[Issue #3160] Give analytic access to the transfer bucket (#3384)

## Summary Relates to #3160 ### Time to review: __2 mins__ ## Changes proposed - Writes the iterative s3 bucket ids and arns to ssm params - Reads the api's variants of those ssm params into the analytics application - Gives the analytics application access to the api's s3 buckets ## ⚠️ Deploy Warning ⚠️ This creates a dependency between the API infra and Analytics infra. Because of this, there will be a race condition between the two deployments. If a deploy is broken, then the fix is just to deploy again.
HHS · Jan 3, 2025 · 1afd3d4 · 1afd3d4
1 parent 5880f47
commit 1afd3d4
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/infra/analytics/service/transfer_access.tf b/infra/analytics/service/transfer_access.tf
@@ -0,0 +1,28 @@
+data "aws_ssm_parameter" "transfer_bucket_arn" {
+  name = "/buckets/api-${var.environment_name}/api-analytics-transfer/arn"
+}
+
+data "aws_ssm_parameter" "transfer_bucket_id" {
+  name = "/buckets/api-${var.environment_name}/api-analytics-transfer/id"
+}
+
+data "aws_iam_policy_document" "transfer_bucket_access" {
+  statement {
+    effect = "Allow"
+    resources = [
+      data.aws_ssm_parameter.transfer_bucket_arn.value,
+      "${data.aws_ssm_parameter.transfer_bucket_arn.value}/*",
+    ]
+    actions = ["s3:Get*", "s3:List*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.service.app_service_arn]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "transfer_bucket_access" {
+  bucket = data.aws_ssm_parameter.transfer_bucket_id.value
+  policy = data.aws_iam_policy_document.transfer_bucket_access.json
+}
diff --git a/infra/modules/service/outputs.tf b/infra/modules/service/outputs.tf
@@ -38,6 +38,10 @@ output "task_definition_arn" {
   value = aws_ecs_task_definition.app.arn
 }
 
+output "app_service_arn" {
+  value = aws_iam_role.app_service.arn
+}
+
 output "task_role_arn" {
   value = aws_iam_role.task_executor.arn
 }

diff --git a/infra/modules/service/s3_buckets.tf b/infra/modules/service/s3_buckets.tf
@@ -99,3 +99,21 @@ resource "aws_s3_bucket_policy" "s3_buckets" {
   bucket   = aws_s3_bucket.s3_buckets[each.key].id
   policy   = data.aws_iam_policy_document.s3_buckets_put_access[each.key].json
 }
+
+resource "aws_ssm_parameter" "s3_bucket_arns" {
+  for_each = var.s3_buckets
+
+  name  = "/buckets/${var.service_name}/${each.key}/arn"
+  type  = "SecureString"
+  value = aws_s3_bucket.s3_buckets[each.key].arn
+  # checkov:skip=CKV_AWS_337: KMS encryption is overkill here
+}
+
+resource "aws_ssm_parameter" "s3_bucket_ids" {
+  for_each = var.s3_buckets
+
+  name  = "/buckets/${var.service_name}/${each.key}/id"
+  type  = "SecureString"
+  value = aws_s3_bucket.s3_buckets[each.key].id
+  # checkov:skip=CKV_AWS_337: KMS encryption is overkill here
+}