Merge pull request #1 from companieshouse/implementation

Initial implementation

Author: marcransome

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @companieshouse/platform-admin

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    reviewers:
+      - "companieshouse/platform-admin"

README.md

@@ -1 +1,31 @@
 # physical-media-backup-terraform
+
+Infrastructure code for the provisioning of object storage for physical media backups (CD-ROM, DVD-ROM, and floppy disk).
+
+## Overview
+
+An S3 bucket is provisioned, along with an IAM user with suitable policy and credentials, for use with client applications such as [WinSCP](https://winscp.net/eng/index.php) and [Cyberduck](https://cyberduck.io/).
+
+Data is encrypted at rest using [server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) with Amazon S3 managed encryption keys (SSE-S3). Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) or customer-provided keys (SSE-C) is explicitly blocked via an S3 bucket policy—by denying `PutObject` requests with the `aws:kms` header—to ensure that objects in the S3 bucket use the same server-side encryption method (i.e. SSE-S3).
+
+## Branching Strategy
+
+This project uses a trunk-based branching strategy and infrastructure changes are versioned and applied from the `main` branch after merge via the [infrastructure pipeline](https://github.com/companieshouse/ci-pipelines/blob/master/pipelines/platform/team-platform/physical-media-backup-terraform):
+
+```mermaid
+%%{init: { 'logLevel': 'debug', 'theme': 'default' , 'themeVariables': {
+    'git0': '#4585ed',
+    'git1': '#edad45'
+} } }%%
+gitGraph
+commit
+branch feature
+commit
+commit
+commit
+checkout main
+merge feature tag: "1.0.0"
+```
+## License
+
+This project is subject to the terms of the [MIT License](/LICENSE).

groups/storage/.terraform.lock.hcl

@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "data" {
+  statement {
+    sid = "AllowDataUserToListBucket"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket"
+    ]
+
+    resources = [
+      aws_s3_bucket.data.arn
+    ]
+  }
+
+  statement {
+    sid = "AllowDataUserToPutAndGetObjectsInBucket"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetObject",
+      "s3:GetObjectAcl"
+    ]
+
+    resources = [
+      "${aws_s3_bucket.data.arn}/*"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "bucket" {
+  statement {
+    sid = "DenyPutObjectWithKmsEncryptionHeader"
+
+    effect = "Deny"
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "s3:PutObject"
+    ]
+
+    resources = [
+      "${aws_s3_bucket.data.arn}/*"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-server-side-encryption"
+      values   = ["aws:kms"]
+    }
+  }
+}

groups/storage/data.tf

@@ -0,0 +1,22 @@
+resource "aws_iam_user" "data" {
+  name = "${var.service}-${var.environment}"
+
+  tags = merge(local.common_tags, {
+    Name = "${var.service}-${var.environment}-data-user"
+  })
+}
+
+resource "aws_iam_access_key" "data" {
+  user = aws_iam_user.data.name
+}
+
+resource "aws_iam_policy" "data" {
+  name        = "${var.service}-${var.environment}-data-user-policy"
+  description = "IAM policy for data user to access objects in physical media backup bucket"
+  policy      = data.aws_iam_policy_document.data.json
+}
+
+resource "aws_iam_user_policy_attachment" "data" {
+  user       = aws_iam_user.data.name
+  policy_arn = aws_iam_policy.data.arn
+}

groups/storage/iam.tf

@@ -0,0 +1,8 @@
+locals {
+  common_tags = {
+    Environment = var.environment
+    Provisioner = "Terraform"
+    Repository  = var.repository
+    Service     = var.service
+  }
+}

groups/storage/locals.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.3.0, < 1.4.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+terraform {
+  backend "s3" {}
+}

groups/storage/main.tf

@@ -0,0 +1,2 @@
+aws_account = "heritage-live"
+environment = "live"

groups/storage/profiles/heritage-live-eu-west-2/live/vars

@@ -0,0 +1,2 @@
+aws_account = "heritage-staging"
+environment = "staging"