diff --git a/.github/workflows/cd-api-infra.yml b/.github/workflows/cd-api-infra.yml
index c02677a2c..e843e05fe 100644
--- a/.github/workflows/cd-api-infra.yml
+++ b/.github/workflows/cd-api-infra.yml
@@ -9,6 +9,17 @@ on:
 - "infra/api/**"
 release:
 types: [published]
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: "target environment"
+ required: true
+ default: "dev"
+ type: choice
+ options:
+ - dev
+ - staging
+ - prod
 
 jobs:
 build-repository:
diff --git a/infra/api/service/draft_documents.tf b/infra/api/service/draft_documents.tf
new file mode 100644
index 000000000..69a0904c7
--- /dev/null
+++ b/infra/api/service/draft_documents.tf
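Review bot: The new `environment` input is declared but nothing in the hunk consumes it, and with `prod` among the choices a manual dispatch can reach production under whatever gating the `release` and push triggers already had; the jobs begin at `build-repository:` past the end of the hunk, so I cannot see whether they read the input. Bind the deploy job to a GitHub environment, e.g. `environment: ${{ inputs.environment || 'dev' }}`, so the repository's environment protection rules (required reviewers, deployment branch restrictions) gate the `prod` choice rather than the workflow file alone. Note that `inputs.environment` is empty on non-dispatch triggers, so the fallback matters for the existing `release` path.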
@@ -0,0 +1,83 @@
+resource "aws_s3_bucket" "draft_documents" {
+ bucket_prefix = "${var.service_name}-documents-draft"
+ force_destroy = false
+ # checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
+ # checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
+ # checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
+ # checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules
+ # checkov:skip=CKV_AWS_21:Bucket versioning is not worth it in this use case
+}
+
+resource "aws_s3_bucket_public_access_block" "draft_documents" {
+ bucket = aws_s3_bucket.draft_documents.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+data "aws_iam_policy_document" "draft_documents_put_access" {
+ statement {
+ effect = "Allow"
+ resources = [
+ aws_s3_bucket.draft_documents.arn,
+ "${aws_s3_bucket.draft_documents.arn}/*"
+ ]
+ actions = ["s3:*"]
+
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_role.app_service.arn]
+ }
+ }
+
+ statement {
+ sid = "AllowSSLRequestsOnly"
+ effect = "Deny"
+ resources = [
+ aws_s3_bucket.draft_documents.arn,
+ "${aws_s3_bucket.draft_documents.arn}/*"
+ ]
+ actions = ["s3:*"]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [false]
+ }
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "draft_documents" {
+ bucket = aws_s3_bucket.draft_documents.id
+
+ rule {
+ id = "AbortIncompleteUpload"
+ status = "Enabled"
+ abort_incomplete_multipart_upload {
+ days_after_initiation = 7
+ }
+ }
+
+ # checkov:skip=CKV_AWS_300:There is a known issue where this check brings up false positives
+}
+
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "draft_documents_encryption" {
+ bucket = aws_s3_bucket.draft_documents.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ bucket_key_enabled = true
+ }
+}
+
+resource "aws_s3_bucket_policy" "draft_documents" {
+ bucket = aws_s3_bucket.draft_documents.id
+ policy = data.aws_iam_policy_document.draft_documents_put_access.json
+}
\ No newline at end of file
diff --git a/infra/api/service/main.tf b/infra/api/service/main.tf
index 6573e0dae..02f4a482b 100644
--- a/infra/api/service/main.tf
+++ b/infra/api/service/main.tf
@@ -144,7 +144,11 @@ module "service" {
 }
 } : null
 
- extra_environment_variables = merge(local.service_config.extra_environment_variables, { "ENVIRONMENT" : var.environment_name })
+ extra_environment_variables = merge(
+ local.service_config.extra_environment_variables,
+ { "ENVIRONMENT" : var.environment_name },
+ { "DRAFTS_S3_BUCKET_ARN" : aws_s3_bucket.draft_documents.arn }
+ )
 
 secrets = concat(
 [for secret_name in keys(local.service_config.secrets) : {
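Review bot: The Allow statement in `draft_documents_put_access` grants `actions = ["s3:*"]` on the bucket and every object to `aws_iam_role.app_service`, which is far wider than the document's name suggests: `s3:*` includes bucket-management actions such as `s3:PutBucketPolicy`, `s3:PutBucketPublicAccessBlock` and `s3:DeleteBucket`, so a compromised task could undo the public-access block and bucket policy this same file sets up. Scope the statement to the object operations the service needs and give the bucket-level list actions their own statement, trimming the list below to what the application actually does with drafts. Separately, `sse_algorithm = "aws:kms"` with no `kms_master_key_id` falls back to the AWS-managed `aws/s3` key, whose key policy cannot be used to restrict decrypt access; if that is intended, a one-line comment on the rule saying so would save the next reader the question. The `AllowSSLRequestsOnly` deny statement is fine as written.
```hcl
data "aws_iam_policy_document" "draft_documents_put_access" {
  statement {
    sid       = "AppServiceObjectAccess"
    effect    = "Allow"
    resources = ["${aws_s3_bucket.draft_documents.arn}/*"]
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
      "s3:AbortMultipartUpload",
    ]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app_service.arn]
    }
  }

  statement {
    sid       = "AppServiceListBucket"
    effect    = "Allow"
    resources = [aws_s3_bucket.draft_documents.arn]
    actions   = ["s3:ListBucket", "s3:ListBucketMultipartUploads"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app_service.arn]
    }
  }

  # … unchanged: AllowSSLRequestsOnly deny statement …
}
```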
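Review bot: `DRAFTS_S3_BUCKET_ARN` hands the application an ARN, but S3 object operations take the bucket name as the `Bucket` parameter, so unless the service only uses the value for IAM or logging it will have to strip the `arn:aws:s3:::` prefix itself — I cannot see the consumer from here. If the name is what the application needs, `aws_s3_bucket.draft_documents.bucket` is the attribute to pass, for example as an additional entry `{ "DRAFTS_S3_BUCKET_NAME" : aws_s3_bucket.draft_documents.bucket }` next to the ARN.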