Remove unused policies and variables for state locking with dynamodb

infra/deployments/deploy/engineer-access/roles.tf

@@ -3,16 +3,15 @@ module "users" {
 }
 
 module "engineer_access" {
-  source                              = "../../../modules/engineer-access"
-  admins                              = module.users.with_role["deploy_admin"]
-  support                             = module.users.with_role["deploy_support"]
-  readonly                            = module.users.with_role["deploy_readonly"]
-  env_name                            = "deploy"
-  environment_type                    = "deploy"
-  codestar_connection_arn             = var.codestar_connection_arn
-  dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb::${var.deploy_account_id}:table/*"
-  allow_ecs_task_usage                = false
-  allow_rds_data_api_access           = false
+  source                    = "../../../modules/engineer-access"
+  admins                    = module.users.with_role["deploy_admin"]
+  support                   = module.users.with_role["deploy_support"]
+  readonly                  = module.users.with_role["deploy_readonly"]
+  env_name                  = "deploy"
+  environment_type          = "deploy"
+  codestar_connection_arn   = var.codestar_connection_arn
+  allow_ecs_task_usage      = false
+  allow_rds_data_api_access = false
 
   # Pentesters may not have GDS domains so our pattern using the 'users' module
   # doesn't necessarily work.

infra/deployments/forms/account/deployer-access.tf

@@ -1,21 +1,11 @@
-locals {
-  # The user research account uses an underscore for environment type
-  # and a dash for environment name. This is a bug fix to get the user-research
-  # account Terraform working again while we determine what impact changing
-  # the values will have.
-  dynamodb_table_name = (var.environment_type == "user_research" ?
-    "govuk-forms-user-research-tfstate-locking" :
-  "govuk-forms-${var.environment_type}-tfstate-locking")
-}
 module "deployer_access" {
-  source                              = "../../../modules/deployer-access"
-  environment_name                    = var.environment_name
-  environment_type                    = replace(var.environment_type, "_", "-") # See comment about dynamodb table name
-  account_id                          = var.aws_account_id
-  deploy_account_id                   = var.deploy_account_id
-  hosted_zone_id                      = aws_route53_zone.public.id
-  codestar_connection_arn             = var.codestar_connection_arn
-  dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/*"
+  source                  = "../../../modules/deployer-access"
+  environment_name        = var.environment_name
+  environment_type        = replace(var.environment_type, "_", "-") # The user research account uses an underscore for environment type and a dash for environment name
+  account_id              = var.aws_account_id
+  deploy_account_id       = var.deploy_account_id
+  hosted_zone_id          = aws_route53_zone.public.id
+  codestar_connection_arn = var.codestar_connection_arn
 
   depends_on = [aws_route53_zone.public]
 }

infra/deployments/forms/account/engineer-access.tf

@@ -3,17 +3,16 @@ module "users" {
 }
 
 module "engineer_access" {
-  source                              = "../../../modules/engineer-access"
-  env_name                            = var.account_name
-  environment_type                    = var.environment_type
-  admins                              = module.users.with_role["${var.environment_type}_admin"]
-  support                             = module.users.with_role["${var.environment_type}_support"]
-  readonly                            = module.users.with_role["${var.environment_type}_readonly"]
-  pentesters                          = var.pentester_email_addresses
-  pentester_cidrs                     = var.pentester_cidr_ranges
-  vpn                                 = var.require_vpn_to_access
-  codestar_connection_arn             = var.codestar_connection_arn
-  dynamodb_state_file_locks_table_arn = "arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/*"
-  allow_rds_data_api_access           = true
-  allow_ecs_task_usage                = true
+  source                    = "../../../modules/engineer-access"
+  env_name                  = var.account_name
+  environment_type          = var.environment_type
+  admins                    = module.users.with_role["${var.environment_type}_admin"]
+  support                   = module.users.with_role["${var.environment_type}_support"]
+  readonly                  = module.users.with_role["${var.environment_type}_readonly"]
+  pentesters                = var.pentester_email_addresses
+  pentester_cidrs           = var.pentester_cidr_ranges
+  vpn                       = var.require_vpn_to_access
+  codestar_connection_arn   = var.codestar_connection_arn
+  allow_rds_data_api_access = true
+  allow_ecs_task_usage      = true
 }

