feat: import the resources for BI Extracts

- Import the s3 bucket that was created to store Cost and Usage Report 2.0 data - Update TF Plan actions to handle imports
cds-snc · Jan 31, 2024 · e3ba09d · e3ba09d
1 parent 049793c
commit e3ba09d
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 2 deletions.
diff --git a/.github/workflows/tf-plan-org.yml b/.github/workflows/tf-plan-org.yml
@@ -11,6 +11,7 @@ env:
   TERRAFORM_VERSION: 1.1.7
   TERRAGRUNT_VERSION: 0.36.3
   CONFTEST_VERSION: 0.30.0
+  TF_SUMMARIZE_VERSION: 0.3.5
 
 permissions:
   id-token: write
@@ -39,7 +40,7 @@ jobs:
           aws-region: ca-central-1
 
       - name: Terraform Plan for org_account/aft
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@v3.2.0
         with:
           comment-delete: true
           comment-title: Plan for org_account/organization

diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
@@ -10,6 +10,7 @@ env:
   TERRAFORM_VERSION: 1.1.7
   TERRAGRUNT_VERSION: 0.36.3
   CONFTEST_VERSION: 0.30.0
+  TF_SUMMARIZE_VERSION: 0.3.5
 
 permissions:
   id-token: write
@@ -52,6 +53,12 @@ jobs:
             role: cds-aws-lz-plan
             admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
 
+          - account_folder: org_account
+            module: bi_extracts
+            account: 659087519042
+            role: cds-aws-lz-plan
+            admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
+
           - account_folder: log_archive
             module: main
             account: 274536870005
@@ -90,6 +97,7 @@ jobs:
             account: 137554749751
             role: cds-aws-lz-plan
             aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
+
 
     runs-on: ubuntu-latest
     steps:
@@ -119,7 +127,7 @@ jobs:
           TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}}
           TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}}
           TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
-        uses: cds-snc/terraform-plan@v3
+        uses: cds-snc/terraform-plan@v3.2.0
         with:
           comment-delete: true
           comment-title: Plan for ${{matrix.account_folder}}/${{ matrix.module }}

diff --git a/terragrunt/org_account/bi_extracts/.terraform.lock.hcl b/terragrunt/org_account/bi_extracts/.terraform.lock.hcl
diff --git a/terragrunt/org_account/bi_extracts/main.tf b/terragrunt/org_account/bi_extracts/main.tf
@@ -0,0 +1,70 @@
+module "cur_export_bucket" { 
+  source = "github.com/cds-snc/terraform-modules//S3?ref=v9.0.5"
+  billing_tag_value = "SRE"
+}
+
+import { 
+  to = module.cur_export_bucket.aws_s3_bucket.this
+  id = "713f18dd-9f30-4976-a152-e81d48cf053a"
+}
+
+resource "aws_s3_bucket_policy" "cur_export_bucket" { 
+  bucket = module.cur_export_bucket.s3_bucket_id
+  policy = data.aws_iam_policy_document.cur_export_bucket.json
+
+}
+
+import {
+  to = aws_s3_bucket_policy.cur_export_bucket
+  id = "713f18dd-9f30-4976-a152-e81d48cf053a"
+}
+
+data "aws_iam_policy_document" "cur_export_bucket" {
+  statement {
+    sid       = "EnableAWSDataExportsToWriteToS3AndCheckPolicy"
+    effect    = "Allow"
+    actions   = ["s3:PutObject", "s3:GetBucketPolicy"]
+    resources = [
+      module.cur_export_bucket.s3_bucket_arn,
+      "${module.cur_export_bucket.s3_bucket_arn}/*"
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["bcm-data-exports.amazonaws.com", "billingreports.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "aws:SourceArn"
+      values   = [
+        "arn:aws:cur:us-east-1:659087519042:definition/*",
+        "arn:aws:bcm-data-exports:us-east-1:659087519042:export/*"
+      ]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = ["659087519042"]
+    }
+  }
+
+  statement {
+    sid       = "CDSSupersetRootRead"
+    effect    = "Allow"
+    actions   = [
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:ListMultipartUploadParts",
+      "s3:AbortMultipartUpload"
+    ]
+    resources = [
+      module.cur_export_bucket.s3_bucket_arn,
+      "${module.cur_export_bucket.s3_bucket_arn}/*"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::066023111852:root"]
+    }
+  }
+}
diff --git a/terragrunt/org_account/bi_extracts/terragrunt.hcl b/terragrunt/org_account/bi_extracts/terragrunt.hcl
@@ -0,0 +1,4 @@
+include {
+  path = find_in_parent_folders()
+}
+