NRL-1385 sort iam policies to allow ec2 access to Athena

jackleary · jackleary · commit 779b838186f9 · 2025-05-15T22:48:18.000+01:00
diff --git a/terraform/account-wide-infrastructure/dev/ec2.tf b/terraform/account-wide-infrastructure/dev/ec2.tf
@@ -8,10 +8,15 @@ module "vpc" {
 }
 
 
-module "web" {
-  source        = "../modules/ec2"
-  instance_type = var.instance_type
-  name_prefix   = "nhsd-nrlf--dev"
+module "ec2" {
+  source             = "../modules/ec2"
+  instance_type      = var.instance_type
+  name_prefix        = "nhsd-nrlf--dev"
+  target_bucket_arn  = module.dev-glue.target_bucket_arn
+  glue_kms_key_arn   = module.dev-glue.aws_kms_key_arn
+  athena_kms_key_arn = module.dev-athena.kms_key_arn
+  athena_bucket_arn  = module.dev-athena.bucket_arn
+
 
   subnet_id       = module.vpc.subnet_id
   security_groups = module.vpc.security_group
diff --git a/terraform/account-wide-infrastructure/modules/athena/outputs.tf b/terraform/account-wide-infrastructure/modules/athena/outputs.tf
@@ -5,3 +5,11 @@ output "workgroup" {
 output "bucket" {
   value = aws_s3_bucket.athena
 }
+
+output "bucket_arn" {
+  value = aws_s3_bucket.athena.arn
+}
+
+output "kms_key_arn" {
+  value = aws_kms_key.athena.arn
+}
diff --git a/terraform/account-wide-infrastructure/modules/athena/s3.tf b/terraform/account-wide-infrastructure/modules/athena/s3.tf
@@ -26,6 +26,23 @@ resource "aws_s3_bucket_policy" "athena" {
           }
         }
       },
+      {
+        Sid : "AllowAthenaAccess",
+        Effect : "Allow",
+        Principal : {
+          Service : "athena.amazonaws.com"
+        },
+        Action : [
+          "s3:PutObject",
+          "s3:GetBucketLocation",
+          "s3:GetObject",
+          "s3:ListBucket"
+        ],
+        Resource : [
+          aws_s3_bucket.athena.arn,
+          "${aws_s3_bucket.athena.arn}/*",
+        ]
+      },
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/modules/ec2/data.tf b/terraform/account-wide-infrastructure/modules/ec2/data.tf
@@ -6,3 +6,12 @@ data "aws_ami" "windows-2019" {
     values = ["Windows_Server-2019-English-Full-Base*"]
   }
 }
+
+data "aws_ami" "PowerBI_Gateway" {
+  most_recent = true
+  owners      = ["self"]
+  filter {
+    name   = "name"
+    values = ["PowerBI_Gateway"]
+  }
+}
diff --git a/terraform/account-wide-infrastructure/modules/ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/ec2/ec2.tf
@@ -1,11 +1,11 @@
-# Create the Linux EC2 Web server
 resource "aws_instance" "web" {
-  #   associate_public_ip_address = false
-  ami             = data.aws_ami.windows-2019.id
-  instance_type   = var.instance_type
-  key_name        = aws_key_pair.ec2_key_pair.key_name
-  subnet_id       = var.subnet_id
-  security_groups = var.security_groups
+  #   associate_public_ip_address =
+  iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name
+  ami                  = data.aws_ami.PowerBI_Gateway.id
+  instance_type        = var.instance_type
+  key_name             = aws_key_pair.ec2_key_pair.key_name
+  subnet_id            = var.subnet_id
+  security_groups      = var.security_groups
 
   user_data = file("${path.module}/scripts/user_data.tpl")
 
