Merge pull request #3417 from ministryofjustice/CC-2091

CC-2091: Added oracle licensing policy and tag
ministryofjustice · Sep 20, 2023 · 6f154fb · 6f154fb
2 parents dfd9566 + fac6ec6
commit 6f154fb
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 2 deletions.
diff --git a/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs.tf b/terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs.tf
@@ -60,7 +60,8 @@ resource "aws_instance" "ec2_oracle_ebs" {
   tags = merge(local.tags,
     { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) },
     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling },
-    { backup = "true" }
+    { backup = "true" },
+    { OracleDbLTS-ManagedInstance = "true" }
   )
   depends_on = [aws_security_group.ec2_sg_ebsdb]
 }

diff --git a/terraform/environments/ccms-ebs/ccms-iam-outputs.tf b/terraform/environments/ccms-ebs/ccms-iam-outputs.tf
@@ -55,3 +55,13 @@ output "aws_iam_policy_rman_to_s3_policy" {
   description = "aws_iam_policy rman_to_s3 policy"
   value       = aws_iam_policy.rman_to_s3.policy
 }
+
+output "aws_iam_policy_oracle_licensing_arn" {
+  description = "aws_iam_policy oracle_licensing arn"
+  value       = aws_iam_policy.oracle_licensing.arn
+}
+
+output "aws_iam_policy_oracle_licensing_policy" {
+  description = "aws_iam_policy oracle_licensing policy"
+  value       = aws_iam_policy.oracle_licensing.policy
+}
diff --git a/terraform/environments/ccms-ebs/ccms-iam.tf b/terraform/environments/ccms-ebs/ccms-iam.tf
@@ -176,4 +176,39 @@ resource "aws_iam_policy" "rman_to_s3" {
 resource "aws_iam_role_policy_attachment" "rman_to_s3_policy" {
   role       = aws_iam_role.role_stsassume_oracle_base.name
   policy_arn = aws_iam_policy.rman_to_s3.arn
-}
+}
+
+
+# Oracle Licensing policy
+resource "aws_iam_policy" "oracle_licensing" {
+  name        = "oracle_licensing_policy-${local.environment}"
+  description = "Allows licensing metrics to be captured"
+
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Action" : [
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:PutObjectAcl",
+            "s3:ListBucket",
+            "s3:DeleteObject"
+          ],
+          "Resource" : [
+            "arn:aws:s3:::license-manager-artifact-bucket/*",
+            "arn:aws:s3:::license-manager-artifact-bucket"
+          ],
+          "Effect" : "Allow",
+          "Sid" : "SSMS3BucketPolicy"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "oracle_licensing_policy" {
+  role       = aws_iam_role.role_stsassume_oracle_base.name
+  policy_arn = aws_iam_policy.oracle_licensing.arn
+}