terrform files

2026-06-08 11:17:27 +00:00 · 2026-02-10 15:49:04 +00:00 · 2026-02-10 15:49:04 +00:00 · 507ecfb8a1
commit 507ecfb8a1
parent 95dff50455
6 changed files with 170 additions and 24 deletions
--- a/infrastructure/terraform/lambda/_template/main.tf
+++ b/infrastructure/terraform/lambda/_template/main.tf
@ -1,3 +1,30 @@
+# ==============================================================================
+# TEMPLATE: Lambda Configuration with Optional S3 IAM Policy
+# ==============================================================================
+# Instructions:
+# 1. Replace "REPLACE ME" with your lambda name (e.g., "my-lambda-name")
+# 2. Add any additional environment variables as needed
+# 3. To attach S3 IAM policies from shared state:
+#    - Uncomment the S3 policy attachment section below
+#    - Update the policy_arn to match the output from shared/main.tf
+#    - Available shared outputs (examples):
+#      - data.terraform_remote_state.shared.outputs.condition_etl_s3_read_arn
+#      - data.terraform_remote_state.shared.outputs.postcode_splitter_s3_read_arn
+# 4. To create a NEW S3 policy:
+#    - Add a new module "lambda_s3_policy" in shared/main.tf using the
+#      s3_iam_policy module (see examples in shared/main.tf)
+#    - Then reference it here using data.terraform_remote_state.shared.outputs
+# ==============================================================================
+
+data "terraform_remote_state" "shared" {
+  backend = "s3"
+  config = {
+    bucket = "assessment-model-terraform-state"
+    key = "env:/${var.stage}/terraform.tfstate"
+    region = "eu-west-2"
+  }
+}
+
 module "lambda" {
  source = "../modules/lambda_with_sqs"

@ -12,3 +39,25 @@ module "lambda" {
    LOG_LEVEL = "info"
  }
 }
+
+# ======================================================================
+# OPTIONAL: Attach S3 IAM policy to Lambda execution role
+# ======================================================================
+# Uncomment and configure the resource below to attach S3 permissions
+#
+# Example 1: Attach existing policy from shared state
+# resource "aws_iam_role_policy_attachment" "lambda_s3_policy" {
+#   role       = module.lambda.lambda_role_name
+#   policy_arn = data.terraform_remote_state.shared.outputs.YOUR_POLICY_OUTPUT_NAME_arn
+# }
+#
+# Example 2: Attach multiple policies
+# resource "aws_iam_role_policy_attachment" "lambda_read_policy" {
+#   role       = module.lambda.lambda_role_name
+#   policy_arn = data.terraform_remote_state.shared.outputs.postcode_splitter_s3_read_arn
+# }
+#
+# resource "aws_iam_role_policy_attachment" "lambda_write_policy" {
+#   role       = module.lambda.lambda_role_name
+#   policy_arn = data.terraform_remote_state.shared.outputs.another_policy_arn
+# }
--- a/infrastructure/terraform/lambda/postcodeSplitter/main.tf
+++ b/infrastructure/terraform/lambda/postcodeSplitter/main.tf
@ -32,4 +32,10 @@ module "lambda" {
      DB_PASSWORD = local.db_credentials.db_assessment_model_password
    },
  )
+}
+
+# Attach S3 read policy to the Lambda execution role
+resource "aws_iam_role_policy_attachment" "postcode_splitter_s3_read" {
+  role       = module.lambda.lambda_role_name
+  policy_arn = data.terraform_remote_state.shared.outputs.postcode_splitter_s3_read_arn
 }
--- a/infrastructure/terraform/modules/s3_iam_policy/main.tf
+++ b/infrastructure/terraform/modules/s3_iam_policy/main.tf
@ -0,0 +1,29 @@
+# Dynamically build S3 resources list from bucket ARNs and resource paths
+locals {
+  # Generate full resource ARNs by combining bucket ARNs with resource paths
+  resources = flatten([
+    for bucket_arn in var.bucket_arns : [
+      for path in var.resource_paths : "${bucket_arn}${path}"
+    ]
+  ])
+}
+
+# IAM Policy with dynamic actions and resources
+resource "aws_iam_policy" "s3_policy" {
+  name        = var.policy_name
+  description = var.policy_description
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = var.actions
+        Resource = local.resources
+        Condition = var.conditions != null ? var.conditions : null
+      }
+    ]
+  })
+
+  tags = var.tags
+}
--- a/infrastructure/terraform/modules/s3_iam_policy/outputs.tf
+++ b/infrastructure/terraform/modules/s3_iam_policy/outputs.tf
@ -0,0 +1,14 @@
+output "policy_arn" {
+  description = "ARN of the S3 IAM policy"
+  value       = aws_iam_policy.s3_policy.arn
+}
+
+output "policy_name" {
+  description = "Name of the S3 IAM policy"
+  value       = aws_iam_policy.s3_policy.name
+}
+
+output "policy_id" {
+  description = "ID of the S3 IAM policy"
+  value       = aws_iam_policy.s3_policy.id
+}
--- a/infrastructure/terraform/modules/s3_iam_policy/variables.tf
+++ b/infrastructure/terraform/modules/s3_iam_policy/variables.tf
@ -0,0 +1,39 @@
+variable "policy_name" {
+  description = "Name of the IAM policy"
+  type        = string
+}
+
+variable "policy_description" {
+  description = "Description of the IAM policy"
+  type        = string
+  default     = ""
+}
+
+variable "bucket_arns" {
+  description = "List of S3 bucket ARNs to grant access to"
+  type        = list(string)
+}
+
+variable "actions" {
+  description = "List of S3 actions to allow (e.g., ['s3:GetObject'], ['s3:PutObject'], ['s3:DeleteObject'])"
+  type        = list(string)
+  default     = ["s3:GetObject"]
+}
+
+variable "resource_paths" {
+  description = "List of resource paths within buckets (e.g., ['/*'] for all objects, ['/specific-prefix/*'] for specific prefix)"
+  type        = list(string)
+  default     = ["/*"]
+}
+
+variable "conditions" {
+  description = "Optional IAM policy conditions to apply to the statement"
+  type        = any
+  default     = null
+}
+
+variable "tags" {
+  description = "Tags to apply to the policy"
+  type        = map(string)
+  default     = {}
+}
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
@ -321,6 +321,28 @@ module "condition_etl_registry" {

