Merge pull request #8533 from ministryofjustice/fix/sso-issues

changes to role and policy for S3 malware protection
ministryofjustice · Nov 20, 2024 · b93581f · b93581f
2 parents 08c7d46 + 6a82771
commit b93581f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 37 deletions.
diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -780,29 +780,30 @@ resource "aws_iam_account_alias" "alias" {
   count         = (local.account_data.account-type != "member-unrestricted") && !(contains(local.skip_alias, terraform.workspace)) ? 1 : 0
   account_alias = terraform.workspace
 }
-# GuardDuty Malware Protection Role
-module "guardduty_malware_protection_role" {
-  # checkov:skip=CKV_TF_1:
-
-  count  = local.account_data.account-type == "member" ? 1 : 0
-  source = "github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # v5.48.0
 
-  trusted_role_services = [
-    "malware-protection-plan.guardduty.amazonaws.com"
-  ]
-  trusted_role_arns = [
-    local.modernisation_platform_account.id
-  ]
-  create_role       = true
-  role_name         = "GuardDutyMalwareProtectionRole"
-  role_requires_mfa = false
+# GuardDuty Malware Protection For S3 Role
+resource "aws_iam_role" "guardduty_malware_protection_role" {
+  count             = local.account_data.account-type == "member" ? 1 : 0
+  name              = "MalwareProtectionForS3"
+  assume_role_policy = data.aws_iam_policy_document.malware_protection_assume_role_policy.json
 
-  custom_role_policy_arns = [
-    data.aws_iam_policy.guardduty_malware.arn
-  ]
-  number_of_custom_role_policy_arns = 1
 }
-
-data "aws_iam_policy" "guardduty_malware" {
-  name = "GuardDutyMalwareProtectionPolicy"
+data "aws_iam_policy_document" "malware_protection_assume_role_policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["malware-protection-plan.guardduty.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+  }
 }
+data "aws_iam_policy" "guardduty_policy" {
+  name = "MalwareProtectionForS3Policy"
+}
+resource "aws_iam_role_policy_attachment" "guardduty_malware_policy_attachment" {
+  count     = local.account_data.account-type == "member" ? 1 : 0
+  role      = aws_iam_role.guardduty_malware_protection_role[0].name
+  policy_arn = data.aws_iam_policy.guardduty_policy.arn
+}
+
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -1392,12 +1392,12 @@ data "aws_iam_policy_document" "s3_upload_policy_document" {
 }
 # IAM Policy for GuardDuty Malware Protection
 resource "aws_iam_policy" "guardduty_policy" {
-  name        = "GuardDutyMalwareProtectionPolicy"
-  description = "Policy for GuardDuty Malware Protection Plan"
+  name        = "MalwareProtectionForS3Policy"
+  description = "Policy for GuardDuty S3 Malware Protection Plan"
   policy      = data.aws_iam_policy_document.guardduty_policy_document.json
 }
 
-# IAM Policy Document for GuardDuty Malware Protection
+# IAM Policy Document for GuardDuty Malware Protection For S3
 data "aws_iam_policy_document" "guardduty_policy_document" {
   statement {
     sid    = "EventBridgeActionsForGuardDuty"
@@ -1451,16 +1451,4 @@ data "aws_iam_policy_document" "guardduty_policy_document" {
       values   = ["s3.eu-west-2.amazonaws.com"]
     }
   }
-
-  statement {
-    sid       = "AllowPassGuardDutyRole"
-    effect    = "Allow"
-    actions   = ["iam:PassRole"]
-    resources = ["arn:aws:iam::*:role/GuardDutyMalwareProtectionRole"]
-    condition {
-      test     = "StringEqualsIfExists"
-      variable = "iam:PassedToService"
-      values   = ["malware-protection-plan.guardduty.amazonaws.com"]
-    }
-  }
 }