immunisation-fhir-api/terraform/s3_dq_reports.tf at dd696df291b349665d15fa5bd4a4db1fecc0499e · NHSDigital/immunisation-fhir-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Create s3 Bucket with conditional destroy for pr environments
resource "aws_s3_bucket" "data_quality_reports_bucket" {
    bucket      = "${local.short_prefix}-data-quality-reports"
    force_destroy = local.is_temp

}

# Block public access to the bucket
resource "aws_s3_bucket_public_access_block" "data_quality_reports_bucket_public_access_block" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_lifecycle_configuration" "data_quality_reports" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.id

  rule {
    id     = "GenericValidationReports"
    status = "Enabled"

    filter {
    }

    expiration {
      days = 14
    }
  }
}


# Add versioning to prevent against accidental deletes
resource "aws_s3_bucket_versioning" "dq_source_versioning" {
  bucket = aws_s3_bucket.data_quality_reports_bucket.bucket
  versioning_configuration {
    status = "Enabled"
  }
}


# If used should attached to lambda or any aws service that needs to perform any operation
resource "aws_iam_policy" "s3_dq_access" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = [
          aws_s3_bucket.data_quality_reports_bucket.arn,
          "${aws_s3_bucket.data_quality_reports_bucket.arn}/*"
        ]
      }
    ]
  })
}