 }

+# Condition Data S3 Bucket to store initial data
+module "condition_data_bucket" {
+  source      = "../modules/s3"
+  bucketname = "condition-data-${var.stage}"
+  allowed_origins = var.allowed_origins
+}
+
+module "condition_etl_s3_read" {
+  source = "../modules/s3_iam_policy"
+
+  policy_name        = "ConditionETLReadS3"
+  policy_description = "Allow Lambda to read objects from condition-data-${var.stage}"
+  bucket_arns        = ["arn:aws:s3:::condition-data-${var.stage}"]
+  actions            = ["s3:GetObject"]
+  resource_paths     = ["/*"]
+}
+
+output "condition_etl_s3_read_arn" {
+  value = module.condition_etl_s3_read.policy_arn
+}
+
+
 ################################################
 # Postcode Splitter – Lambda ECR
 ################################################
@ -337,30 +359,17 @@ module "postcode_splitter_registry" {

 }

-################################################
-# Conidition data – S3 bucket
-################################################
-module "condition_data_bucket" {
-  source      = "../modules/s3"
-  bucketname = "condition-data-${var.stage}"
-  allowed_origins = var.allowed_origins
+# S3 policy for postcode splitter to read from retrofit data bucket
+module "postcode_splitter_s3_read" {
+  source = "../modules/s3_iam_policy"
+
+  policy_name        = "PostcodeSplitterReadS3"
+  policy_description = "Allow postcode splitter Lambda to read from retrofit-data bucket"
+  bucket_arns        = ["arn:aws:s3:::retrofit-data-${var.stage}"]
+  actions            = ["s3:GetObject"]
+  resource_paths     = ["/*"]
 }

-resource "aws_iam_policy" "condition_etl_s3_read" {
-  name        = "ConditionETLReadS3"
-  description = "Allow Lambda to read objects from condition-data-${var.stage}"
-  policy      = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = ["s3:GetObject"]
-        Resource = "arn:aws:s3:::condition-data-${var.stage}/*"
-      }
-    ]
-  })
-}
-
-output "condition_etl_s3_read_arn" {
-  value = aws_iam_policy.condition_etl_s3_read.arn
+output "postcode_splitter_s3_read_arn" {
+  value = module.postcode_splitter_s3_read.policy_arn
 }