Merge pull request #7750 from ministryofjustice/CC-2812/ssm-command-o…

…racle-script CC-2812: laa-oem: Added the S3 bucket, and the SSM document.
ministryofjustice · Sep 12, 2024 · 9b8283f · 9b8283f
2 parents 64ce08f + b501d73
commit 9b8283f
Show file tree

Hide file tree

Showing 12 changed files with 174 additions and 0 deletions.
diff --git a/terraform/environments/ccms-ebs-upgrade/iam.tf b/terraform/environments/ccms-ebs-upgrade/iam.tf
@@ -276,3 +276,36 @@ resource "aws_iam_role_policy_attachment" "ec2_operations_policy_att" {
   role       = aws_iam_role.role_stsassume_oracle_base.name
   policy_arn = aws_iam_policy.ec2_operations_policy.arn
 }
+
+# S3 shared bucket
+
+data "aws_iam_policy_document" "ccms_ebs_shared_s3" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:CopyObject",
+      "s3:DeleteObject",
+      "s3:DeleteObjects",
+      "s3:GetObject",
+      "s3:ListObjects",
+      "s3:ListObjectsV2",
+      "s3:ListBucket",
+      "s3:PutObject"
+    ]
+    resources = [
+      aws_s3_bucket.ccms_ebs_shared.arn,
+      "${aws_s3_bucket.ccms_ebs_shared.arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ccms_ebs_shared_s3" {
+  description = "Policy to allow operations in ${aws_s3_bucket.ccms_ebs_shared.id}"
+  name        = "ccms_ebs_shared_s3-${local.environment}"
+  policy      = data.aws_iam_policy_document.ccms_ebs_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
+  role       = aws_iam_role.role_stsassume_oracle_base.name
+  policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/s3.tf b/terraform/environments/ccms-ebs-upgrade/s3.tf
@@ -276,3 +276,7 @@ data "aws_iam_policy_document" "dbbackup_s3_policy" {
     resources = ["${module.s3-bucket-dbbackup.bucket.arn}/*"]
   }
 }
+
+resource "aws_s3_bucket" "ccms_ebs_shared" {
+  bucket = "${local.application_name}-${local.environment}-shared"
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ssm.tf b/terraform/environments/ccms-ebs-upgrade/ssm.tf
@@ -0,0 +1,7 @@
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+  name            = "Oracle-lms-cpuq"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("ssm_oracle_lms_cpuq.yaml")
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml b/terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml
@@ -0,0 +1,15 @@
+# ssm_oracle_lms_cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+  - name: OracleLMScpuq
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - platformType
+        - Linux
+    inputs:
+      runCommand:
+        - "bash /mnt/s3-shared/lms_cpuq.sh"
diff --git a/terraform/environments/ccms-ebs/ccms-iam.tf b/terraform/environments/ccms-ebs/ccms-iam.tf
@@ -311,3 +311,35 @@ data "aws_iam_policy_document" "email" {
     resources = ["*"]
   }
 }
+
+# S3 shared bucket
+data "aws_iam_policy_document" "ccms_ebs_shared_s3" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:CopyObject",
+      "s3:DeleteObject",
+      "s3:DeleteObjects",
+      "s3:GetObject",
+      "s3:ListObjects",
+      "s3:ListObjectsV2",
+      "s3:ListBucket",
+      "s3:PutObject"
+    ]
+    resources = [
+      aws_s3_bucket.ccms_ebs_shared.arn,
+      "${aws_s3_bucket.ccms_ebs_shared.arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ccms_ebs_shared_s3" {
+  description = "Policy to allow operations in ${aws_s3_bucket.ccms_ebs_shared.id}"
+  name        = "ccms_ebs_shared_s3-${local.environment}"
+  policy      = data.aws_iam_policy_document.ccms_ebs_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
+  role       = aws_iam_role.role_stsassume_oracle_base.name
+  policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
+}
diff --git a/terraform/environments/ccms-ebs/ccms-s3.tf b/terraform/environments/ccms-ebs/ccms-s3.tf
@@ -281,4 +281,8 @@ data "aws_iam_policy_document" "dbbackup_s3_policy" {
     ]
     resources = ["${module.s3-bucket-dbbackup.bucket.arn}/*"]
   }
+}
+
+resource "aws_s3_bucket" "ccms_ebs_shared" {
+  bucket = "${local.application_name}-${local.environment}-shared"
 }
diff --git a/terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml b/terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml
@@ -0,0 +1,15 @@
+# ccms-ssm-document-oracle-lms-cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+  - name: OracleLMScpuq
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - platformType
+        - Linux
+    inputs:
+      runCommand:
+        - "bash /mnt/s3-shared/lms_cpuq.sh"
diff --git a/terraform/environments/ccms-ebs/ccms-ssm-documents.tf b/terraform/environments/ccms-ebs/ccms-ssm-documents.tf
@@ -4,4 +4,12 @@ resource "aws_ssm_document" "service_actions" {
   document_format = "YAML"
 
   content = file("ccms-ssm-document-service-actions.yaml")
+}
+
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+  name            = "Oracle-lms-cpuq"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("ccms-ssm-document-oracle-lms-cpuq.yaml")
 }
diff --git a/terraform/environments/laa-oem/oem_iam.tf b/terraform/environments/laa-oem/oem_iam.tf
@@ -99,3 +99,34 @@ resource "aws_iam_instance_profile" "iam_instace_profile_oem_base" {
     { Name = lower(format("IamProfile-%s-%s-OEM-Base", local.application_name, local.environment)) }
   )
 }
+
+data "aws_iam_policy_document" "laa_oem_shared_s3" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:CopyObject",
+      "s3:DeleteObject",
+      "s3:DeleteObjects",
+      "s3:GetObject",
+      "s3:ListObjects",
+      "s3:ListObjectsV2",
+      "s3:ListBucket",
+      "s3:PutObject"
+    ]
+    resources = [
+      aws_s3_bucket.laa_oem_shared.arn,
+      "${aws_s3_bucket.laa_oem_shared.arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "laa_oem_shared_s3" {
+  description = "Policy to allow operations in ${aws_s3_bucket.laa_oem_shared.id}"
+  name        = "laa_oem_shared_s3-${local.environment}"
+  policy      = data.aws_iam_policy_document.laa_oem_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "laa_oem_shared_s3" {
+  role       = aws_iam_role.role_stsassume_oem_base.name
+  policy_arn = aws_iam_policy.laa_oem_shared_s3.arn
+}
diff --git a/terraform/environments/laa-oem/oem_s3.tf b/terraform/environments/laa-oem/oem_s3.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "laa_oem_shared" {
+  bucket = "${local.application_name}-${local.environment}-shared"
+}
diff --git a/terraform/environments/laa-oem/oem_ssm.tf b/terraform/environments/laa-oem/oem_ssm.tf
@@ -0,0 +1,7 @@
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+  name            = "Oracle-lms-cpuq"
+  document_type   = "Command"
+  document_format = "YAML"
+
+  content = file("oem_ssm_oracle_lms_cpuq.yaml")
+}
diff --git a/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml b/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
@@ -0,0 +1,15 @@
+# oem_ssm_oracle_lms_cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+  - name: OracleLMScpuq
+    action: aws:runShellScript
+    isEnd: true
+    precondition:
+      StringEquals:
+        - platformType
+        - Linux
+    inputs:
+      runCommand:
+        - "bash /mnt/s3-shared/lms_cpuq.sh"