infra/deployments/forms/account/init-state-bucket/main.tf

@@ -9,30 +9,12 @@ variable "bucket_name" {
   description = "The name to give to the S3 bucket. Standard S3 bucket naming rules apply."
 }
 
-variable "dynamodb_table" {
-  type        = string
-  description = "The name to give to the DynamoDB table that will be used for state file locking."
-  default     = "tmp"
-}
-
 module "state_bucket" {
   source = "../../../../modules/state-bucket"
 
   bucket_name = var.bucket_name
 }
 
-resource "aws_dynamodb_table" "state_locking_table" {
-  #checkov:skip=CKV_AWS_28:we don't need point in time recovery on this table
-  #checkov:skip=CKV_AWS_119:we don't require encryption on this table
-  name         = var.dynamodb_table
-  hash_key     = "LockID"
-  billing_mode = "PAY_PER_REQUEST"
-
-  attribute {
-    name = "LockID"
-    type = "S"
-  }
-}
 
 output "bucket_name" {
   value = module.state_bucket.bucket_name

infra/deployments/forms/account/inputs.tf

@@ -24,13 +24,6 @@ variable "bucket" {
   nullable    = false
 }
 
-variable "dynamodb_table" {
-  description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend"
-  type        = string
-  nullable    = false
-  default     = "tmp"
-}
-
 variable "environment_name" {
   description = "The name of the environment. This is distinct from the environment type, but is likely to share the same name in cases like production or staging."
   type        = string

infra/deployments/forms/inputs.tf

@@ -54,13 +54,6 @@ variable "bucket" {
   nullable    = false
 }
 
-variable "dynamodb_table" {
-  description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend"
-  type        = string
-  nullable    = false
-  default     = "tmp"
-}
-
 variable "dlq_arn" {
   description = "The ARN of the dead letter queue for paused pipeline detection"
   type        = string

infra/deployments/integration/account/engineer-access.tf

@@ -51,7 +51,6 @@ module "support_role" {
   email       = "${each.value}@digital.cabinet-office.gov.uk"
   role_suffix = "support"
   iam_policy_arns = [
-    aws_iam_policy.lock_state_files.id
   ]
   ip_restrictions = local.ip_restrictions
 }
@@ -64,7 +63,6 @@ module "readonly_role" {
   role_suffix = "readonly"
   iam_policy_arns = [
     "arn:aws:iam::aws:policy/ReadOnlyAccess",
-    aws_iam_policy.lock_state_files.id
   ]
   ip_restrictions = local.ip_restrictions
 }
@@ -82,27 +80,3 @@ module "pentester_role" {
   ]
   ip_restrictions = var.pentester_cidr_ranges
 }
-
-
-resource "aws_iam_policy" "lock_state_files" {
-  name = "lock-state-files"
-  path = "/"
-
-  description = "Allow reading and writing from a DynamoDB table used for Terraform state file locking"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "dynamodb:DescribeTable",
-          "dynamodb:GetItem",
-          "dynamodb:PutItem",
-          "dynamodb:DeleteItem"
-        ]
-        Resource = ["arn:aws:dynamodb:eu-west-2:${var.aws_account_id}:table/${var.dynamodb_table}"]
-      }
-    ]
-  })
-}

infra/deployments/integration/inputs.tf

@@ -24,13 +24,6 @@ variable "bucket" {
   nullable    = false
 }
 
-variable "dynamodb_table" {
-  description = "Name of the DynamoDB table used for state file locking. This is named to match the key in the S3 type backend"
-  type        = string
-  nullable    = false
-  default     = "tmp"
-}
-
 variable "require_vpn_to_access" {
   type        = bool
   description = "Whether this AWS account will require users to be on the VPN to access it"

