Merge pull request #9121 from ministryofjustice/feature/8345-remove-o…

…ld-state-locking-config Remove dynamodb table and legacy role for state access
ministryofjustice · Jan 30, 2025 · 260837c · 260837c
2 parents 347449c + feadab6
commit 260837c
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 158 deletions.
diff --git a/terraform/modernisation-platform-account/dynamodb.tf b/terraform/modernisation-platform-account/dynamodb.tf
diff --git a/terraform/modernisation-platform-account/iam.tf b/terraform/modernisation-platform-account/iam.tf
@@ -193,81 +193,6 @@ resource "aws_iam_role_policy_attachment" "modernisation_account_limited_read" {
   policy_arn = aws_iam_policy.modernisation_account_limited_read.arn
 }
 
-# Modernisation Platform Environments Terraform backend role
-
-data "aws_iam_policy_document" "modernisation_account_terraform_state_role" {
-  version = "2012-10-17"
-  statement {
-    sid    = "AllowDynamoDBAccess"
-    effect = "Allow"
-    actions = [
-      "dynamodb:DescribeTable",
-      "dynamodb:GetItem",
-      "dynamodb:PutItem",
-      "dynamodb:DeleteItem"
-    ]
-    resources = ["arn:aws:dynamodb:eu-west-2:${data.aws_caller_identity.current.account_id}:table/modernisation-platform-terraform-state-lock"]
-  }
-  statement {
-    sid       = "AllowS3AccessList"
-    effect    = "Allow"
-    actions   = ["s3:ListBucket"]
-    resources = ["arn:aws:s3:::modernisation-platform-terraform-state"]
-  }
-  statement {
-    sid    = "AllowS3AccessActions"
-    effect = "Allow"
-    actions = [
-      "s3:DeleteObject",
-      "s3:GetObject",
-      "s3:PutObject",
-    ]
-    resources = [
-      "arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*",
-      "arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*"
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "modernisation_account_terraform_state_assume_role" {
-  version = "2012-10-17"
-
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "ForAnyValue:StringLike"
-      variable = "aws:PrincipalOrgPaths"
-      values   = ["${data.aws_organizations_organization.root_account.id}/*/${local.modernisation_platform_ou_id}/*"]
-    }
-  }
-}
-
-resource "aws_iam_role" "modernisation_account_terraform_state" {
-  name                 = "modernisation-account-terraform-state-member-access"
-  max_session_duration = 3600
-  assume_role_policy   = data.aws_iam_policy_document.modernisation_account_terraform_state_assume_role.json
-
-  tags = local.tags
-}
-
-resource "aws_iam_policy" "modernisation_account_terraform_state" {
-  name        = "ModernisationAccountTerraformState"
-  description = "Role allowing Modernisation Platform customers access to Terraform state backend resources"
-  policy      = data.aws_iam_policy_document.modernisation_account_terraform_state_role.json
-}
-
-resource "aws_iam_role_policy_attachment" "modernisation_account_terraform_state" {
-  role       = aws_iam_role.modernisation_account_terraform_state.id
-  policy_arn = aws_iam_policy.modernisation_account_terraform_state.arn
-}
-
 # OIDC Provider for GitHub Actions Plan
 
 module "github_actions_plan_role" {