn}/quality-metrics/department=${local.department_identifier}/*",`
	`423`	`+`
	`424`	`+ "${var.user_uploads_bucket.bucket_arn}/${local.department_identifier}/*"`
`404`	`425`	`]`
`405`	`426`	`}`
`406`	`427`