diff --git a/root.tf b/root.tf
index 0064fce..a468f96 100644
--- a/root.tf
+++ b/root.tf
@@ -144,7 +144,10 @@ module "upload_file_cloudfront_dirty_s3" {
 cloudfront_oai = module.cloudfront_upload.cloudfront_oai_iam_arn
 cloudfront_distribution_arns = [module.cloudfront_upload.cloudfront_arn]
 }
-
+# This is the only module that uses the canonical user grants in the tdr-terraform-modules/s3 module
+# Grants are no longer the recommended way to grant access to a bucket, so the s3 module will use the canonical user grants id
+# in the bucket policy with permissions equivalent to 'FULL_CONTROL'
+# Tdr-terraform-modules/s3 module will be deprecated in the future.
 module "upload_file_cloudfront_logs" {
 source = "./tdr-terraform-modules/s3"
 project = var.project
diff --git a/root_draft_metadata.tf b/root_draft_metadata.tf
index 0bd8ecd..0e9a838 100644
--- a/root_draft_metadata.tf
+++ b/root_draft_metadata.tf
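Review bot: The new comment above `module "upload_file_cloudfront_logs"` is hard to act on because it says the module "uses the canonical user grants" and then that it "will use the canonical user grants id in the bucket policy", without saying which holds for the module version this commit pins, and it does not name what "deprecated in the future" points to. Since the tdr-terraform-modules submodule is bumped in this same diff, it is presumably that bump that moves the access from an ACL grant to a bucket-policy statement; saying so, and saying that the FULL_CONTROL-equivalent statement is scoped to that one canonical user rather than to any canonical user, lets a reader confirm the log bucket is not opened more widely than the ACL was. Suggested wording: `# Only module still relying on the canonical-user ACL grant in tdr-terraform-modules/s3. ACL grants are no longer recommended, so the module now expresses the same FULL_CONTROL-equivalent access as a bucket-policy statement scoped to that canonical user; tdr-terraform-modules/s3 is to be deprecated.` The module call continues past the end of the hunk.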
@@ -48,11 +48,22 @@ module "draft_metadata_api_gateway" {
 resource "aws_iam_role" "draft_metadata_api_gateway_execution_role" {
 name = "TDRMetadataChecksAPIGatewayExecutionRole${title(local.environment)}"
 assume_role_policy = templatefile("./templates/iam_policy/assume_role_policy.json.tpl", { service = "apigateway.amazonaws.com" })
+}
 
- inline_policy {
- name = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
- policy = templatefile("./templates/iam_policy/api_gateway_state_machine_policy.json.tpl", { account_id = data.aws_caller_identity.current.account_id, state_machine_arn = module.draft_metadata_checks.step_function_arn })
- }
+resource "aws_iam_policy" "api_gateway_execution_policy" {
+ name = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
+ policy = templatefile(
+ "./templates/iam_policy/api_gateway_state_machine_policy.json.tpl",
+ {
+ account_id = data.aws_caller_identity.current.account_id,
+ state_machine_arn = module.draft_metadata_checks.step_function_arn
+ }
+ )
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_execution_policy" {
+ role = aws_iam_role.draft_metadata_api_gateway_execution_role.name
+ policy_arn = aws_iam_policy.api_gateway_execution_policy.arn
 }
 
 module "draft_metadata_bucket" {
diff --git a/root_keycloak.tf b/root_keycloak.tf
index 292e70a..3602279 100644
--- a/root_keycloak.tf
+++ b/root_keycloak.tf
@@ -166,7 +166,7 @@ module "keycloak_database_instance" {
 availability_zone = local.database_availability_zone
 common_tags = local.common_tags
 database_name = "keycloak"
- database_version = "14.12"
+ database_version = local.environment == "prod" ? "14.12" : "16.3"
 environment = local.environment
 kms_key_id = module.encryption_key.kms_key_arn
 private_subnets = module.shared_vpc.private_subnets
diff --git a/tdr-terraform-modules b/tdr-terraform-modules
index 6053124..35ae4f7 160000
--- a/tdr-terraform-modules
+++ b/tdr-terraform-modules
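Review bot: Dropping the `inline_policy` block from `aws_iam_role.draft_metadata_api_gateway_execution_role` does not by itself remove the existing inline policy from the role: with the AWS provider, a role resource that declares no `inline_policy` blocks is treated as not managing inline policies at all, so the old `TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy...` inline policy is likely to stay on the role, now unmanaged and invisible to Terraform, alongside the new managed policy. Unless the provider version in use behaves differently, either apply once with an empty `inline_policy {}` block in the role (which tells the provider to remove all inline policies) before deleting it, or remove the inline policy out of band, and confirm from the plan and the role's console view that only the attachment remains. The managed policy and `aws_iam_role_policy_attachment` themselves look right; the policy document lives in the template file and cannot be reviewed from this hunk, and `module "draft_metadata_bucket"` continues past the hunk's end.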
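Review bot: The new `database_version = local.environment == "prod" ? "14.12" : "16.3"` puts prod on a different major engine version from every environment that exercises Keycloak before prod, and nothing in the hunk says whether this is a staged rollout or a permanent split. If it is staged, a comment on that line capturing the plan, `# prod stays on 14.12 until <UPGRADE-TICKET-PLACEHOLDER>; non-prod runs 16.3 to validate the upgrade first`, stops the next reader from treating the divergence as intended and makes the follow-up removal of the conditional obvious. Also check that the `keycloak_database_instance` module lets the instance change major version (for example an `allow_major_version_upgrade` input passed through to the instance) — its other inputs are outside this hunk, and if it does not, the non-prod apply will fail rather than upgrade.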
@@ -1 +1 @@
-Subproject commit 6053124b7c995a6e572cdf54edfcab50b23e421f
+Subproject commit 35ae4f7c652c2d764f82391e28c17091676348b4