update policy statements, split out namespaces

ministryofjustice · Jun 4, 2024 · f215440 · f215440
1 parent e6e1474
commit f215440
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 64 deletions.
diff --git a/terraform/aws/analytical-platform-data-production/airflow/eks.tf b/terraform/aws/analytical-platform-data-production/airflow/eks.tf
@@ -145,19 +145,6 @@ resource "aws_eks_node_group" "new_dev_node_group_high_memory" {
   }
 }
 
-resource "kubernetes_namespace" "dev_kube2iam" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "terraform"
-    }
-    name = "kube2iam-system"
-  }
-  timeouts {}
-}
 
 resource "kubernetes_config_map" "dev_aws_auth_configmap" {
   provider = kubernetes.dev-airflow-cluster
@@ -175,51 +162,6 @@ resource "kubernetes_config_map" "dev_aws_auth_configmap" {
 
 }
 
-resource "kubernetes_namespace" "dev_airflow" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-
-    name = "airflow"
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-resource "kubernetes_namespace" "kyverno_dev" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    name = "kyverno"
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-resource "kubernetes_namespace" "cluster_autoscaler_system" {
-  provider = kubernetes.dev-airflow-cluster
-  metadata {
-    name = "cluster-autoscaler-system"
-    annotations = {
-      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
-    }
-    labels = {
-      "app.kubernetes.io/managed-by" = "Terraform"
-    }
-  }
-  timeouts {}
-}
-
-moved {
-  from = kubernetes_namespace.cluster-autoscaler-system
-  to   = kubernetes_namespace.cluster_autoscaler_system
-}
-
 ######################################
 ########### EKS PRODUCTION ###########
 ######################################

diff --git a/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf b/terraform/aws/analytical-platform-data-production/airflow/iam-policies.tf
@@ -264,15 +264,33 @@ data "aws_iam_policy_document" "airflow_dev_eks_assume_role_policy" {
 ##### Airflow Dev IRSA
 data "aws_iam_policy_document" "airflow_dev_monitoring_inline_role_policy" {
   statement {
-    sid    = ""
-    effect = "Allow"
-    resources = [
-      "arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*",
-      "arn:aws:s3:::airflow-monitoring/"
+    sid = "readwrite"
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:GetObjectVersion",
+      "s3:GetObjectTagging",
+      "s3:DeleteObject",
+      "s3:DeleteObjectVersion",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:PutObjectTagging",
+      "s3:RestoreObject"
     ]
-    actions = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::airflow-monitoring/airflow-scheduling-testing/*"]
   }
 
+  statement {
+    sid = "list"
+    actions = [
+      "s3:ListBucket",
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation"
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::airflow-monitoring/"]
+  }
 }
 
 module "airflow_dev_monitoring_iam_policy" {

diff --git a/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf b/terraform/aws/analytical-platform-data-production/airflow/kubernetes-namespaces.tf
@@ -0,0 +1,58 @@
+resource "kubernetes_namespace" "dev_kube2iam" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["*"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform"
+    }
+    name = "kube2iam-system"
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "dev_airflow" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+
+    name = "airflow"
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow_dev*"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "kyverno_dev" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    name = "kyverno"
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+resource "kubernetes_namespace" "cluster_autoscaler_system" {
+  provider = kubernetes.dev-airflow-cluster
+  metadata {
+    name = "cluster-autoscaler-system"
+    annotations = {
+      "iam.amazonaws.com/allowed-roles" = jsonencode(["airflow-dev-cluster-autoscaler-role"])
+    }
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+  timeouts {}
+}
+
+moved {
+  from = kubernetes_namespace.cluster-autoscaler-system
+  to   = kubernetes_namespace.cluster_autoscaler_system
+}