eli-327 fixing SSL transport as default, changing arn to id to avoid terraform constantly updating CMKs

Author: eddalmond1

infrastructure/modules/s3/outputs.tf

@@ -21,3 +21,7 @@ output "storage_bucket_id" {
 output "storage_bucket_kms_key_arn" {
   value = aws_kms_key.storage_bucket_cmk.arn
 }
+
+output "storage_bucket_kms_key_id" {
+  value = aws_kms_key.storage_bucket_cmk.id
+}

infrastructure/modules/s3/s3.tf

@@ -14,39 +14,6 @@ resource "aws_s3_bucket_versioning" "storage_bucket_versioning_config" {
   }
 }
 
-# ensure only secure transport is allowed
-
-resource "aws_s3_bucket_policy" "storage_bucket" {
-  bucket = aws_s3_bucket.storage_bucket.id
-  policy = data.aws_iam_policy_document.storage_s3_bucket_policy.json
-}
-
-data "aws_iam_policy_document" "storage_s3_bucket_policy" {
-  statement {
-    sid = "AllowSslRequestsOnly"
-    actions = [
-      "s3:*",
-    ]
-    effect = "Deny"
-    resources = [
-      aws_s3_bucket.storage_bucket.arn,
-      "${aws_s3_bucket.storage_bucket.arn}/*",
-    ]
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-    condition {
-      test = "Bool"
-      values = [
-        "false",
-      ]
-
-      variable = "aws:SecureTransport"
-    }
-  }
-}
-
 # Block public access to the bucket
 resource "aws_s3_bucket_public_access_block" "storage_bucket_block_public_access" {
   bucket = aws_s3_bucket.storage_bucket.id

infrastructure/stacks/api-layer/iam_policies.tf

@@ -71,6 +71,70 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
   }
 }
 
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "rules_s3_bucket" {
+  bucket = module.s3_rules_bucket.storage_bucket_id
+  policy = data.aws_iam_policy_document.rules_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "rules_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      module.s3_rules_bucket.storage_bucket_arn,
+      "${module.s3_rules_bucket.storage_bucket_arn}/*",
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "audit_s3_bucket" {
+  bucket = module.s3_audit_bucket.storage_bucket_id
+  policy = data.aws_iam_policy_document.audit_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "audit_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      module.s3_audit_bucket.storage_bucket_arn,
+      "${module.s3_audit_bucket.storage_bucket_arn}/*",
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
 # Attach s3 read policy to Lambda role
 resource "aws_iam_role_policy" "lambda_s3_read_policy" {
   name   = "S3ReadAccess"
@@ -216,7 +280,7 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 }
 
 resource "aws_kms_key_policy" "s3_rules_kms_key" {
-  key_id = module.s3_rules_bucket.storage_bucket_kms_key_arn
+  key_id = module.s3_rules_bucket.storage_bucket_kms_key_id
   policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
 }
 
@@ -253,7 +317,7 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
 }
 
 resource "aws_kms_key_policy" "s3_audit_kms_key" {
-  key_id = module.s3_audit_bucket.storage_bucket_kms_key_arn
+  key_id = module.s3_audit_bucket.storage_bucket_kms_key_id
   policy = data.aws_iam_policy_document.s3_audit_kms_key_policy.json
 }