Merge pull request #4230 from alphagov/add-ckan-output-bucket

AP-Hunt · web-flow · commit a4dc7a144e99 · 2026-05-22T13:52:19.000+01:00
Add output bucket to store check links reports
diff --git a/terraform/deployments/datagovuk-infrastructure/output-bucket.tf b/terraform/deployments/datagovuk-infrastructure/output-bucket.tf
@@ -0,0 +1,45 @@
+locals {
+  s3_bucket_datagovuk_bucket_name = "govuk-ckan-output-${var.govuk_environment}"
+  s3_bucket_datagovuk_bucket_arn  = "arn:aws:s3:::${local.s3_bucket_datagovuk_bucket_name}"
+}
+
+module "s3_bucket_datagovuk_bucket" {
+  source = "../../shared-modules/s3"
+
+  govuk_environment = var.govuk_environment
+  name              = local.s3_bucket_datagovuk_bucket_name
+
+  versioning_enabled   = true
+  versioning_suspended = true
+
+  enable_public_access_block = true
+  extra_bucket_policies      = [data.aws_iam_policy_document.datagovuk_bucket.json]
+
+  tags = {
+    System = "Data.gov.uk CKAN outputs"
+    Name   = "CKAN Output Bucket for ${var.govuk_environment}"
+  }
+}
+
+# TODO: instead of granting write access to nodes, use IRSA (IAM Roles for
+# Service Accounts aka pod identity) so that only Argo CD can write.
+data "aws_iam_policy_document" "datagovuk_bucket" {
+  statement {
+    sid = "EKSNodesCanList"
+    principals {
+      type        = "AWS"
+      identifiers = [data.tfe_outputs.cluster_infrastructure.nonsensitive_values.worker_iam_role_arn]
+    }
+    actions   = ["s3:ListBucket"]
+    resources = [local.s3_bucket_datagovuk_bucket_arn]
+  }
+  statement {
+    sid = "EKSNodesCanWrite"
+    principals {
+      type        = "AWS"
+      identifiers = [data.tfe_outputs.cluster_infrastructure.nonsensitive_values.worker_iam_role_arn]
+    }
+    actions   = ["s3:GetObject", "s3:PutObject"]
+    resources = ["${local.s3_bucket_datagovuk_bucket_arn}/*"]
+  }
+}
diff --git a/terraform/deployments/datagovuk-infrastructure/variables.tf b/terraform/deployments/datagovuk-infrastructure/variables.tf
@@ -28,8 +28,7 @@ variable "organogram_bucket_cors_origins" {
     "https://www.integration.data.gov.uk",
     "https://find.eks.production.govuk.digital",
     "https://find.eks.integration.govuk.digital",
-    "https://find.eks.staging.govuk.digital",
-    "https://find.eph-aaa113.ephemeral.govuk.digital"
+    "https://find.eks.staging.govuk.digital"
   ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,7 @@ variable "organogram_bucket_cors_origins" {`
`28`	`28`	`"https://www.integration.data.gov.uk",`
`29`	`29`	`"https://find.eks.production.govuk.digital",`
`30`	`30`	`"https://find.eks.integration.govuk.digital",`
`31`		`- "https://find.eks.staging.govuk.digital",`
`32`		`- "https://find.eph-aaa113.ephemeral.govuk.digital"`
	`31`	`+ "https://find.eks.staging.govuk.digital"`
`33`	`32`	`]`
`34`	`33`	`}`
`35`	`34`