From 350aa4557646c34eebf84a25a109e36067e389bf Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 11:33:37 +0100
Subject: [PATCH 1/8] CC-2812: laa-oem: Added the S3 bucket, and the SSM document.

---
 terraform/environments/laa-oem/oem_iam.tf | 26 +++++++++++++++++++
 terraform/environments/laa-oem/oem_s3.tf | 3 +++
 terraform/environments/laa-oem/oem_ssm.tf | 7 +++++
 .../laa-oem/oem_ssm_oracle_lms_cpuq.yaml | 15 +++++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 terraform/environments/laa-oem/oem_s3.tf
 create mode 100644 terraform/environments/laa-oem/oem_ssm.tf
 create mode 100644 terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml

diff --git a/terraform/environments/laa-oem/oem_iam.tf b/terraform/environments/laa-oem/oem_iam.tf
index e1572bff755..eeadba2e4c0 100644
--- a/terraform/environments/laa-oem/oem_iam.tf
+++ b/terraform/environments/laa-oem/oem_iam.tf
@@ -99,3 +99,29 @@ resource "aws_iam_instance_profile" "iam_instace_profile_oem_base" {
 { Name = lower(format("IamProfile-%s-%s-OEM-Base", local.application_name, local.environment)) }
 )
 }
+
+data "aws_iam_policy_document" "laa_oem_shared_s3" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ]
+ resources = [
+ aws_s3_bucket.laa_oem_shared.arn,
+ "${aws_s3_bucket.laa_oem_shared.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "laa_oem_shared_s3" {
+ description = "Policy to allow operations in ${aws_s3_bucket.laa_oem_shared.name}"
+ name = "laa_oem_shared_s3-${local.environment}"
+ policy = data.aws_iam_policy_document.laa_oem_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "laa_oem_shared_s3" {
+ role = aws_iam_role.role_stsassume_oem_base.name
+ policy_arn = aws_iam_policy.laa_oem_shared_s3.arn
+}
diff --git a/terraform/environments/laa-oem/oem_s3.tf b/terraform/environments/laa-oem/oem_s3.tf
new file mode 100644
index 00000000000..636794292c2
--- /dev/null
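Review bot: The new `laa_oem_shared_s3` policy grants `s3:PutObject` to `role_stsassume_oem_base`, which, given the `iam_instace_profile_oem_base` instance profile in the hunk context, looks like the EC2 instance role (worth confirming), while the SSM document added later in this series executes a script served from this same bucket; any instance holding the role can therefore rewrite the script that SSM runs on every other host. If the instances only need to fetch the script, drop `"s3:PutObject"` here and grant write access to whichever principal publishes `lms_cpuq.sh`. As a smaller point of style, `s3:ListBucket` only ever matches the bucket ARN and the object actions only match `"${aws_s3_bucket.laa_oem_shared.arn}/*"`, so two statements with one resource each would make the intended grant explicit. The same statement shape is repeated in patch 7 for `ccms_ebs_shared_s3` in ccms-ebs-upgrade/iam.tf and ccms-ebs/ccms-iam.tf.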
+++ b/terraform/environments/laa-oem/oem_s3.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "laa_oem_shared" {
+ bucket = "${local.application_name}-${local.environment}-shared"
+}
\ No newline at end of file
diff --git a/terraform/environments/laa-oem/oem_ssm.tf b/terraform/environments/laa-oem/oem_ssm.tf
new file mode 100644
index 00000000000..26dbf1e5ab1
--- /dev/null
+++ b/terraform/environments/laa-oem/oem_ssm.tf
@@ -0,0 +1,7 @@
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+ name = "ServiceActions"
+ document_type = "Command"
+ document_format = "YAML"
+
+ content = file("oem_ssm_oracle_lms_cpuq.yaml")
+}
\ No newline at end of file
diff --git a/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml b/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
new file mode 100644
index 00000000000..96d10645911
--- /dev/null
+++ b/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
@@ -0,0 +1,15 @@
+# oem_ssm_oracle_lms_cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+ - name: OracleLMScpuq
+ action: aws:runShellScript
+ isEnd: true
+ precondition:
+ StringEquals:
+ - platformType
+ - Linux
+ inputs:
+ runCommand:
+ - "/usr/local/bin/lms_cpuq.sh"
\ No newline at end of file

From 7d8e24ce9c59caa5ae5bafe71ed19a3c9d2535f1 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 11:39:12 +0100
Subject: [PATCH 2/8] CC-2812: Fixed a typo.

---
 terraform/environments/laa-oem/oem_iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/laa-oem/oem_iam.tf b/terraform/environments/laa-oem/oem_iam.tf
index eeadba2e4c0..f4ddc4cc6a8 100644
--- a/terraform/environments/laa-oem/oem_iam.tf
+++ b/terraform/environments/laa-oem/oem_iam.tf
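Review bot: `aws_s3_bucket.laa_oem_shared` is created with only a name: no `aws_s3_bucket_public_access_block`, no versioning, no server-side encryption configuration and no tags, although this bucket will hold a script that SSM executes on the Oracle hosts. Versioning in particular gives a way to see when `lms_cpuq.sh` was changed and to roll it back. The ccms-ebs environments touched in patch 7 keep their other buckets behind `module.s3-bucket-*` (visible in the s3.tf hunk context), which presumably applies these settings — consider that module, or add the resources below; the same applies to `ccms_ebs_shared` in ccms-ebs-upgrade/s3.tf and ccms-ebs/ccms-s3.tf.
```hcl
# … unchanged: resource "aws_s3_bucket" "laa_oem_shared" …

resource "aws_s3_bucket_public_access_block" "laa_oem_shared" {
  bucket                  = aws_s3_bucket.laa_oem_shared.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```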
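Review bot: `content = file("oem_ssm_oracle_lms_cpuq.yaml")` resolves the path against Terraform's working directory rather than the module directory, so the document only renders when `terraform` is run from `terraform/environments/laa-oem`; `content = file("${path.module}/oem_ssm_oracle_lms_cpuq.yaml")` works from anywhere. The existing `service_actions` document in ccms-ebs/ccms-ssm-documents.tf uses the same bare form, so this may be a deliberate repository convention; if it is not, the new documents in ccms-ebs-upgrade/ssm.tf and ccms-ebs/ccms-ssm-documents.tf have the same dependency on the working directory.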
@@ -116,7 +116,7 @@ data "aws_iam_policy_document" "laa_oem_shared_s3" {
 }
 
 resource "aws_iam_policy" "laa_oem_shared_s3" {
- description = "Policy to allow operations in ${aws_s3_bucket.laa_oem_shared.name}"
+ description = "Policy to allow operations in ${aws_s3_bucket.laa_oem_shared.id}"
 name = "laa_oem_shared_s3-${local.environment}"
 policy = data.aws_iam_policy_document.laa_oem_shared_s3.json
 }

From f4202180a262fa8b083e6f93f373a780f2700d76 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 12:30:54 +0100
Subject: [PATCH 3/8] CC-2812: Updated aws_iam_policy_document.laa_oem_shared_s3

---
 terraform/environments/laa-oem/oem_iam.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terraform/environments/laa-oem/oem_iam.tf b/terraform/environments/laa-oem/oem_iam.tf
index f4ddc4cc6a8..1531c48089b 100644
--- a/terraform/environments/laa-oem/oem_iam.tf
+++ b/terraform/environments/laa-oem/oem_iam.tf
@@ -104,7 +104,12 @@ data "aws_iam_policy_document" "laa_oem_shared_s3" {
 statement {
 effect = "Allow"
 actions = [
+ "s3:CopyObject",
+ "s3:DeleteObject",
+ "s3:DeleteObjects",
 "s3:GetObject",
+ "s3:ListObjects",
+ "s3:ListObjectsV2",
 "s3:ListBucket",
 "s3:PutObject"
 ]

From 78c3f45d46156b089b97694807816b8bf7f4ec01 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 13:08:16 +0100
Subject: [PATCH 4/8] CC-2812: Updated script location.

---
 terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml b/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
index 96d10645911..e92d589485c 100644
--- a/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
+++ b/terraform/environments/laa-oem/oem_ssm_oracle_lms_cpuq.yaml
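Review bot: Four of the five added actions — `s3:CopyObject`, `s3:DeleteObjects`, `s3:ListObjects` and `s3:ListObjectsV2` — are S3 API operation names rather than IAM actions; CopyObject is authorised by `s3:PutObject` on the destination (plus `s3:GetObject` on the source), DeleteObjects by `s3:DeleteObject`, and both List calls by `s3:ListBucket`, all of which the statement already holds. As far as I know IAM accepts such strings without error but they never match a request, so the only effective change in this hunk is the new `s3:DeleteObject` grant, which should be weighed against the bucket's role of hosting a script that SSM executes. Drop the four lines so the list reads `"s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"`. The same list is copied into `ccms_ebs_shared_s3` in ccms-ebs-upgrade/iam.tf and ccms-ebs/ccms-iam.tf in patch 7.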
@@ -12,4 +12,4 @@ mainSteps:
 - Linux
 inputs:
 runCommand:
- - "/usr/local/bin/lms_cpuq.sh"
\ No newline at end of file
+ - "bash /mnt/s3-shared/lms_cpuq.sh"
\ No newline at end of file

From ddc3347393066a1947b5b41ac9b79538e4522f2c Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 13:40:28 +0100
Subject: [PATCH 5/8] CC-2812: Fixed a typo.

---
 terraform/environments/laa-oem/oem_ssm.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/laa-oem/oem_ssm.tf b/terraform/environments/laa-oem/oem_ssm.tf
index 26dbf1e5ab1..51e74bf8e62 100644
--- a/terraform/environments/laa-oem/oem_ssm.tf
+++ b/terraform/environments/laa-oem/oem_ssm.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_document" "oracle_lms_cpuq" {
- name = "ServiceActions"
+ name = "Oracle-lms_cpuq"
 document_type = "Command"
 document_format = "YAML"
 

From 32fe26d4f6f27f55043e445848f455e7bbdc3a12 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 13:45:22 +0100
Subject: [PATCH 6/8] CC-2812: Fixed a typo.

---
 terraform/environments/laa-oem/oem_ssm.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/laa-oem/oem_ssm.tf b/terraform/environments/laa-oem/oem_ssm.tf
index 51e74bf8e62..9a7ee423b0e 100644
--- a/terraform/environments/laa-oem/oem_ssm.tf
+++ b/terraform/environments/laa-oem/oem_ssm.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_document" "oracle_lms_cpuq" {
- name = "Oracle-lms_cpuq"
+ name = "Oracle-lms-cpuq"
 document_type = "Command"
 document_format = "YAML"
 

From 6c7574c1b2f0b59359964f23413e5adda262d875 Mon Sep 17 00:00:00 2001
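Review bot: The new command `bash /mnt/s3-shared/lms_cpuq.sh` runs whatever file sits at that path at invocation time, with the privileges of the SSM agent (root on Linux unless a run-as user is configured), and nothing in this series provisions or mounts `/mnt/s3-shared` — presumably it is a filesystem mount of the shared bucket set up elsewhere, which is worth confirming in the PR description. Because the instance role is granted write access to that bucket in oem_iam.tf, consider mounting it read-only on the executing hosts or verifying the script against a known digest before running it, e.g. `sha256sum -c /mnt/s3-shared/lms_cpuq.sh.sha256 && bash /mnt/s3-shared/lms_cpuq.sh` (digest file path is illustrative). Invoking via `bash` also bypasses the file's execute bit and shebang, which is fine if intentional. The copies of this document in patch 7 (ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml and ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml) carry the same command.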
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 15:32:59 +0100
Subject: [PATCH 7/8] CC-2812: ccms-ebs, ccms-ebs-upgrade: Added the S3 bucket, and the SSM document.

---
 .../environments/ccms-ebs-upgrade/iam.tf | 33 +++++++++++++++++++
 terraform/environments/ccms-ebs-upgrade/s3.tf | 4 +++
 .../environments/ccms-ebs-upgrade/ssm.tf | 7 ++++
 .../ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml | 15 +++++++++
 terraform/environments/ccms-ebs/ccms-iam.tf | 32 ++++++++++++++++++
 terraform/environments/ccms-ebs/ccms-s3.tf | 4 +++
 .../ccms-ssm-document-oracle-lms-cpuq.yaml | 15 +++++++++
 .../ccms-ebs/ccms-ssm-documents.tf | 8 +++++
 8 files changed, 118 insertions(+)
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ssm.tf
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml
 create mode 100644 terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml

diff --git a/terraform/environments/ccms-ebs-upgrade/iam.tf b/terraform/environments/ccms-ebs-upgrade/iam.tf
index f57a522fb20..6c646f5e80f 100644
--- a/terraform/environments/ccms-ebs-upgrade/iam.tf
+++ b/terraform/environments/ccms-ebs-upgrade/iam.tf
@@ -276,3 +276,36 @@ resource "aws_iam_role_policy_attachment" "ec2_operations_policy_att" {
 role = aws_iam_role.role_stsassume_oracle_base.name
 policy_arn = aws_iam_policy.ec2_operations_policy.arn
 }
+
+# S3 shared bucket
+
+data "aws_iam_policy_document" "ccms_ebs_shared_s3" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "s3:CopyObject",
+ "s3:DeleteObject",
+ "s3:DeleteObjects",
+ "s3:GetObject",
+ "s3:ListObjects",
+ "s3:ListObjectsV2",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ]
+ resources = [
+ aws_s3_bucket.ccms_ebs_shared.arn,
+ "${aws_s3_bucket.ccms_ebs_shared.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ccms_ebs_shared_s3" {
+ description = "Policy to allow operations in ${aws_s3_bucket.ccms_ebs_shared.id}"
+ name = "ccms_ebs_shared_s3-${local.environment}"
+ policy = data.aws_iam_policy_document.ccms_ebs_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
+ role = aws_iam_role.role_stsassume_oem_base.name
+ policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/s3.tf b/terraform/environments/ccms-ebs-upgrade/s3.tf
index 83148792a49..7be816cd670 100644
--- a/terraform/environments/ccms-ebs-upgrade/s3.tf
+++ b/terraform/environments/ccms-ebs-upgrade/s3.tf
@@ -276,3 +276,7 @@ data "aws_iam_policy_document" "dbbackup_s3_policy" {
 resources = ["${module.s3-bucket-dbbackup.bucket.arn}/*"]
 }
 }
+
+resource "aws_s3_bucket" "ccms_ebs_shared" {
+ bucket = "${local.application_name}-${local.environment}-shared"
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ssm.tf b/terraform/environments/ccms-ebs-upgrade/ssm.tf
new file mode 100644
index 00000000000..998822fc365
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ssm.tf
@@ -0,0 +1,7 @@
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+ name = "Oracle-lms-cpuq"
+ document_type = "Command"
+ document_format = "YAML"
+
+ content = file("ssm_oracle_lms_cpuq.yaml")
+}
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml b/terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml
new file mode 100644
index 00000000000..34c48983324
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ssm_oracle_lms_cpuq.yaml
@@ -0,0 +1,15 @@
+# ssm_oracle_lms_cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+ - name: OracleLMScpuq
+ action: aws:runShellScript
+ isEnd: true
+ precondition:
+ StringEquals:
+ - platformType
+ - Linux
+ inputs:
+ runCommand:
+ - "bash /mnt/s3-shared/lms_cpuq.sh"
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs/ccms-iam.tf b/terraform/environments/ccms-ebs/ccms-iam.tf
index a3c08d3e62b..9515c13107e 100644
--- a/terraform/environments/ccms-ebs/ccms-iam.tf
+++ b/terraform/environments/ccms-ebs/ccms-iam.tf
@@ -311,3 +311,35 @@ data "aws_iam_policy_document" "email" {
 resources = ["*"]
 }
 }
+
+# S3 shared bucket
+data "aws_iam_policy_document" "ccms_ebs_shared_s3" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "s3:CopyObject",
+ "s3:DeleteObject",
+ "s3:DeleteObjects",
+ "s3:GetObject",
+ "s3:ListObjects",
+ "s3:ListObjectsV2",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ]
+ resources = [
+ aws_s3_bucket.ccms_ebs_shared.arn,
+ "${aws_s3_bucket.ccms_ebs_shared.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ccms_ebs_shared_s3" {
+ description = "Policy to allow operations in ${aws_s3_bucket.ccms_ebs_shared.id}"
+ name = "ccms_ebs_shared_s3-${local.environment}"
+ policy = data.aws_iam_policy_document.ccms_ebs_shared_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
+ role = aws_iam_role.role_stsassume_oem_base.name
+ policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
+}
diff --git a/terraform/environments/ccms-ebs/ccms-s3.tf b/terraform/environments/ccms-ebs/ccms-s3.tf
index fff2c34a842..068692ea2e9 100644
--- a/terraform/environments/ccms-ebs/ccms-s3.tf
+++ b/terraform/environments/ccms-ebs/ccms-s3.tf
@@ -281,4 +281,8 @@ data "aws_iam_policy_document" "dbbackup_s3_policy" {
 ]
 resources = ["${module.s3-bucket-dbbackup.bucket.arn}/*"]
 }
+}
+
+resource "aws_s3_bucket" "ccms_ebs_shared" {
+ bucket = "${local.application_name}-${local.environment}-shared"
 }
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml b/terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml
new file mode 100644
index 00000000000..6572f6751a2
--- /dev/null
+++ b/terraform/environments/ccms-ebs/ccms-ssm-document-oracle-lms-cpuq.yaml
@@ -0,0 +1,15 @@
+# ccms-ssm-document-oracle-lms-cpuq.yaml
+---
+schemaVersion: "2.2"
+description: Run the lms_cpuq.sh script.
+mainSteps:
+ - name: OracleLMScpuq
+ action: aws:runShellScript
+ isEnd: true
+ precondition:
+ StringEquals:
+ - platformType
+ - Linux
+ inputs:
+ runCommand:
+ - "bash /mnt/s3-shared/lms_cpuq.sh"
\ No newline at end of file
diff --git a/terraform/environments/ccms-ebs/ccms-ssm-documents.tf b/terraform/environments/ccms-ebs/ccms-ssm-documents.tf
index 81f3f3d5353..8d3d96b2276 100644
--- a/terraform/environments/ccms-ebs/ccms-ssm-documents.tf
+++ b/terraform/environments/ccms-ebs/ccms-ssm-documents.tf
@@ -4,4 +4,12 @@ resource "aws_ssm_document" "service_actions" {
 document_format = "YAML"
 
 content = file("ccms-ssm-document-service-actions.yaml")
+}
+
+resource "aws_ssm_document" "oracle_lms_cpuq" {
+ name = "Oracle-lms-cpuq"
+ document_type = "Command"
+ document_format = "YAML"
+
+ content = file("ccms-ssm-document-oracle-lms-cpuq.yaml")
 }
\ No newline at end of file

From b501d73789d885af70c7c502c2e7b13154602d17 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 15:50:50 +0100
Subject: [PATCH 8/8] CC-2812: Fixed typos.

---
 terraform/environments/ccms-ebs-upgrade/iam.tf | 2 +-
 terraform/environments/ccms-ebs/ccms-iam.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/environments/ccms-ebs-upgrade/iam.tf b/terraform/environments/ccms-ebs-upgrade/iam.tf
index 6c646f5e80f..b35bbd63146 100644
--- a/terraform/environments/ccms-ebs-upgrade/iam.tf
+++ b/terraform/environments/ccms-ebs-upgrade/iam.tf
@@ -306,6 +306,6 @@ resource "aws_iam_policy" "ccms_ebs_shared_s3" {
 }
 
 resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
- role = aws_iam_role.role_stsassume_oem_base.name
+ role = aws_iam_role.role_stsassume_oracle_base.name
 policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
 }
diff --git a/terraform/environments/ccms-ebs/ccms-iam.tf b/terraform/environments/ccms-ebs/ccms-iam.tf
index 9515c13107e..f6aef0762c2 100644
--- a/terraform/environments/ccms-ebs/ccms-iam.tf
+++ b/terraform/environments/ccms-ebs/ccms-iam.tf
@@ -340,6 +340,6 @@ resource "aws_iam_policy" "ccms_ebs_shared_s3" {
 }
 
 resource "aws_iam_role_policy_attachment" "ccms_ebs_shared_s3" {
- role = aws_iam_role.role_stsassume_oem_base.name
+ role = aws_iam_role.role_stsassume_oracle_base.name
 policy_arn = aws_iam_policy.ccms_ebs_shared_s3.arn
 }