Merge pull request #9050 from ministryofjustice/feature/8345-further-…

…s3-permissions allow further roles to remove tf locks
ministryofjustice · Jan 23, 2025 · 7968fcb · 7968fcb
2 parents de4915f + 2ef50cc
commit 7968fcb
Showing 1 changed file with 70 additions and 2 deletions.
diff --git a/terraform/modernisation-platform-account/s3.tf b/terraform/modernisation-platform-account/s3.tf
@@ -197,6 +197,18 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" {
     }
   }
 
+  statement {
+    sid       = "AllowDeleteLockFromRootAccounts"
+    effect    = "Allow"
+    actions   = ["s3:DeleteObject"]
+    resources = ["${module.state-bucket.bucket.arn}/*.tflock"]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.root_users_with_state_access
+    }
+  }
+
   statement {
     sid       = "ListBucketFromModernisationPlatformOU"
     effect    = "Allow"
@@ -236,6 +248,26 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" {
     }
   }
 
+  statement {
+    sid     = "DeleteLockFromModernisationPlatformOU"
+    effect  = "Allow"
+    actions = ["s3:GetObject"]
+    resources = [
+      "${module.state-bucket.bucket.arn}/*.tflock",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:PrincipalOrgPaths"
+      values   = ["${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"]
+    }
+  }
+
   statement {
     sid     = "AllowTestingCIUser"
     effect  = "Allow"
@@ -277,11 +309,11 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" {
   }
 
   statement {
-    sid     = "AllowGithubActionsRoleDeleteTFLock"
+    sid     = "AllowGithubActionsRoleDeleteLock"
     effect  = "Allow"
     actions = ["s3:DeleteObject"]
     resources = [
-      "${module.state-bucket.bucket.arn}/*/terraform.tfstate.tflock",
+      "${module.state-bucket.bucket.arn}/*/*.tflock",
     ]
 
     principals {
@@ -326,6 +358,30 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" {
     }
   }
 
+  statement {
+    sid       = "AllowAdministratorAccessRoleDeleteLock"
+    effect    = "Allow"
+    actions   = ["s3:DeleteObject"]
+    resources = ["${module.state-bucket.bucket.arn}/environments/members/*.tflock"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:PrincipalOrgPaths"
+      values   = ["${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:PrincipalArn"
+      values   = ["arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess_*"]
+    }
+  }
+
   statement {
     sid       = "AllowMPAdministratorAccessRole"
     effect    = "Allow"
@@ -338,6 +394,18 @@ data "aws_iam_policy_document" "allow-state-access-from-root-account" {
     }
   }
 
+  statement {
+    sid       = "AllowMPAdministratorAccessRoleDeleteLock"
+    effect    = "Allow"
+    actions   = ["s3:DeleteObject"]
+    resources = ["${module.state-bucket.bucket.arn}/environments/accounts/*.tflock", ]
+
+    principals {
+      type        = "AWS"
+      identifiers = tolist(data.aws_iam_roles.sso-admin-access.arns)
+    }
+  }
+
   statement {
     sid    = "AllowSprinklerGithubActionRole"
     effect = "Allow"