infra/modules/deployer-access/policy.tf

@@ -5,7 +5,6 @@
 ##
 data "aws_iam_policy_document" "forms_infra" {
   source_policy_documents = [
-    data.aws_iam_policy_document.lock_state_files.json,
     data.aws_iam_policy_document.alerts.json,
     data.aws_iam_policy_document.dns.json,
     data.aws_iam_policy_document.monitoring.json,
@@ -81,19 +80,6 @@ resource "aws_iam_role_policy_attachment" "full_read_only" {
   role       = aws_iam_role.deployer.id
 }
 
-data "aws_iam_policy_document" "lock_state_files" {
-  statement {
-    sid    = "AllowStateFileLocking"
-    effect = "Allow"
-    actions = [
-      "dynamodb:DescribeTable",
-      "dynamodb:GetItem",
-      "dynamodb:PutItem",
-      "dynamodb:DeleteItem"
-    ]
-    resources = [var.dynamodb_state_file_locks_table_arn]
-  }
-}
 data "aws_iam_policy_document" "alerts" {
   statement {
     sid = "ManageKMSKeyAlerts"

infra/modules/deployer-access/variables.tf

@@ -28,8 +28,3 @@ variable "codestar_connection_arn" {
   type        = string
   description = "ARN of the CodeStar connection in the account"
 }
-
-variable "dynamodb_state_file_locks_table_arn" {
-  type        = string
-  description = "The arn of the DynamoDB table being used for state file locking"
-}

infra/modules/engineer-access/policies.tf

@@ -289,29 +289,6 @@ resource "aws_iam_policy" "deny_parameter_store" {
   })
 }
 
-resource "aws_iam_policy" "lock_state_files" {
-  name = "lock-state-files"
-  path = "/"
-
-  description = "Allow reading and writing from a DynamoDB table used for Terraform state file locking"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "dynamodb:DescribeTable",
-          "dynamodb:GetItem",
-          "dynamodb:PutItem",
-          "dynamodb:DeleteItem"
-        ]
-        Resource = [var.dynamodb_state_file_locks_table_arn]
-      }
-    ]
-  })
-}
-
 resource "aws_iam_policy" "release_lock_on_state_files" {
   name = "release-lock-on-state-files"
   path = "/"

infra/modules/engineer-access/roles.tf

@@ -28,7 +28,6 @@ module "support_role" {
     aws_iam_policy.manage_dashboards.arn,
     aws_iam_policy.manage_deployments.arn,
     aws_iam_policy.manage_maintenance_page.arn,
-    aws_iam_policy.lock_state_files.arn,
     aws_iam_policy.release_lock_on_state_files.arn,
     var.allow_rds_data_api_access ? [aws_iam_policy.query_rds_with_data_api[0].arn] : [],
     var.allow_ecs_task_usage ? [aws_iam_policy.run_task[0].arn, aws_iam_policy.stop_task[0].arn] : []
@@ -44,7 +43,6 @@ module "readonly_role" {
   role_suffix = "readonly"
   iam_policy_arns = [
     "arn:aws:iam::aws:policy/ReadOnlyAccess",
-    aws_iam_policy.lock_state_files.arn,
   ]
   ip_restrictions = local.vpn_ip_restrictions
 }

infra/modules/engineer-access/variables.tf

@@ -49,11 +49,6 @@ variable "codestar_connection_arn" {
   description = "The arn of the github connection to use"
 }
 
-variable "dynamodb_state_file_locks_table_arn" {
-  type        = string
-  description = "The arn of the DynamoDB table being used for state file locking"
-}
-
 variable "allow_rds_data_api_access" {
   type        = bool
   description = "Whether appropriate engineer roles should have access to the AWS RDS Data API"