From c8656f9345d9835f08de3e50f493117f8fe3dcf0 Mon Sep 17 00:00:00 2001
From: LBH-wgreeff
Date: Wed, 15 Jan 2025 14:29:34 +0000
Subject: [PATCH 1/5] creating s3 bucket for mwaa etl scripts
---
 terraform/core/46-mwaa-bucket-kms.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/terraform/core/46-mwaa-bucket-kms.tf b/terraform/core/46-mwaa-bucket-kms.tf
index 5ed1d7a92..e2019efc1 100644
--- a/terraform/core/46-mwaa-bucket-kms.tf
+++ b/terraform/core/46-mwaa-bucket-kms.tf
@@ -89,3 +89,21 @@ resource "aws_s3_bucket_public_access_block" "mwaa_bucket_block" {
 ignore_public_acls = true
 restrict_public_buckets = true
 }
+
+resource "aws_s3_bucket" "mwaa_etl_scripts_bucket" {
+ bucket = "${local.identifier_prefix}-mwaa-etl-scripts-bucket"
+
+ tags = module.tags.values
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "mwaa_etl_scripts_bucket_encryption" {
+ bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = aws_kms_key.mwaa_key.arn
+ }
+ bucket_key_enabled = true
+ }
+}
\ No newline at end of file
From 306368c1a611e526a15b10e7bfb8e8d6e536f0a4 Mon Sep 17 00:00:00 2001
From: LBH-wgreeff
Date: Wed, 15 Jan 2025 15:06:21 +0000
Subject: [PATCH 2/5] adding missing compliance exclude
---
 terraform/compliance/s3.feature | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/compliance/s3.feature b/terraform/compliance/s3.feature
index 0def1a0dd..c82540e8d 100644
--- a/terraform/compliance/s3.feature
+++ b/terraform/compliance/s3.feature
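Review bot: The new `mwaa_etl_scripts_bucket` gets SSE-KMS by default but no versioning, so an accidental or malicious overwrite of an ETL script, which is code the MWAA environment will presumably execute, cannot be detected after the fact or rolled back; add an `aws_s3_bucket_versioning` resource for it with `status = "Enabled"`. Encryption at rest also says nothing about transport: the usual companion is an `aws_s3_bucket_policy` that denies `s3:*` on the bucket and its objects when `aws:SecureTransport` is `false`, which this hunk does not add. Both buckets in this file now share `aws_kms_key.mwaa_key`; its key policy is outside the hunk, so confirm it grants the MWAA execution role `kms:Decrypt` and `kms:GenerateDataKey`, otherwise reads and writes of this bucket will fail at runtime rather than at plan time.
```hcl
# … unchanged: aws_s3_bucket.mwaa_etl_scripts_bucket and its server-side encryption configuration …

resource "aws_s3_bucket_versioning" "mwaa_etl_scripts_bucket_versioning" {
  bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}
```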
@@ -4,6 +4,7 @@ Feature: S3
 @exclude_module.qlik_server\[0\].aws_s3_bucket.qlik_alb_logs\[0\]
 @exclude_module.airflow.aws_s3_bucket.bucket
 @exclude_aws_s3_bucket.mwaa_bucket
+ @exclude_aws_s3_bucket.mwaa_etl_scrtipts_bucket
 Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource
 Given I have aws_s3_bucket defined
 Then it must have server_side_encryption_configuration
From deaef497a9777be08d805136b2f3f1dc9f3504b9 Mon Sep 17 00:00:00 2001
From: LBH-wgreeff
Date: Wed, 15 Jan 2025 15:52:14 +0000
Subject: [PATCH 3/5] adding missing aws_s3_bucket_public_access_block block
---
 terraform/core/46-mwaa-bucket-kms.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/terraform/core/46-mwaa-bucket-kms.tf b/terraform/core/46-mwaa-bucket-kms.tf
index e2019efc1..b330b6b24 100644
--- a/terraform/core/46-mwaa-bucket-kms.tf
+++ b/terraform/core/46-mwaa-bucket-kms.tf
@@ -106,4 +106,14 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "mwaa_etl_scripts_
 }
 bucket_key_enabled = true
 }
+}
+
+
+resource "aws_s3_bucket_public_access_block" "mwaa_bucket_block" {
+ bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
 }
\ No newline at end of file
From 71592621c2bae6cbed2695dd6a4ca33c147328d0 Mon Sep 17 00:00:00 2001
From: LBH-wgreeff
Date: Wed, 15 Jan 2025 15:54:23 +0000
Subject: [PATCH 4/5] fixed typo
---
 terraform/core/46-mwaa-bucket-kms.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/terraform/core/46-mwaa-bucket-kms.tf b/terraform/core/46-mwaa-bucket-kms.tf
index b330b6b24..bda71b766 100644
--- a/terraform/core/46-mwaa-bucket-kms.tf
+++ b/terraform/core/46-mwaa-bucket-kms.tf
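Review bot: The added `@exclude_aws_s3_bucket.…` tag opts the new bucket out of the "Data must be encrypted at rest" scenario without recording why, and the exclusion list is now four entries long. The reason is presumably that encryption is configured through a separate `aws_s3_bucket_server_side_encryption_configuration` resource rather than inline, but this scenario only asserts on `aws_s3_bucket`, so nothing visible in this hunk verifies that the standalone resource actually exists for an excluded bucket; confirm a sibling scenario checks `aws_s3_bucket_server_side_encryption_configuration` for every excluded bucket, otherwise each tag here is an unverified opt-out of the control. A `#` comment above the tag block, e.g. `# Excluded buckets configure encryption via aws_s3_bucket_server_side_encryption_configuration; covered by the standalone-resource scenario`, would make the intent auditable at review time.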
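Review bot: The new public access block for `mwaa_etl_scripts_bucket` does not pin object ownership, so `block_public_acls` and `ignore_public_acls` are relying on ACLs still being a thing on this bucket; S3 has defaulted new buckets to ACLs-disabled since 2023, but nothing in this file declares it, so an explicit `aws_s3_bucket_ownership_controls` with `object_ownership = "BucketOwnerEnforced"` would both document that and prevent drift if someone re-enables ACLs out of band. The file also still ends without a trailing newline (`\ No newline at end of file`), which will keep producing spurious one-line churn in every later diff touching the end of this file. The enclosing `aws_s3_bucket_server_side_encryption_configuration` block starts before this hunk.
```hcl
# … unchanged: aws_s3_bucket_public_access_block for mwaa_etl_scripts_bucket …

resource "aws_s3_bucket_ownership_controls" "mwaa_etl_scripts_bucket_ownership" {
  bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```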
@@ -108,8 +108,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "mwaa_etl_scripts_ } } - -resource "aws_s3_bucket_public_access_block" "mwaa_bucket_block" { +resource "aws_s3_bucket_public_access_block" "mwaa_etl_scripts_bucket_block" { bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id block_public_acls = true From 2a117c43cea669b3d1650c049dcb3c88294f893d Mon Sep 17 00:00:00 2001 From: LBH-wgreeff Date: Wed, 15 Jan 2025 16:37:04 +0000 Subject: [PATCH 5/5] fixing typo --- terraform/compliance/s3.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/compliance/s3.feature b/terraform/compliance/s3.feature index c82540e8d..b7d7cca60 100644 --- a/terraform/compliance/s3.feature +++ b/terraform/compliance/s3.feature @@ -4,7 +4,7 @@ Feature: S3 @exclude_module.qlik_server\[0\].aws_s3_bucket.qlik_alb_logs\[0\] @exclude_module.airflow.aws_s3_bucket.bucket @exclude_aws_s3_bucket.mwaa_bucket - @exclude_aws_s3_bucket.mwaa_etl_scrtipts_bucket + @exclude_aws_s3_bucket.mwaa_etl_scripts_bucket Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource Given I have aws_s3_bucket defined Then it must have server_side_encryption_configuration