immunisation-fhir-api/terraform/s3_dq_reports.tf at b84a5775c739ac3d3b2e8488bb70d8cc2aa4ee46 · NHSDigital/immunisation-fhir-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Create s3 Bucket with conditional destroy for pr environments
resource "aws_s3_bucket" "data_quality_reports_bucket" {
    bucket      = "imms-${local.resource_scope}-data-quality-reports"
    force_destroy = local.is_temp

}

# Block public access to the bucket
resource "aws_s3_bucket_public_access_block" "data_quality_reports_bucket_public_access_block" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_lifecycle_configuration" "data_quality_reports" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.id

  rule {
    id     = "GenericValidationReports"
    status = "Enabled"

    filter {
    }

    expiration {
      days = 14
    }
  }
}


# Add versioning to prevent against accidental deletes
resource "aws_s3_bucket_versioning" "dq_source_versioning" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.bucket
  versioning_configuration {
    status = "Enabled"
  }
}


# If used should attach to lambda or any aws service that needs to perform any operation
resource "aws_iam_policy" "s3_dq_access" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:PutObject"]
        Resource = [
          aws_s3_bucket.data_quality_reports_bucket.arn,
          "${aws_s3_bucket.data_quality_reports_bucket.arn}/*"
        ]
      }
    ]
  })
}


resource "aws_s3_bucket_policy" "data_quality_bucket_policy" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "data_quality_bucket_policy"
    Statement = [
      {
        Sid    = "HTTPSOnly"
        Effect = "Deny"
        Principal = {
          AWS = "*"
        }
        Action = "s3:*"
        Resource = [
         aws_s3_bucket.data_quality_reports_bucket.arn,
         "${aws_s3_bucket.data_quality_reports_bucket.arn}/*"
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
}