Use dedicated role for taking the snapshot

bogsi17 · bogsi17 · commit e9ad72020b63 · 2025-08-28T14:46:07.000+01:00
The GithubDeployDataReplicationInfrastructure role has an explicit Deny in the policy for all tagged resources which prevents taking DB snapshots

Jira-Issue: MAV-1864
diff --git a/.github/workflows/data-replication-pipeline.yml b/.github/workflows/data-replication-pipeline.yml
@@ -44,6 +44,9 @@ env:
   aws_role: ${{ inputs.environment == 'production'
     && 'arn:aws:iam::820242920762:role/GithubDeployDataReplicationInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployDataReplicationInfrastructure' }}
+  db_snapshot_role: ${{ inputs.environment == 'production'
+    && 'arn:aws:iam::820242920762:role/DatabaseSnapshotRole'
+    || 'arn:aws:iam::393416225559:role/DatabaseSnapshotRole' }}
 
 defaults:
   run:
@@ -62,10 +65,11 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
-      - name: Configure AWS Credentials
+      - name: Assume DB Snapshot role
+        if: inputs.take_db_snapshot
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ env.aws_role }}
+          role-to-assume: ${{ env.db_snapshot_role }}
           aws-region: eu-west-2
       - name: Take DB snapshot
         if: inputs.take_db_snapshot
@@ -76,6 +80,11 @@ jobs:
           echo "Waiting for snapshot to be available. This can take a while."
           aws rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier $snapshot_identifier
           echo "New snapshot is now available"
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
       - name: Get latest snapshot
         id: get-latest-snapshot
         run: |
diff --git a/terraform/account/deployment_permissions.tf b/terraform/account/deployment_permissions.tf
@@ -46,6 +46,28 @@ resource "aws_iam_role_policy_attachment" "data_replication" {
   policy_arn = each.value
 }
 
+resource "aws_iam_role" "data_replication_snapshot" {
+  name        = "DatabaseSnapshotRole"
+  description = "Role to be assumed by the data replication workflow for taking on-demand DB snapshots"
+  assume_role_policy = templatefile("resources/iam_role_github_trust_policy_${var.environment}.json.tftpl", {
+    account_id = var.account_id
+  })
+}
+
+resource "aws_iam_policy" "db_snapshot_policy" {
+  name        = "DatabaseSnapshotPolicy"
+  description = "Policy to take DB snapshots"
+  policy      = file("resources/iam_policy_DatabaseSnapshotPolicy.json")
+  lifecycle {
+    ignore_changes = [description]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "db_snapshot" {
+  role       = aws_iam_role.data_replication_snapshot.name
+  policy_arn = aws_iam_policy.db_snapshot_policy.arn
+}
+
 ################# Deploy Monitoring ################
 
 resource "aws_iam_role" "monitoring_deploy" {
diff --git a/terraform/account/resources/iam_policy_DatabaseSnapshotPolicy.json b/terraform/account/resources/iam_policy_DatabaseSnapshotPolicy.json
@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Statement1",
+      "Effect": "Allow",
+      "Action": [
+        "rds:CreateDBClusterSnapshot",
+        "rds:DescribeDBClusterSnapshots"
+      ],
+      "Resource": ["*"]
+    }
+  ]
+}
