Manage DGU static data bucket

Imported from infra-datagovuk-static-bucket in govuk-aws
alphagov · Apr 2, 2024 · ef99285 · ef99285
1 parent 0f8fe08
commit ef99285
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 2 deletions.
diff --git a/terraform/deployments/datagovuk-infrastructure/main.tf b/terraform/deployments/datagovuk-infrastructure/main.tf
@@ -55,3 +55,5 @@ provider "helm" {
 }
 
 provider "fastly" { api_key = "test" }
+
+data "fastly_ip_ranges" "fastly" {}
diff --git a/terraform/deployments/datagovuk-infrastructure/organogram_bucket.tf b/terraform/deployments/datagovuk-infrastructure/organogram_bucket.tf
@@ -1,5 +1,3 @@
-data "fastly_ip_ranges" "fastly" {}
-
 data "aws_iam_policy_document" "s3_fastly_read_policy_doc" {
   statement {
     sid     = "S3FastlyReadBucket"

diff --git a/terraform/deployments/datagovuk-infrastructure/static_data_bucket.tf b/terraform/deployments/datagovuk-infrastructure/static_data_bucket.tf
@@ -0,0 +1,57 @@
+resource "aws_s3_bucket" "datagovuk_static" {
+  bucket = "datagovuk-${var.govuk_environment}-ckan-static-data"
+}
+
+resource "aws_s3_bucket_versioning" "datagovuk_static" {
+  bucket = aws_s3_bucket.datagovuk_static.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_logging" "datagovuk_static" {
+  bucket        = aws_s3_bucket.datagovuk_static.id
+  target_bucket = "govuk-${var.govuk_environment}-aws-logging"
+  target_prefix = "s3/datagovuk-${var.govuk_environment}-ckan-static-data/"
+}
+
+data "aws_iam_policy_document" "datagovuk_static" {
+  statement {
+    sid     = "S3FastlyReadBucket"
+    actions = ["s3:GetObject"]
+
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.datagovuk_static.id}",
+      "arn:aws:s3:::${aws_s3_bucket.datagovuk_static.id}/*",
+    ]
+
+    condition {
+      test     = "IpAddress"
+      variable = "aws:SourceIp"
+
+      values = data.fastly_ip_ranges.fastly.cidr_blocks
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "govuk_datagovuk_static_read_policy" {
+  bucket = aws_s3_bucket.datagovuk_static.id
+  policy = data.aws_iam_policy_document.datagovuk_static.json
+}
+
+// Imports (temporary)
+
+import {
+  to = aws_s3_bucket.datagovuk_static
+  id = "datagovuk-${var.govuk_environment}-ckan-static-data"
+}
+
+import {
+  to = aws_s3_bucket_policy.govuk_datagovuk_static_read_policy
+  id = "datagovuk-${var.govuk_environment}-ckan-static-data"
+}