From f3ca44c1e1b018ef7526d167ea6849d9a8e0b0d7 Mon Sep 17 00:00:00 2001
From: Will Gibson <8738245+WillGibson@users.noreply.github.com>
Date: Thu, 20 Feb 2025 17:38:17 +0000
Subject: [PATCH] chore: DBTP-1700 Deprecate cross_enviroment_service_access application property (#345)
---
 s3/main.tf | 4 ++--
 s3/tests/unit.tftest.hcl | 6 +-----
 s3/variables.tf | 4 +++-
 3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/s3/main.tf b/s3/main.tf
index bd6373e1..964d96f8 100644
--- a/s3/main.tf
+++ b/s3/main.tf
@@ -72,7 +72,7 @@ data "aws_iam_policy_document" "bucket-policy" {
 }
 condition {
 test = "StringLike"
- values = ["arn:aws:iam::${statement.value.account}:role/${statement.value.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
+ values = ["arn:aws:iam::${statement.value.account}:role/${var.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
 variable = "aws:PrincipalArn"
 }
 resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
@@ -162,7 +162,7 @@ data "aws_iam_policy_document" "key-policy" {
 }
 condition {
 test = "StringLike"
- values = ["arn:aws:iam::${statement.value.account}:role/${statement.value.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
+ values = ["arn:aws:iam::${statement.value.account}:role/${var.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*"]
 variable = "aws:PrincipalArn"
 }
 resources = [aws_kms_key.kms-key[0].arn]
diff --git a/s3/tests/unit.tftest.hcl b/s3/tests/unit.tftest.hcl
index c01b14a0..bfb51ea6 100644
--- a/s3/tests/unit.tftest.hcl
+++ b/s3/tests/unit.tftest.hcl
@@ -521,7 +521,6 @@ run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" {
 "type" = "s3",
 "cross_environment_service_access" = {
 "test-access" = {
- "application" = "app",
 "environment" = "test",
 "account" = "123456789012",
 "service" = "service",
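Review bot: The new `aws:PrincipalArn` value still interpolates `statement.value.account`, `statement.value.environment` and `statement.value.service` straight from `var.config` into a `StringLike` pattern, so a `*` or `?` in any of those config strings widens the match (a `*` in `account` would admit matching role names from every account), and nothing in this hunk constrains them. Pinning the application segment to `var.application` narrows one segment; the remaining three deserve the same treatment. A `validation` on `var.config` (or a `precondition` on this data source) that rejects wildcard characters, roughly `condition = alltrue([for v in values(try(var.config.cross_environment_service_access, {})) : !can(regex("[*?]", "${v.account}${v.environment}${v.service}"))])`, would keep each entry to exactly one TaskRole name family. The enclosing `statement` block and the `bucket-policy` data source begin outside the hunk, so I cannot see whether the `principals` block already limits the account.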
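Review bot: This is the second verbatim copy of the `TaskRole-*` ARN pattern on the page (the `bucket-policy` hunk above carries the same string), and the commit had to edit both in step, which is the usual sign that the two policies will drift apart. One definition built once from the config entries, e.g. `cross_env_principal_arns = { for k, v in try(var.config.cross_environment_service_access, {}) : k => "arn:aws:iam::${v.account}:role/${var.application}-${v.environment}-${v.service}-TaskRole-*" }` in `locals`, with both `condition` blocks reading `values = [local.cross_env_principal_arns[statement.key]]`, would keep the bucket and key policies identical by construction. Whether `statement.key` lines up with the config key depends on the dynamic block's `for_each`, which starts outside the hunk, as does the `key-policy` data source itself.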
@@ -550,7 +549,7 @@ run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" {
 assert {
 condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition :
- item if item.values == tolist(["arn:aws:iam::123456789012:role/app-test-service-TaskRole-*"])]) == 1
+ item if item.values == tolist(["arn:aws:iam::123456789012:role/s3-test-application-test-service-TaskRole-*"])]) == 1
 error_message = "condition should have a values: [bucket arn] attribute"
 }
@@ -573,7 +572,6 @@ run "aws_s3_bucket_cross_environment_service_access_read_only_unit_test" {
 "type" = "s3",
 "cross_environment_service_access" = {
 "test-access" = {
- "application" = "app",
 "environment" = "test",
 "account" = "123456789012",
 "service" = "service",
@@ -609,7 +607,6 @@ run "aws_s3_bucket_cross_environment_service_access_write_only_unit_test" {
 "type" = "s3",
 "cross_environment_service_access" = {
 "test-access" = {
- "application" = "app",
 "environment" = "test",
 "account" = "123456789012",
 "service" = "service",
@@ -645,7 +642,6 @@ run "aws_s3_bucket_cross_environment_service_access_invalid_cyber_sign_off" {
 "type" = "s3",
 "cross_environment_service_access" = {
 "test-access" = {
- "application" = "app",
 "environment" = "test",
 "account" = "123456789012",
 "service" = "service",
diff --git a/s3/variables.tf b/s3/variables.tf
index b596843d..8a016480 100644
--- a/s3/variables.tf
+++ b/s3/variables.tf
@@ -43,7 +43,9 @@ variable "config" {
 })))
 # NOTE: allows access to S3 bucket from DBT Platform managed service roles, also generates Copilot addon for service access
 cross_environment_service_access = optional(map(object({
- application = string
+ # Deprecated: We didn't implement cross application access, no service teams are asking for it.
+ # application should be removed once we can confirm that no-one is using it.
+ application = optional(string)
 account = string
 environment = string
 service = string
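Review bot: The updated assertion checks the `aws:PrincipalArn` role pattern, but the `error_message` on the following line still says `condition should have a values: [bucket arn] attribute`, so a failure would send the reader to the wrong attribute. Replace it with `error_message = "condition values should be the cross-environment TaskRole ARN built from var.application"`. The expected string also hard-codes `s3-test-application`, which I take to be the `application` variable set earlier in this `run` block (outside the hunk); building the expected value from `var.application` would make the assertion self-describing and keep it from breaking when that fixture value changes. The `run` block starts and ends outside the hunk.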
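Review bot: The deprecation comment says `application` should be removed later but not that it is now ignored; after this commit the policies in `main.tf` always use `var.application`, so a caller who still sets `application = "other-app"` expecting that application's roles to be admitted silently gets a policy that grants only this application's roles. State that in the comment, e.g. `# Deprecated and ignored: the generated policies always use var.application; remove once no config sets it.`, and consider failing early when a different value is supplied, for example a `precondition` on the policy data source with `condition = alltrue([for v in values(try(var.config.cross_environment_service_access, {})) : v.application == null || v.application == var.application])` and `error_message = "cross_environment_service_access.application is deprecated and must match var.application"`. The enclosing `variable "config"` block starts and ends outside the hunk.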