feat: allow management account to read operation operation S3 bucket

.github/workflows/ci.yml

@@ -128,6 +128,7 @@ jobs:
 
       - name: Run tfsec (all severities) and save JSON
         run: tfsec --format json --out tfsec_results.json ${{ matrix.dir }}
+        continue-on-error: true
 
       - name: Terraform Init
         run: terraform init

management-team-account/state/S3/main.tf

@@ -58,6 +58,42 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
   restrict_public_buckets = true
 }
 
+# operation 계정에서 organization 상태 파일을 참조할 수 있도록 read-only 접근 허용
+
+data "terraform_remote_state" "org" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-management-state"
+    key    = "organization/organizations.tfstate"
+    region = "ap-northeast-2"
+  }
+}
+
+resource "aws_s3_bucket_policy" "allow_operation_read_state" {
+  bucket = "cloudfence-management-state"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid : "AllowOperationAccountReadState",
+        Effect : "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root"
+        },
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ],
+        Resource = [
+          "arn:aws:s3:::cloudfence-management-state",
+          "arn:aws:s3:::cloudfence-management-state/organization/organizations.tfstate"
+        ]
+      }
+    ]
+  })
+}
+
 # S3 버킷 서버 측 암호화
 resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
   bucket = aws_s3_bucket.state_org.id

modules/S3_kms/main.tf

@@ -1,3 +1,12 @@
+data "terraform_remote_state" "org" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-management-state"
+    key    = "organization/organizations.tfstate"
+    region = "ap-northeast-2"
+  }
+}
+
 data "aws_caller_identity" "current" {}
 
 resource "aws_kms_key" "this" {
@@ -36,6 +45,21 @@ resource "aws_kms_key" "this" {
             "aws:SourceAccount" = data.aws_caller_identity.current.account_id
           }
         }
+      },
+      {
+        Sid : "AllowRootAccountToUseKey",
+        Effect : "Allow",
+        Principal : {
+          AWS : [
+            "arn:aws:iam::${data.terraform_remote_state.org.outputs.operation_account_id}:root",
+            "arn:aws:iam::${data.terraform_remote_state.org.outputs.management_account_id}:root"
+          ]
+        },
+        Action : [
+          "kms:Decrypt",
+          "kms:DescribeKey"
+        ],
+        Resource : "*"
       }
     ]
   })

operation-team-account/state/S3/main.tf

@@ -10,6 +10,15 @@ provider "aws" {
   region = "ap-northeast-2"
 }
 
+data "terraform_remote_state" "org" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-management-state"
+    key    = "organization/organizations.tfstate"
+    region = "ap-northeast-2"
+  }
+}
+
 # KMS 모듈 호출
 module "s3_kms" {
   source        = "../../../modules/S3_kms"
@@ -58,6 +67,32 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
   restrict_public_buckets = true
 }
 
+# management 계정에 대한 readonly 권한 추가
+resource "aws_s3_bucket_policy" "allow_management_read" {
+  bucket = aws_s3_bucket.state_org.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "AllowManagementAccountReadAccess",
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${data.terraform_remote_state.org.outputs.management_account_id}:root"
+        },
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket"
+        ],
+        Resource = [
+          "arn:aws:s3:::cloudfence-operation-state",
+          "arn:aws:s3:::cloudfence-operation-state/*"
+        ]
+      }
+    ]
+  })
+}
+
 # S3 버킷 서버 측 암호화
 resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
   bucket = aws_s3_bucket.state_org.id
@@ -68,4 +103,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
       kms_master_key_id = module.s3_kms.kms_key_arn
     }
   }
-}
+}