From e3ba09d26e329c953889a758a5719b1e8099fc91 Mon Sep 17 00:00:00 2001
From: Calvin Rodo
Date: Wed, 31 Jan 2024 18:34:44 +0000
Subject: [PATCH] feat: import the resources for BI Extracts

- Import the s3 bucket that was created to store Cost and Usage Report 2.0 data
- Update TF Plan actions to handle imports
---
 .github/workflows/tf-plan-org.yml | 3 +-
 .github/workflows/tf-plan.yml | 10 ++-
 .../bi_extracts/.terraform.lock.hcl | 25 +++++++
 terragrunt/org_account/bi_extracts/main.tf | 70 +++++++++++++++++++
 .../org_account/bi_extracts/terragrunt.hcl | 4 ++
 5 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 terragrunt/org_account/bi_extracts/.terraform.lock.hcl
 create mode 100644 terragrunt/org_account/bi_extracts/main.tf
 create mode 100644 terragrunt/org_account/bi_extracts/terragrunt.hcl
diff --git a/.github/workflows/tf-plan-org.yml b/.github/workflows/tf-plan-org.yml
index 3e51f599..78569d74 100644
--- a/.github/workflows/tf-plan-org.yml
+++ b/.github/workflows/tf-plan-org.yml
@@ -11,6 +11,7 @@ env:
 TERRAFORM_VERSION: 1.1.7
 TERRAGRUNT_VERSION: 0.36.3
 CONFTEST_VERSION: 0.30.0
+ TF_SUMMARIZE_VERSION: 0.3.5
 permissions:
 id-token: write
@@ -39,7 +40,7 @@ jobs:
 aws-region: ca-central-1
 - name: Terraform Plan for org_account/aft
- uses: cds-snc/terraform-plan@v3
+ uses: cds-snc/terraform-plan@v3.2.0
 with:
 comment-delete: true
 comment-title: Plan for org_account/organization
diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
index 17a504aa..490b30f5 100644
--- a/.github/workflows/tf-plan.yml
+++ b/.github/workflows/tf-plan.yml
@@ -10,6 +10,7 @@ env:
 TERRAFORM_VERSION: 1.1.7
 TERRAGRUNT_VERSION: 0.36.3
 CONFTEST_VERSION: 0.30.0
+ TF_SUMMARIZE_VERSION: 0.3.5
 permissions:
 id-token: write
@@ -52,6 +53,12 @@ jobs:
 role: cds-aws-lz-plan
 admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
+ - account_folder: org_account
+ module: bi_extracts
+ account: 659087519042
+ role: cds-aws-lz-plan
+ admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
+
 - account_folder: log_archive
 module: main
 account: 274536870005
@@ -90,6 +97,7 @@ jobs:
 account: 137554749751
 role: cds-aws-lz-plan
 aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
+
 runs-on: ubuntu-latest
 steps:
@@ -119,7 +127,7 @@ jobs:
 TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}}
 TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}}
 TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
- uses: cds-snc/terraform-plan@v3
+ uses: cds-snc/terraform-plan@v3.2.0
 with:
 comment-delete: true
 comment-title: Plan for ${{matrix.account_folder}}/${{ matrix.module }}
diff --git a/terragrunt/org_account/bi_extracts/.terraform.lock.hcl b/terragrunt/org_account/bi_extracts/.terraform.lock.hcl
new file mode 100644
index 00000000..ac5d5e3f
--- /dev/null
+++ b/terragrunt/org_account/bi_extracts/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.11.0"
+ constraints = ">= 4.9.0, >= 4.40.0, <= 5.11.0"
+ hashes = [
+ "h1:OyEBhYcTPChBb0gooSlLIcrxakh72qAN+Sd8Oo12uoc=",
+ "zh:2913af44f9b584f756e5548d5ddc5a251c6d68a7fcd7c41d1418a800a94ef113",
+ "zh:31d2bfa84608b74ff5896f41b09e5927d7c37d18875277a51dcd75a1fea3f909",
+ "zh:8538ff18e3b4822178e793f06764efdbb84c62227c1051af7d2409ab7be37bfc",
+ "zh:8a9295e623327613fc02a6994e73c61b9d0d195bf6fabdb31ee9fd0e6778f62b",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:a65877248951eadf0d16a3260e85f6b178645da7f1897bc7bda6f12fdbec8e47",
+ "zh:a70772851e2c87cc1e10c35389718a544746adc4acbbed129243c0972c367fc6",
+ "zh:b10ca631318f8d1d9a2baa318139bc9e545e51efaf677afece173badce75b44c",
+ "zh:ca2a5698c33158549fa084ad601610eae94498cba445458391b507da22355402",
+ "zh:cdbfc4d64161561bfbcaee5d9b078077ed986131a1eab32ff30e71be09037eec",
+ "zh:ce499f93835bf3d28c13ba98a0a220ff541a827fb400fa931601a375b907b56d",
+ "zh:da6af610e66e96280a299071a698568b505c2456bb15c906304d6f39578c72e3",
+ "zh:e42714e085126c10d8f29664143f97d771b6cc6887d27cdf6c4007ab12af4646",
+ "zh:e86dd0c561c73512acba69f55041adfc04d0467f592f52337a7ac600fbc93680",
+ "zh:f5da95bbd44809534c6678e9b1ae0b390331a5619f2ae353c6b88e96ae855cc0",
+ ]
+}
diff --git a/terragrunt/org_account/bi_extracts/main.tf b/terragrunt/org_account/bi_extracts/main.tf
new file mode 100644
index 00000000..9287ed9b
--- /dev/null
+++ b/terragrunt/org_account/bi_extracts/main.tf
@@ -0,0 +1,70 @@
+module "cur_export_bucket" {
+ source = "github.com/cds-snc/terraform-modules//S3?ref=v9.0.5"
+ billing_tag_value = "SRE"
+}
+
+import {
+ to = module.cur_export_bucket.aws_s3_bucket.this
+ id = "713f18dd-9f30-4976-a152-e81d48cf053a"
+}
+
+resource "aws_s3_bucket_policy" "cur_export_bucket" {
+ bucket = module.cur_export_bucket.s3_bucket_id
+ policy = data.aws_iam_policy_document.cur_export_bucket.json
+
+}
+
+import {
+ to = aws_s3_bucket_policy.cur_export_bucket
+ id = "713f18dd-9f30-4976-a152-e81d48cf053a"
+}
+
+data "aws_iam_policy_document" "cur_export_bucket" {
+ statement {
+ sid = "EnableAWSDataExportsToWriteToS3AndCheckPolicy"
+ effect = "Allow"
+ actions = ["s3:PutObject", "s3:GetBucketPolicy"]
+ resources = [
+ module.cur_export_bucket.s3_bucket_arn,
+ "${module.cur_export_bucket.s3_bucket_arn}/*"
+ ]
+ principals {
+ type = "Service"
+ identifiers = ["bcm-data-exports.amazonaws.com", "billingreports.amazonaws.com"]
+ }
+ condition {
+ test = "StringLike"
+ variable = "aws:SourceArn"
+ values = [
+ "arn:aws:cur:us-east-1:659087519042:definition/*",
+ "arn:aws:bcm-data-exports:us-east-1:659087519042:export/*"
+ ]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceAccount"
+ values = ["659087519042"]
+ }
+ }
+
+ statement {
+ sid = "CDSSupersetRootRead"
+ effect = "Allow"
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:AbortMultipartUpload"
+ ]
+ resources = [
+ module.cur_export_bucket.s3_bucket_arn,
+ "${module.cur_export_bucket.s3_bucket_arn}/*"
+ ]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::066023111852:root"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/terragrunt/org_account/bi_extracts/terragrunt.hcl b/terragrunt/org_account/bi_extracts/terragrunt.hcl
new file mode 100644
index 00000000..363bebe9
--- /dev/null
+++ b/terragrunt/org_account/bi_extracts/terragrunt.hcl
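Review bot: The two `import` blocks in main.tf require Terraform 1.5 or newer, while both workflow files in this same patch still pin `TERRAFORM_VERSION: 1.1.7`; if the plan action honours that pin, `terraform plan` will reject the configuration before the import is ever evaluated, so the pin needs raising (and checking against whatever version constraint Terragrunt applies) before this module can be planned. Separately, the `CDSSupersetRootRead` statement grants `arn:aws:iam::066023111852:root`, which delegates access to every principal the administrator of that account chooses to allow, and its action list includes `s3:AbortMultipartUpload`, which is not a read action and lets that account cancel the exporter's in-progress uploads; naming a specific role as the principal and dropping the abort permission keeps the statement to what its sid describes. A one-line comment above that statement naming the account, e.g. `# <BI/Superset account name> reads the CUR exports — owner: <team>`, would save the next reviewer a lookup. The `659087519042` repeated in the `aws:SourceArn` and `aws:SourceAccount` values could instead come from `data.aws_caller_identity.current.account_id`, so the policy cannot drift from the account it is actually applied in.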
@@ -0,0 +1,4 @@
+include {
+ path = find_in_parent_folders()
+}
+