Configuring IAM role for frile transfer S3 Bucket

For use with RSD Admin Bastion instance profile
ministryofjustice · Nov 15, 2023 · a53825c · a53825c
1 parent 60139a1
commit a53825c
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 16 deletions.
diff --git a/locals.tf b/locals.tf
@@ -14,4 +14,8 @@ locals {
   development_kinesis_destination_arn    = nonsensitive(data.aws_secretsmanager_secret_version.development_kinesis_destination_arn.secret_string)
 
   production_account_id = nonsensitive(data.aws_secretsmanager_secret_version.production_account_id.secret_string)
+
+  development_account_id    = substr(local.dev_assume_role_arn, 13, 12)
+  pre-production_account_id = substr(local.pre_production_assume_role_arn, 13, 12)
+#  production_account_id     = substr(local.production_assume_role_arn, 13, 12)
 }
diff --git a/modules/s3-assume-role/main.tf b/modules/s3-assume-role/main.tf
@@ -8,8 +8,12 @@ resource "aws_iam_role" "this" {
     {
       "Effect": "Allow",
       "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
+        "AWS": [
+            "arn:aws:iam::068084030754:root",
+            "arn:aws:iam::473630360727:root",
+            "arn:aws:iam::037161842252:root"
+          ]
+        },
       "Action": "sts:AssumeRole"
     }
   ]
@@ -27,18 +31,13 @@ resource "aws_iam_role_policy" "this" {
 }
 
 data "aws_iam_policy_document" "this" {
-  statement {
-    actions   = ["sts:AssumeRole"]
-    resources = [var.account_role_arns]
-  }
-
   statement {
     actions = [
       "s3:*"
     ]
     resources = [
-      "var.s3_bucket_arn/*",
-      "var.s3_bucket_arn"
+      "${var.s3_bucket_arn}/*",
+      "${var.s3_bucket_arn}"
     ]
   }
 }

diff --git a/modules/s3-assume-role/variables.tf b/modules/s3-assume-role/variables.tf
@@ -2,9 +2,9 @@ variable "prefix_name" {
   type = string
 }
 
-variable "account_role_arns" {
-  type = list(string)
-}
+#variable "account_ids" {
+#  type = list(string)
+#}
 
 variable "s3_bucket_arn" {
   type = string

diff --git a/mojo_file_transfer.tf b/mojo_file_transfer.tf
@@ -69,10 +69,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "mojo_file_transfe
 module "s3-mojo_file_transfer_assume_role" {
   source = "./modules/s3-assume-role"
 
-  prefix_name      = "s3-mojo-file-transfer"
-  account_role_arns = [local.dev_assume_role_arn, local.pre_production_assume_role_arn, local.production_assume_role_arn]
-  s3_bucket_arn   = [aws_s3_bucket.mojo_file_transfer.arn]
+  prefix_name       = "s3-mojo-file-transfer"
+#  account_ids = [ local.development_account_id, local.production_account_id, local.production_account_id ]
+  s3_bucket_arn     = aws_s3_bucket.mojo_file_transfer.arn
   tags = merge(module.label_staff.tags, {
     Name = "mojo-file-transfer"
   })
-}
+}