Chore: [AEA-0000] - fix sync role permissions so it does not clash with other pull requests (#448)

## Summary

- Routine Change

### Details

- give sync role permissions directly on bucket and kms key
- stagger dependabot updates

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-  "name": "Ubuntu",
+  "name": "eps-assist-me",
   "build": {
     "dockerfile": "Dockerfile",
     "context": "..",

.github/dependabot.yml

@@ -25,7 +25,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "friday"
-      time: "18:00"
+      time: "20:00"
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:
@@ -39,7 +39,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "friday"
-      time: "18:00"
+      time: "22:00"
     open-pull-requests-limit: 20
     versioning-strategy: increase
     commit-message:

packages/cdk/constructs/S3Bucket.ts

@@ -14,6 +14,7 @@ import {
   AccountRootPrincipal,
   Effect,
   IPrincipal,
+  IRole,
   PolicyDocument,
   PolicyStatement
 } from "aws-cdk-lib/aws-iam"
@@ -23,6 +24,7 @@ export interface S3BucketProps {
   readonly versioned: boolean
   readonly deploymentRole: IPrincipal
   readonly auditLoggingBucket: IBucket
+  readonly documentSyncRole: IRole
 }
 
 export class S3Bucket extends Construct {
@@ -76,6 +78,19 @@ export class S3Bucket extends Construct {
       ]
     })
 
+    const syncPolicy = new PolicyStatement({
+      effect: Effect.ALLOW,
+      principals: [props.documentSyncRole!],
+      actions: [
+        "s3:GetBucket*",
+        "s3:GetObject*",
+        "s3:List*"
+      ],
+      resources: [
+        bucket.bucketArn,
+        bucket.arnForObjects("*")
+      ]
+    })
     const accountRootPrincipal = new AccountRootPrincipal()
     const kmsPolicy = new PolicyDocument({
       statements: [
@@ -93,11 +108,20 @@ export class S3Bucket extends Construct {
             "kms:GenerateDataKey"
           ],
           resources:["*"]
+        }),
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          principals: [props.documentSyncRole!],
+          actions: [
+            "kms:Decrypt"
+          ],
+          resources:["*"]
         })
       ]
     })
 
     bucket.addToResourcePolicy(deploymentPolicy)
+    bucket.addToResourcePolicy(syncPolicy)
 
     const contentBucketKmsKey = (kmsKey.node.defaultChild as CfnKey)
     contentBucketKmsKey.keyPolicy = kmsPolicy.toJSON()

packages/cdk/resources/Storage.ts

@@ -1,13 +1,14 @@
 import {Construct} from "constructs"
 import {S3Bucket} from "../constructs/S3Bucket"
-import {IPrincipal} from "aws-cdk-lib/aws-iam"
+import {IPrincipal, IRole} from "aws-cdk-lib/aws-iam"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {Bucket, IBucket} from "aws-cdk-lib/aws-s3"
 
 export interface StorageProps {
   readonly stackName: string,
   readonly deploymentRole: IPrincipal
   readonly auditLoggingBucket: IBucket
+  readonly assistMeDocumentSyncRole: IRole
 }
 
 export class Storage extends Construct {
@@ -22,7 +23,8 @@ export class Storage extends Construct {
       bucketName: `${props.stackName}-Docs`,
       versioned: true,
       deploymentRole: props.deploymentRole,
-      auditLoggingBucket: props.auditLoggingBucket
+      auditLoggingBucket: props.auditLoggingBucket,
+      documentSyncRole: props.assistMeDocumentSyncRole
     })
     this.kbDocsBucket = kbDocsBucket.bucket
     this.kbDocsKmsKey = kbDocsBucket.kmsKey

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -65,6 +65,11 @@ export class EpsAssistMeStack extends Stack {
     const deploymentRole = Role.fromRoleArn(this, "deploymentRole", deploymentRoleImport)
     const auditLoggingBucket = Bucket.fromBucketArn(
       this, "AuditLoggingBucket", auditLoggingBucketImport)
+    const assistMeDocumentSyncRole = Role.fromRoleArn(
+      this,
+      "AssistMeDocumentSyncRole",
+      assistMeDocumentSyncRoleArn
+    )
 
     if (!slackBotToken || !slackSigningSecret) {
       throw new Error("Missing required context variables. Please provide slackBotToken and slackSigningSecret")
@@ -95,7 +100,8 @@ export class EpsAssistMeStack extends Stack {
     const storage = new Storage(this, "Storage", {
       stackName: props.stackName,
       deploymentRole: deploymentRole,
-      auditLoggingBucket: auditLoggingBucket
+      auditLoggingBucket: auditLoggingBucket,
+      assistMeDocumentSyncRole: assistMeDocumentSyncRole
     })
 
     // initialize s3 folders for raw and processed documents
@@ -257,16 +263,6 @@ export class EpsAssistMeStack extends Stack {
       regressionTestRole.addManagedPolicy(regressionTestPolicy)
     }
 
-    // Grant Access to Document Sync Role
-    const assistMeDocumentSyncRole = Role.fromRoleArn(
-      this,
-      "AssistMeDocumentSyncRole",
-      assistMeDocumentSyncRoleArn
-    )
-
-    storage.kbDocsBucket.grantRead(assistMeDocumentSyncRole)
-    storage.kbDocsKmsKey.grantDecrypt(assistMeDocumentSyncRole)
-
     // Output: SlackBot Endpoint
     new CfnOutput(this, "SlackBotEventsEndpoint", {
       value: `https://${apis.apis["api"].api.domainName?.domainName}/slack/events`,