diff --git a/infra/deployments/deploy/engineer-access/roles.tf b/infra/deployments/deploy/engineer-access/roles.tf
index d4aa4b914..de2cf8b01 100644
--- a/infra/deployments/deploy/engineer-access/roles.tf
+++ b/infra/deployments/deploy/engineer-access/roles.tf
@@ -3,16 +3,15 @@ module "users" {
 }
 
 module "engineer_access" {
- source = "../../../modules/engineer-access"
- admins = module.users.with_role["deploy_admin"]
- support = module.users.with_role["deploy_support"]
- readonly = module.users.with_role["deploy_readonly"]
- env_name = "deploy"
- environment_type = "deploy"
- codestar_connection_arn = var.codestar_connection_arn
- dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb::${var.deploy_account_id}:table/*"
- allow_ecs_task_usage = false
- allow_rds_data_api_access = false
+ source = "../../../modules/engineer-access"
+ admins = module.users.with_role["deploy_admin"]
+ support = module.users.with_role["deploy_support"]
+ readonly = module.users.with_role["deploy_readonly"]
+ env_name = "deploy"
+ environment_type = "deploy"
+ codestar_connection_arn = var.codestar_connection_arn
+ allow_ecs_task_usage = false
+ allow_rds_data_api_access = false
 
 # Pentesters may not have GDS domains so our pattern using the 'users' module
 # doesn't necessarily work.
diff --git a/infra/deployments/forms/account/deployer-access.tf b/infra/deployments/forms/account/deployer-access.tf
index 512bcf658..766e93d1e 100644
--- a/infra/deployments/forms/account/deployer-access.tf
+++ b/infra/deployments/forms/account/deployer-access.tf
@@ -1,21 +1,11 @@ -locals { - # The user research account uses an underscore for environment type - # and a dash for environment name. This is a bug fix to get the user-research - # account Terraform working again while we determine what impact changing - # the values will have. - dynamodb_table_name = (var.environment_type == "user_research" ? - "govuk-forms-user-research-tfstate-locking" : - "govuk-forms-${var.environment_type}-tfstate-locking") -} module "deployer_access" { - source = "../../../modules/deployer-access" - environment_name = var.environment_name - environment_type = replace(var.environment_type, "_", "-") # See comment about dynamodb table name - account_id = var.aws_account_id - deploy_account_id = var.deploy_account_id - hosted_zone_id = aws_route53_zone.public.id - codestar_connection_arn = var.codestar_connection_arn - dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/*" + source = "../../../modules/deployer-access" + environment_name = var.environment_name + environment_type = replace(var.environment_type, "_", "-") # The user research account uses an underscore for environment type and a dash for environment name + account_id = var.aws_account_id + deploy_account_id = var.deploy_account_id + hosted_zone_id = aws_route53_zone.public.id + codestar_connection_arn = var.codestar_connection_arn depends_on = [aws_route53_zone.public] } diff --git a/infra/deployments/forms/account/engineer-access.tf b/infra/deployments/forms/account/engineer-access.tf index ae54ca4be..d86c5cfdd 100644 --- a/infra/deployments/forms/account/engineer-access.tf +++ b/infra/deployments/forms/account/engineer-access.tf 
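Review bot: The inline comment on `environment_type` now records the naming mismatch but loses the reason the removed `locals` block gave for the `replace()` call — that it was a stop-gap for the user-research account while the impact of changing the value was still being worked out — so the next reader cannot tell whether the substitution is meant to stay. Suggest keeping that rationale next to the call, e.g. `# user_research is the only environment_type with an underscore; replace() keeps the module's dash convention until the value itself is changed`, and putting it on its own line above the argument rather than trailing a long expression. The `module "deployer_access"` block is fully inside the hunk, so no other consumer of the old local is visible here.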
@@ -3,17 +3,16 @@ module "users" {
 }
 
 module "engineer_access" {
- source = "../../../modules/engineer-access"
- env_name = var.account_name
- environment_type = var.environment_type
- admins = module.users.with_role["${var.environment_type}_admin"]
- support = module.users.with_role["${var.environment_type}_support"]
- readonly = module.users.with_role["${var.environment_type}_readonly"]
- pentesters = var.pentester_email_addresses
- pentester_cidrs = var.pentester_cidr_ranges
- vpn = var.require_vpn_to_access
- codestar_connection_arn = var.codestar_connection_arn
- dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/*"
- allow_rds_data_api_access = true
- allow_ecs_task_usage = true
+ source = "../../../modules/engineer-access"
+ env_name = var.account_name
+ environment_type = var.environment_type
+ admins = module.users.with_role["${var.environment_type}_admin"]
+ support = module.users.with_role["${var.environment_type}_support"]
+ readonly = module.users.with_role["${var.environment_type}_readonly"]
+ pentesters = var.pentester_email_addresses
+ pentester_cidrs = var.pentester_cidr_ranges
+ vpn = var.require_vpn_to_access
+ codestar_connection_arn = var.codestar_connection_arn
+ allow_rds_data_api_access = true
+ allow_ecs_task_usage = true
 }
diff --git a/infra/deployments/forms/account/init-state-bucket/main.tf b/infra/deployments/forms/account/init-state-bucket/main.tf
index 59b1fbd4d..2dd9a2035 100644
--- a/infra/deployments/forms/account/init-state-bucket/main.tf
+++ b/infra/deployments/forms/account/init-state-bucket/main.tf
@@ -9,30 +9,12 @@ variable "bucket_name" { description = "The name to give to the S3 bucket. Standard S3 bucket naming rules apply." } -variable "dynamodb_table" { - type = string - description = "The name to give to the DynamoDB table that will be used for state file locking." - default = "tmp" -} - module "state_bucket" { source = "../../../../modules/state-bucket" bucket_name = var.bucket_name } -resource "aws_dynamodb_table" "state_locking_table" { - #checkov:skip=CKV_AWS_28:we don't need point in time recovery on this table - #checkov:skip=CKV_AWS_119:we don't require encryption on this table - name = var.dynamodb_table - hash_key = "LockID" - billing_mode = "PAY_PER_REQUEST" - - attribute { - name = "LockID" - type = "S" - } -} output "bucket_name" { value = module.state_bucket.bucket_name diff --git a/infra/deployments/forms/account/inputs.tf b/infra/deployments/forms/account/inputs.tf index d4d37debb..4c0c6a440 100644 --- a/infra/deployments/forms/account/inputs.tf +++ b/infra/deployments/forms/account/inputs.tf @@ -24,13 +24,6 @@ variable "bucket" { nullable = false } -variable "dynamodb_table" { - description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend" - type = string - nullable = false - default = "tmp" -} - variable "environment_name" { description = "The name of the environment. This is distinct from the environment type, but is likely to share the same name in cases like production or staging." type = string diff --git a/infra/deployments/forms/inputs.tf b/infra/deployments/forms/inputs.tf index caa739dff..f19cba1ae 100644 --- a/infra/deployments/forms/inputs.tf +++ b/infra/deployments/forms/inputs.tf 
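Review bot: Dropping `resource "aws_dynamodb_table" "state_locking_table"` from configuration means the next apply of this root module destroys the lock table, and any backend that still names it in `dynamodb_table` fails to acquire locks from that point on; the diff removes `var.dynamodb_table` from the root inputs (the `inputs.tf` hunks on this line and the next) but the backend blocks that consumed it are not in the diff, so the cut-over order should be confirmed before merge. If the table has to survive until every workspace has moved to the new locking mechanism, a `removed { from = aws_dynamodb_table.state_locking_table  lifecycle { destroy = false } }` block drops it from state without deleting it. A one-line comment in `main.tf` saying where locking now happens would also let the IAM removals elsewhere in this diff be checked against it.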
@@ -54,13 +54,6 @@ variable "bucket" { nullable = false } -variable "dynamodb_table" { - description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend" - type = string - nullable = false - default = "tmp" -} - variable "dlq_arn" { description = "The ARN of the dead letter queue for paused pipeline detection" type = string diff --git a/infra/deployments/integration/account/engineer-access.tf b/infra/deployments/integration/account/engineer-access.tf index d6f64547b..abdc8c8a7 100644 --- a/infra/deployments/integration/account/engineer-access.tf +++ b/infra/deployments/integration/account/engineer-access.tf @@ -51,7 +51,6 @@ module "support_role" { email = "${each.value}@digital.cabinet-office.gov.uk" role_suffix = "support" iam_policy_arns = [ - aws_iam_policy.lock_state_files.id ] ip_restrictions = local.ip_restrictions } @@ -64,7 +63,6 @@ module "readonly_role" { role_suffix = "readonly" iam_policy_arns = [ "arn:aws:iam::aws:policy/ReadOnlyAccess", - aws_iam_policy.lock_state_files.id ] ip_restrictions = local.ip_restrictions } @@ -82,27 +80,3 @@ module "pentester_role" { ] ip_restrictions = var.pentester_cidr_ranges } - - -resource "aws_iam_policy" "lock_state_files" { - name = "lock-state-files" - path = "/" - - description = "Allow reading and writing from a DynamoDB table used for Terraform state file locking" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem" - ] - Resource = ["arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/${var.dynamodb_table}"] - } - ] - }) -} diff --git a/infra/deployments/integration/inputs.tf b/infra/deployments/integration/inputs.tf index fd3595b85..aa6d6297c 100644 --- a/infra/deployments/integration/inputs.tf +++ b/infra/deployments/integration/inputs.tf 
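Review bot: Removing the only element leaves `iam_policy_arns = [ ]` as a two-line empty list in `module "support_role"`; `iam_policy_arns = []` is the conventional spelling and makes the emptiness deliberate at a glance. If the support role is now meant to carry nothing beyond the module's own attachments, a short comment such as `# no account-specific policies; locking no longer needs DynamoDB access` would stop the next reader assuming a line was dropped by mistake. `module "support_role"` starts before this hunk.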
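Review bot: After this hunk `module "readonly_role"` is left with only `ReadOnlyAccess`, which grants no write access to the state bucket; if locking has moved to the S3 backend's native lockfile (`use_lockfile`), `terraform plan` from this role will now fail to create the `.tflock` object unless the state-bucket policy grants `s3:PutObject`/`s3:DeleteObject` on that key, or the role is only ever used with `-lock=false`. The same question applies to the readonly role in `infra/modules/engineer-access/roles.tf` (`@@ -44,7`) and to the deployer's `forms_infra` document in `infra/modules/deployer-access/policy.tf` (`@@ -5,7`), none of which gain a replacement grant in this diff. Worth confirming which mechanism is in use and adding the matching S3 statement, or a comment stating that read-only users are expected to run unlocked plans; `module "readonly_role"` starts before this hunk.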
@@ -24,13 +24,6 @@ variable "bucket" {
 nullable = false
 }
 
-variable "dynamodb_table" {
- description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend"
- type = string
- nullable = false
- default = "tmp"
-}
-
 variable "require_vpn_to_access" {
 type = bool
 description = "Whether this AWS account will require users to be on the VPN to access it"
diff --git a/infra/modules/deployer-access/policy.tf b/infra/modules/deployer-access/policy.tf
index 535dec20b..41de64a0b 100644
--- a/infra/modules/deployer-access/policy.tf
+++ b/infra/modules/deployer-access/policy.tf
@@ -5,7 +5,6 @@ ##
 
 data "aws_iam_policy_document" "forms_infra" {
 source_policy_documents = [
- data.aws_iam_policy_document.lock_state_files.json,
 data.aws_iam_policy_document.alerts.json,
 data.aws_iam_policy_document.dns.json,
 data.aws_iam_policy_document.monitoring.json,
@@ -81,19 +80,6 @@ resource "aws_iam_role_policy_attachment" "full_read_only" {
 role = aws_iam_role.deployer.id
 }
 
-data "aws_iam_policy_document" "lock_state_files" {
- statement {
- sid = "AllowStateFileLocking"
- effect = "Allow"
- actions = [
- "dynamodb:DescribeTable",
- "dynamodb:GetItem",
- "dynamodb:PutItem",
- "dynamodb:DeleteItem"
- ]
- resources = [var.dynamodb_state_file_locks_table_arn]
- }
-}
 data "aws_iam_policy_document" "alerts" {
 statement {
 sid = "ManageKMSKeyAlerts"
diff --git a/infra/modules/deployer-access/variables.tf b/infra/modules/deployer-access/variables.tf
index d9c88e7fa..3439000c6 100644
--- a/infra/modules/deployer-access/variables.tf
+++ b/infra/modules/deployer-access/variables.tf
@@ -28,8 +28,3 @@ variable "codestar_connection_arn" {
 type = string
 description = "ARN of the CodeStar connection in the account"
 }
-
-variable "dynamodb_state_file_locks_table_arn" {
- type = string
- description = "The arn of the DynamoDB table being used for state file locking"
-}
diff --git a/infra/modules/engineer-access/policies.tf b/infra/modules/engineer-access/policies.tf
index 548390a4e..b5bfc0b1b 100644
--- a/infra/modules/engineer-access/policies.tf
+++ b/infra/modules/engineer-access/policies.tf
@@ -289,29 +289,6 @@ resource "aws_iam_policy" "deny_parameter_store" {
 })
 }
 
-resource "aws_iam_policy" "lock_state_files" {
- name = "lock-state-files"
- path = "/"
-
- description = "Allow reading and writing from a DynamoDB table used for Terraform state file locking"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "dynamodb:DescribeTable",
- "dynamodb:GetItem",
- "dynamodb:PutItem",
- "dynamodb:DeleteItem"
- ]
- Resource = [var.dynamodb_state_file_locks_table_arn]
- }
- ]
- })
-}
-
 resource "aws_iam_policy" "release_lock_on_state_files" {
 name = "release-lock-on-state-files"
 path = "/"
diff --git a/infra/modules/engineer-access/roles.tf b/infra/modules/engineer-access/roles.tf
index 9844b0e79..ad15e8f1f 100644
--- a/infra/modules/engineer-access/roles.tf
+++ b/infra/modules/engineer-access/roles.tf
@@ -28,7 +28,6 @@ module "support_role" {
 aws_iam_policy.manage_dashboards.arn,
 aws_iam_policy.manage_deployments.arn,
 aws_iam_policy.manage_maintenance_page.arn,
- aws_iam_policy.lock_state_files.arn,
 aws_iam_policy.release_lock_on_state_files.arn,
 var.allow_rds_data_api_access ? [aws_iam_policy.query_rds_with_data_api[0].arn] : [],
 var.allow_ecs_task_usage ? [aws_iam_policy.run_task[0].arn, aws_iam_policy.stop_task[0].arn] : []
@@ -44,7 +43,6 @@ module "readonly_role" {
 role_suffix = "readonly"
 iam_policy_arns = [
 "arn:aws:iam::aws:policy/ReadOnlyAccess",
- aws_iam_policy.lock_state_files.arn,
 ]
 ip_restrictions = local.vpn_ip_restrictions
 }
diff --git a/infra/modules/engineer-access/variables.tf b/infra/modules/engineer-access/variables.tf
index 9f28a3aaf..050be4d93 100644
--- a/infra/modules/engineer-access/variables.tf
+++ b/infra/modules/engineer-access/variables.tf
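Review bot: `resource "aws_iam_policy" "release_lock_on_state_files"` is kept (its body lies outside the hunk) and remains attached to the support role in `roles.tf` (`@@ -28,7` on this line), while the table ARN it would most naturally be scoped to, `var.dynamodb_state_file_locks_table_arn`, is deleted from `variables.tf` on the next line. Either its `Resource` still references that variable, in which case `terraform validate` fails for the module, or it carries a DynamoDB grant for a table this change stops using, which should be removed in the same commit rather than left as an unused permission. If releasing stuck locks is still a support task under S3-native locking, the equivalent is `s3:DeleteObject` on the `.tflock` object, and the policy's `name`/`description` should say so.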
@@ -49,11 +49,6 @@ variable "codestar_connection_arn" {
 description = "The arn of the github connection to use"
 }
 
-variable "dynamodb_state_file_locks_table_arn" {
- type = string
- description = "The arn of the DynamoDB table being used for state file locking"
-}
-
 variable "allow_rds_data_api_access" {
 type = bool
 description = "Whether appropriate engineer roles should have access to the AWS RDS Data API"