
feat: add dynamic s3Locations statements to allow oidc roles access…
… to specified s3 paths

Required for `analytics-platform-helm-charts` role to deposit artefacts
tom-webber committed Jan 16, 2025
1 parent 688ca19 commit e641978
Showing 2 changed files with 38 additions and 0 deletions.
Expand Up @@ -197,6 +197,12 @@
"analytics-platform-helm-charts": {
"account": "analytical-platform-data-production",
"stateConfig": [],
"s3Locations": [
{
"bucket": "moj-analytics-helm-repo",
"keys": [""]
}
],
"repositories": ["ministryofjustice/analytics-platform-helm-charts"],
"targets": ["analytical-platform-data-production"],
"stateLockingDetails": [],
32 changes: 32 additions & 0 deletions terraform/aws/analytical-platform/oidc/oidc-roles.tf
Expand Up @@ -46,6 +46,38 @@ data "aws_iam_policy_document" "github_oidc_role" {
resources = ["arn:aws:s3:::${statement.value.stateBucket}${statement.value.stateBucketKey}*"]
}
}
dynamic "statement" {
for_each = each.value.s3Locations

content {
sid = "AllowS3LocationRead"
effect = "Allow"
actions = [
"s3:Get*",
"s3:List*"
]
resources = [
"arn:aws:s3:::${statement.value.bucket}"
]
}
}
dynamic "statement" {
for_each = each.value.s3Locations

content {
#checkov:skip=CKV_AWS_111: skip requires access to multiple resources
sid = "AllowS3LocationWrite"
effect = "Allow"
actions = [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
]
resources = [
for key in statement.value.keys : "arn:aws:s3:::${statement.value.bucket}/${key}*"
]
}
}
dynamic "statement" {
for_each = each.value.stateLockingDetails

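Review bot: The `AllowS3LocationWrite` statement grants `s3:PutObject`, `s3:PutObjectAcl` and `s3:DeleteObject` on `${bucket}/${key}*`, so the `"keys": [""]` entry this commit adds for `moj-analytics-helm-repo` resolves to `arn:aws:s3:::moj-analytics-helm-repo/*` — write and delete on every object in the bucket — and the bare `*` suffix also lets a key such as `charts` match `charts-old/...`; if whole-bucket write is intended for this role, record that in a comment on the statement, otherwise require keys to be `/`-terminated prefixes and drop `s3:PutObjectAcl` unless the role genuinely needs to change object ACLs. The `AllowS3LocationRead` statement is mismatched with its name: `s3:Get*`/`s3:List*` on the bucket ARN alone grants bucket-configuration reads (policy, ACL, encryption settings) but never `s3:GetObject`, so it should be narrowed to `s3:ListBucket` on the bucket plus `s3:GetObject` on the configured key prefixes, as below. Both dynamic blocks hard-code their `sid`, so any role with more than one `s3Locations` entry emits duplicate Sids, which IAM requires to be unique within a policy; `sid = "AllowS3LocationRead${statement.key}"` (and likewise for the write sid) avoids that. `for_each = each.value.s3Locations` will also fail to plan for any role entry in the JSON that has no `s3Locations` key — the other entries are not visible here, but `stateConfig`/`stateLockingDetails` appear to be present even when empty, so either every entry needs the key or `for_each = try(each.value.s3Locations, [])` is the safer form. The enclosing `github_oidc_role` policy document starts and ends outside the hunk.
```hcl
  dynamic "statement" {
    for_each = each.value.s3Locations

    content {
      sid    = "AllowS3LocationRead${statement.key}"
      effect = "Allow"
      # ListBucket is a bucket-level action; object reads need the object ARN
      actions = [
        "s3:ListBucket",
        "s3:GetObject"
      ]
      resources = concat(
        ["arn:aws:s3:::${statement.value.bucket}"],
        [for key in statement.value.keys : "arn:aws:s3:::${statement.value.bucket}/${key}*"]
      )
    }
  }
  # … unchanged: AllowS3LocationWrite statement (sid suffixed with statement.key the same way) …
```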