@@ -27,6 +27,6 @@ resource "aws_key_pair" "ec2_key_pair" {
 
 # Saving Key Pair for ssh login for Client if needed
 resource "local_file" "ssh_key" {
-  filename = "${aws_key_pair.ec2_key_pair.key_name}.pem"
+  filename = "${path.module}/keys/${aws_key_pair.ec2_key_pair.key_name}.pem"
   content  = tls_private_key.instance_key_pair.private_key_pem
 }
diff --git a/terraform/account-wide-infrastructure/modules/ec2/iam.tf b/terraform/account-wide-infrastructure/modules/ec2/iam.tf
@@ -0,0 +1,105 @@
+resource "aws_iam_role" "ec2_service_role" {
+  name = "${var.name_prefix}-ec2_service_role"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "ec2.amazonaws.com"
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy_document" "ec2_service" {
+  statement {
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListMultipartUploadParts",
+      "s3:AbortMultipartUpload",
+      "s3:CreateBucket",
+      "s3:PutObject",
+      "s3:PutBucketPublicAccessBlock"
+    ]
+
+    resources = compact([
+      var.target_bucket_arn,
+      "${var.target_bucket_arn}/*",
+      var.athena_bucket_arn,
+      "${var.athena_bucket_arn}/*",
+    ])
+    effect = "Allow"
+  }
+
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+      "s3:ListAllMyBuckets"
+    ]
+
+    resources = compact([
+      "*"
+    ])
+    effect = "Allow"
+  }
+
+  statement {
+    actions = [
+      "kms:DescribeKey",
+      "kms:GenerateDataKey*",
+      "kms:Encrypt",
+      "kms:ReEncrypt*",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.glue_kms_key_arn,
+      var.athena_kms_key_arn,
+    ]
+
+    effect = "Allow"
+  }
+
+  statement {
+    actions = [
+      "athena:*",
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "glue:*",
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ec2_service" {
+  name   = "${var.name_prefix}-ec2"
+  policy = data.aws_iam_policy_document.ec2_service.json
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_service" {
+  role       = aws_iam_role.ec2_service_role.name
+  policy_arn = aws_iam_policy.ec2_service.arn
+}
+
+resource "aws_iam_instance_profile" "powerbi_profile" {
+  name = "powerbi_profile"
+  role = aws_iam_role.ec2_service_role.name
+}
diff --git a/terraform/account-wide-infrastructure/modules/ec2/vars.tf b/terraform/account-wide-infrastructure/modules/ec2/vars.tf
@@ -1,7 +1,8 @@
-variable "name_prefix" {
-  type        = string
-  description = "The prefix to apply to all resources in the module."
-}
+variable "name_prefix" {}
 variable "instance_type" {}
 variable "security_groups" {}
 variable "subnet_id" {}
+variable "glue_kms_key_arn" {}
+variable "athena_kms_key_arn" {}
+variable "target_bucket_arn" {}
+variable "athena_bucket_arn" {}
diff --git a/terraform/account-wide-infrastructure/modules/glue/outputs.tf b/terraform/account-wide-infrastructure/modules/glue/outputs.tf
@@ -3,11 +3,21 @@ output "target_bucket_name" {
   value       = aws_s3_bucket.target-data-bucket.id
 }
 
+output "target_bucket_arn" {
+  description = "Arn of destination bucket"
+  value       = aws_s3_bucket.target-data-bucket.arn
+}
+
 output "source_bucket_name" {
   description = "Name of source bucket"
   value       = aws_s3_bucket.source-data-bucket.id
 }
 
+output "aws_kms_key_arn" {
+  description = "Arn of kms key"
+  value       = aws_kms_key.glue.arn
+}
+
 output "glue_crawler_name" {
   value = "s3//${aws_s3_bucket.source-data-bucket.id}/"
 }

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,23 @@ resource "aws_s3_bucket_policy" "athena" {`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`	`},`
	`29`	`+ {`
	`30`	`+ Sid : "AllowAthenaAccess",`
	`31`	`+ Effect : "Allow",`
	`32`	`+ Principal : {`
	`33`	`+ Service : "athena.amazonaws.com"`
	`34`	`+ },`
	`35`	`+ Action : [`
	`36`	`+ "s3:PutObject",`
	`37`	`+ "s3:GetBucketLocation",`
	`38`	`+ "s3:GetObject",`
	`39`	`+ "s3:ListBucket"`
	`40`	`+ ],`
	`41`	`+ Resource : [`
	`42`	`+ aws_s3_bucket.athena.arn,`
	`43`	`+ "${aws_s3_bucket.athena.arn}/*",`
	`44`	`+ ]`
	`45`	`+ },`
`29`	`46`	`]`
`30`	`47`	`})`
`31`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,3 +6,12 @@ data "aws_ami" "windows-2019" {`
`6`	`6`	`values = ["Windows_Server-2019-English-Full-Base*"]`
`7`	`7`	`}`
`8`	`8`	`}`
	`9`	`+`
	`10`	`+data "aws_ami" "PowerBI_Gateway" {`
	`11`	`+ most_recent = true`
	`12`	`+ owners = ["self"]`
	`13`	`+ filter {`
	`14`	`+ name = "name"`
	`15`	`+ values = ["PowerBI_Gateway"]`
	`16`	`+ }`
	`17`	`+}`