Merge pull request #277 from NHSDigital/bugfix/eja-eli-388-enable-audit-logging-by-adding-permissions

eli-388 adding access log permissions for audit buckets

Author: eddalmond1

infrastructure/modules/s3/s3.tf

@@ -105,14 +105,57 @@ data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
       variable = "aws:SecureTransport"
     }
   }
+
+  # Allow S3 Log Delivery service to write access logs
+  statement {
+    sid    = "S3ServerAccessLogsPolicy"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.storage_bucket_access_logs.arn}/*"
+    ]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.storage_bucket.arn]
+    }
+  }
+
+  # Allow S3 Log Delivery service to check bucket location and get bucket ACL
+  statement {
+    sid    = "S3ServerAccessLogsDeliveryRootAccess"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:ListBucket"
+    ]
+    resources = [
+      aws_s3_bucket.storage_bucket_access_logs.arn
+    ]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.storage_bucket.arn]
+    }
+  }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
   bucket = aws_s3_bucket.storage_bucket_access_logs.id
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      sse_algorithm     = "aws:kms"
       kms_master_key_id = aws_kms_key.storage_bucket_cmk.arn
     }
   }