add departmental ecs role access the etl bucket

LBHackney-IT · Feb 7, 2025 · 43b30db · 43b30db
1 parent b923169
commit 43b30db
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/terraform/core/99-outputs.tf b/terraform/core/99-outputs.tf
@@ -32,3 +32,15 @@ output "identity_store_id" {
 output "arn" {
   value = local.sso_instance_arn
 }
+
+output "mwaa_etl_scripts_bucket_arn" {
+  value = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
+}
+
+output "mwaa_etl_scripts_bucket_id" {
+  value = aws_s3_bucket.mwaa_etl_scripts_bucket.id
+}
+
+output "mwaa_key_arn" {
+  value = aws_kms_key.mwaa_key.arn
+}
diff --git a/terraform/modules/department/01-inputs-required.tf b/terraform/modules/department/01-inputs-required.tf
@@ -132,3 +132,15 @@ variable "redshift_port" {
   description = "Port that the redshift cluster is running on"
   type        = number
 }
+
+variable "mwaa_etl_scripts_bucket_arn" {
+  type = string
+}
+
+variable "mwaa_etl_scripts_bucket_id" {
+  type = string
+}
+
+variable "mwaa_key_arn" {
+  type = string
+}
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -174,7 +174,8 @@ data "aws_iam_policy_document" "s3_department_access" {
       var.athena_storage_bucket.kms_key_arn,
       var.glue_scripts_bucket.kms_key_arn,
       var.spark_ui_output_storage_bucket.kms_key_arn,
-      var.glue_temp_storage_bucket.kms_key_arn
+      var.glue_temp_storage_bucket.kms_key_arn,
+      var.mwaa_key_arn
     ]
   }
 
@@ -216,7 +217,10 @@ data "aws_iam_policy_document" "s3_department_access" {
       var.glue_temp_storage_bucket.bucket_arn,
 
       var.spark_ui_output_storage_bucket.bucket_arn,
-      "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*"
+      "${var.spark_ui_output_storage_bucket.bucket_arn}/${local.department_identifier}/*",
+
+      var.mwaa_etl_scripts_bucket_arn,
+      "${var.mwaa_etl_scripts_bucket_arn}/*",
     ]
   }