chore: DBTP-1700 Deprecate cross_enviroment_service_access applicatio…

…n property (#345)

s3/main.tf

@@ -72,7 +72,7 @@ data "aws_iam_policy_document" "bucket-policy" {
       }
       condition {
         test     = "StringLike"
-        values   = ["arn:aws:iam::${statement.value.account}:role/${statement.value.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
+        values   = ["arn:aws:iam::${statement.value.account}:role/${var.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
         variable = "aws:PrincipalArn"
       }
       resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
@@ -162,7 +162,7 @@ data "aws_iam_policy_document" "key-policy" {
       }
       condition {
         test     = "StringLike"
-        values   = ["arn:aws:iam::${statement.value.account}:role/${statement.value.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
+        values   = ["arn:aws:iam::${statement.value.account}:role/${var.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
         variable = "aws:PrincipalArn"
       }
       resources = [aws_kms_key.kms-key[0].arn]

s3/tests/unit.tftest.hcl

@@ -521,7 +521,6 @@ run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" {
       "type"        = "s3",
       "cross_environment_service_access" = {
         "test-access" = {
-          "application"       = "app",
           "environment"       = "test",
           "account"           = "123456789012",
           "service"           = "service",
@@ -550,7 +549,7 @@ run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" {
 
   assert {
     condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition :
-    item if item.values == tolist(["arn:aws:iam::123456789012:role/app-test-service-TaskRole-*"])]) == 1
+    item if item.values == tolist(["arn:aws:iam::123456789012:role/s3-test-application-test-service-TaskRole-*"])]) == 1
     error_message = "condition should have a values: [bucket arn] attribute"
   }
 
@@ -573,7 +572,6 @@ run "aws_s3_bucket_cross_environment_service_access_read_only_unit_test" {
       "type"        = "s3",
       "cross_environment_service_access" = {
         "test-access" = {
-          "application"       = "app",
           "environment"       = "test",
           "account"           = "123456789012",
           "service"           = "service",
@@ -609,7 +607,6 @@ run "aws_s3_bucket_cross_environment_service_access_write_only_unit_test" {
       "type"        = "s3",
       "cross_environment_service_access" = {
         "test-access" = {
-          "application"       = "app",
           "environment"       = "test",
           "account"           = "123456789012",
           "service"           = "service",
@@ -645,7 +642,6 @@ run "aws_s3_bucket_cross_environment_service_access_invalid_cyber_sign_off" {
       "type"        = "s3",
       "cross_environment_service_access" = {
         "test-access" = {
-          "application"       = "app",
           "environment"       = "test",
           "account"           = "123456789012",
           "service"           = "service",

s3/variables.tf

@@ -43,7 +43,9 @@ variable "config" {
     })))
     # NOTE: allows access to S3 bucket from DBT Platform managed service roles, also generates Copilot addon for service access
     cross_environment_service_access = optional(map(object({
-      application       = string
+      # Deprecated: We didn't implement cross application access, no service teams are asking for it.
+      # application should be removed once we can confirm that no-one is using it.
+      application       = optional(string)
       account           = string
       environment       = string
       service           = string