VED-Add-Lambda-s3 Policy (#894)

* add kms encryption for s3

* VED-863: Attach Policy for kms and s3 to ecs task policy

Author: Akol125

terraform/ecs_batch_processor_config.tf

@@ -157,7 +157,14 @@ resource "aws_iam_policy" "ecs_task_exec_policy" {
           "firehose:PutRecordBatch"
         ],
         "Resource" : "arn:aws:firehose:*:*:deliverystream/${module.splunk.firehose_stream_name}"
-      }
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:PutObject",
+        ],
+        Resource = "${aws_s3_bucket.data_quality_reports_bucket.arn}/*"
+      },
     ]
   })
 }

terraform/endpoints.tf

@@ -4,6 +4,7 @@ locals {
   policy_path = "${path.root}/policies"
 }
 
+# Select the Policy folder
 data "aws_iam_policy_document" "logs_policy_document" {
   source_policy_documents = [templatefile("${local.policy_path}/log.json", {})]
 }
@@ -57,6 +58,20 @@ data "aws_iam_policy_document" "imms_policy_document" {
   ]
 }
 
+data "aws_iam_policy_document" "imms_data_quality_s3_doc" {
+  source_policy_documents = [
+    templatefile("${local.policy_path}/s3_data_quality_access.json", {
+      s3_bucket_arn = aws_s3_bucket.data_quality_reports_bucket.arn
+      kms_key_arn   = data.aws_kms_key.existing_s3_encryption_key.arn
+    })
+  ]
+}
+
+resource "aws_iam_policy" "imms_s3_kms_policy" {
+  name   = "${local.short_prefix}-s3-kms-policy"
+  policy = data.aws_iam_policy_document.imms_data_quality_s3_doc.json
+}
+
 module "imms_event_endpoint_lambdas" {
   source = "./modules/lambda"
   count  = length(local.imms_endpoints)
@@ -71,6 +86,19 @@ module "imms_event_endpoint_lambdas" {
   vpc_security_group_ids = [data.aws_security_group.existing_securitygroup.id]
 }
 
+
+# Attach data quality report S3 bucket and KMS policy only to "create_imms" and "update_imms" endpoints
+resource "aws_iam_role_policy_attachment" "attach_data_quality_s3_to_specific_lambdas" {
+  for_each = {
+    for i, mod in module.imms_event_endpoint_lambdas :
+    local.imms_endpoints[i] => mod
+    if local.imms_endpoints[i] == "create_imms" || local.imms_endpoints[i] == "update_imms"
+  }
+
+  role       = each.value.lambda_role_name
+  policy_arn = aws_iam_policy.imms_s3_kms_policy.arn
+}
+
 locals {
   # Mapping outputs with each called lambda
   imms_lambdas = {

terraform/modules/lambda/outputs.tf

@@ -7,3 +7,6 @@ output "lambda_arn" {
 output "invoke_arn" {
   value = module.lambda_function_container_image.lambda_function_invoke_arn
 }
+output "lambda_role_name" {
+  value = aws_iam_role.lambda_role.name
+}

terraform/policies/s3_data_quality_access.json

@@ -0,0 +1,23 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "S3Access",
+      "Effect": "Allow",
+      "Action": ["s3:PutObject"],
+      "Resource": ["${s3_bucket_arn}/*"]
+    },
+    {
+      "Sid": "KMSAccessForS3Encryption",
+      "Effect": "Allow",
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "${kms_key_arn}"
+    }
+  ]
+}

terraform/s3_dq_reports.tf

@@ -85,4 +85,15 @@ resource "aws_s3_bucket_policy" "data_quality_bucket_policy" {
       },
     ]
   })
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_data_quality_encryption" {
+  bucket = aws_s3_bucket.data_quality_reports_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = data.aws_kms_key.existing_s3_encryption_key.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
 }