
feat: allow writing to backup bucket #226

Merged
merged 1 commit into master from feat/allow-writing-to-backup-bucket on Sep 8, 2024

Conversation

alexander-jackson (Owner)

pgbackup is a rewrite of the existing database backup system that should hopefully be more observable and resilient (without just relying on cron to do everything). It's going to need to write to the backup bucket, so let's allow it to do that.

This change:

  • Allows the f2-instance profile to write to the Postgres backup bucket
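A check a reviewer could run against the resulting policy document, added here as an example and not code from this repository: it parses IAM policy JSON of the shape shown in the Terraform plan on this PR and confirms that the grant on the backup bucket is write-only, so the backup writer can add objects but not read, delete or unprotect existing ones. The two sample policies are constructed from the bucket names in the plan, and the list of harmful actions is an assumption.

```python
import fnmatch
import json

# Constructed sample of the policy document the Terraform plan on this PR produces after
# the change. Only the two S3 statements are shown; the five unchanged ones are omitted.
SECONDARY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::logging-4acb18/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::postgres-backups-65ef5c/*"},
    ],
})

# Constructed counter-example: a broad grant that would let the writer destroy backups.
BROAD_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Assumed list of actions that let a backup writer read back, delete or unprotect backups.
FORBIDDEN_ON_BACKUPS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
}


def _as_list(value):
    # IAM lets Action and Resource be either a single string or a list
    return value if isinstance(value, list) else [value]


def backup_bucket_grants(policy_json, bucket):
    """Return the Allow actions (wildcards kept) whose Resource covers objects in bucket."""
    target = f"arn:aws:s3:::{bucket}/*"
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Resource ARNs may contain * wildcards, so glob-match each one against the target
        if any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", []))):
            granted.update(_as_list(stmt.get("Action", [])))
    return granted


def is_write_only(policy_json, bucket):
    """True if the principal can add objects to bucket but not read, delete or unprotect them."""
    granted = backup_bucket_grants(policy_json, bucket)
    can_put = any(fnmatch.fnmatchcase("s3:PutObject", g) for g in granted)
    can_harm = any(fnmatch.fnmatchcase(f, g) for g in granted for f in FORBIDDEN_ON_BACKUPS)
    return can_put and not can_harm
```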


github-actions bot commented Sep 8, 2024

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan

Running plan in HCP Terraform. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:
https://app.terraform.io/app/blackboards/infrastructure/runs/run-hLSZHoEvnKXiuhiU

Waiting for the plan to start...

Terraform v1.5.7
on linux_amd64
Initializing plugins and modules...
module.logging_bucket.random_id.this: Refreshing state... [id=SssY]
module.config_bucket.random_id.this: Refreshing state... [id=aPbH]
module.bucket.random_id.this: Refreshing state... [id=csAJ]
module.remote_state_bucket.random_id.this: Refreshing state... [id=WvCN]
module.postgres_backups_bucket.random_id.this: Refreshing state... [id=Ze9c]
aws_iam_user.image_builder: Refreshing state... [id=image.builder]
module.repositories["ticket-tracker"].aws_ecr_repository.this: Refreshing state... [id=ticket-tracker]
aws_iam_user.postgres_backups: Refreshing state... [id=postgres.backups]
module.database.data.aws_iam_policy_document.ec2_assume_role: Refreshing...
aws_route53_zone.opentracker: Refreshing state... [id=Z03017682LQ8TW5YUFGE0]
module.database.aws_iam_policy.this: Refreshing state... [id=arn:aws:iam::558855412466:policy/database-policy]
module.config_bucket.aws_s3_bucket.this: Refreshing state... [id=configuration-68f6c7]
aws_sns_topic.outages: Refreshing state... [id=arn:aws:sns:eu-west-1:558855412466:outages]
module.postgres_backups_bucket.aws_s3_bucket.this: Refreshing state... [id=postgres-backups-65ef5c]
aws_sns_topic.notifications: Refreshing state... [id=arn:aws:sns:eu-west-1:558855412466:ticket-tracker-notifications]
module.database.data.aws_iam_policy_document.ec2_assume_role: Refresh complete after 0s [id=2851119427]
module.bucket.aws_s3_bucket.this: Refreshing state... [id=uptime-72c009]
module.repositories["ticket-tracker"].aws_iam_user.builder: Refreshing state... [id=ticket-tracker-builder]
aws_iam_user.this: Refreshing state... [id=ticket-tracker]
module.logging_bucket.aws_s3_bucket.this: Refreshing state... [id=logging-4acb18]
data.aws_iam_policy_document.uptime_trigger_assume_role: Refreshing...
data.aws_iam_policy_document.uptime_trigger_assume_role: Refresh complete after 0s [id=52247394]
module.personal.aws_iam_user.this: Refreshing state... [id=alex.jackson]
aws_ecr_repository.uptime: Refreshing state... [id=uptime]
aws_iam_user.configuration_deployer: Refreshing state... [id=configuration.deployer]
aws_iam_user.github_actions: Refreshing state... [id=github.actions]
aws_key_pair.main: Refreshing state... [id=macbook-m2-pro]
aws_vpc.main: Refreshing state... [id=vpc-0d1ab7c53aec22955]
aws_iam_policy.iac_deployer: Refreshing state... [id=arn:aws:iam::558855412466:policy/iac-deployer-policy]
module.remote_state_bucket.aws_s3_bucket.this: Refreshing state... [id=terraform-remote-state-5af08d]
aws_iam_role.iac_deployer: Refreshing state... [id=iac-deployer]
module.secondary.data.aws_iam_policy_document.ec2_assume_role: Refreshing...
data.aws_iam_policy_document.assume_role: Refreshing...
data.aws_iam_policy_document.assume_role: Refresh complete after 0s [id=2690255455]
module.secondary.data.aws_iam_policy_document.ec2_assume_role: Refresh complete after 0s [id=2851119427]
module.database.aws_iam_role.this: Refreshing state... [id=database-role]
aws_iam_access_key.postgres_backups: Refreshing state... [id=AKIAYEHTA3LZFDVAEC42]
aws_iam_access_key.image_builder: Refreshing state... [id=AKIAYEHTA3LZI2GLLBWM]
module.repositories["ticket-tracker"].aws_iam_access_key.builder: Refreshing state... [id=AKIAYEHTA3LZAHS7ZJVQ]
aws_iam_access_key.this: Refreshing state... [id=AKIAYEHTA3LZJEQ7KL5O]
aws_iam_role.uptime_trigger: Refreshing state... [id=uptime-trigger]
module.personal.aws_iam_access_key.this: Refreshing state... [id=AKIAYEHTA3LZCH5CBE4Y]
module.personal.aws_iam_user_login_profile.this: Refreshing state... [id=alex.jackson]
module.personal.aws_iam_user_policy.this: Refreshing state... [id=alex.jackson:alex.jackson.policy]
aws_iam_access_key.configuration_deployer: Refreshing state... [id=AKIAYEHTA3LZKXOXWTYC]
aws_iam_access_key.github_actions: Refreshing state... [id=AKIAYEHTA3LZK6JIHCYE]
aws_sns_topic_subscription.outages: Refreshing state... [id=arn:aws:sns:eu-west-1:558855412466:outages:c15a0919-9e06-484e-bef6-08ab63e662d8]
aws_sns_topic_subscription.notifications: Refreshing state... [id=arn:aws:sns:eu-west-1:558855412466:ticket-tracker-notifications:360092e1-a2d6-48be-ab1e-a973d714e068]
aws_iam_user_policy.this: Refreshing state... [id=ticket-tracker:ticket-tracker.policy]
module.repositories["ticket-tracker"].aws_iam_user_policy.builder: Refreshing state... [id=ticket-tracker-builder:ticket-tracker-builder-policy]
aws_iam_role.uptime: Refreshing state... [id=uptime]
module.secondary.aws_iam_role.this: Refreshing state... [id=secondary-role]
aws_iam_user_policy.image_builder: Refreshing state... [id=image.builder:image.builder.policy]
aws_iam_user_policy.github_actions: Refreshing state... [id=github.actions:github.actions.policy]
aws_iam_role_policy_attachment.iac_deployer: Refreshing state... [id=iac-deployer-20230421061924179000000001]
module.secondary.aws_iam_policy.this: Refreshing state... [id=arn:aws:iam::558855412466:policy/secondary-policy]
module.database.aws_iam_instance_profile.this: Refreshing state... [id=database-instance-profile]
module.database.aws_iam_role_policy_attachment.this: Refreshing state... [id=database-role-20231230120447701700000002]
aws_lambda_function.uptime: Refreshing state... [id=uptime]
module.secondary.aws_iam_instance_profile.this: Refreshing state... [id=secondary-instance-profile]
module.secondary.aws_iam_role_policy_attachment.this: Refreshing state... [id=secondary-role-20240830195016300100000001]
aws_iam_policy.uptime_trigger: Refreshing state... [id=arn:aws:iam::558855412466:policy/uptime-trigger]
aws_scheduler_schedule.uptime: Refreshing state... [id=default/uptime-trigger]
aws_iam_role_policy_attachment.uptime_trigger: Refreshing state... [id=uptime-trigger-20240331174144664500000001]
aws_internet_gateway.main: Refreshing state... [id=igw-0aa2c09bec52493fc]
aws_subnet.main: Refreshing state... [id=subnet-07936cc0e5c7d83b1]
module.bucket.aws_s3_bucket_versioning.this: Refreshing state... [id=uptime-72c009]
aws_iam_policy.uptime: Refreshing state... [id=arn:aws:iam::558855412466:policy/uptime-policy]
module.postgres_backups_bucket.aws_s3_bucket_versioning.this: Refreshing state... [id=postgres-backups-65ef5c]
aws_iam_user_policy.postgres_backups: Refreshing state... [id=postgres.backups:postgres.backups.policy]
aws_iam_user_policy.configuration_deployer: Refreshing state... [id=configuration.deployer:configuration.deployer.policy]
aws_iam_role_policy_attachment.uptime: Refreshing state... [id=uptime-20240418192134073500000001]
module.config_bucket.aws_s3_bucket_versioning.this: Refreshing state... [id=configuration-68f6c7]
module.logging_bucket.aws_s3_bucket_versioning.this: Refreshing state... [id=logging-4acb18]
module.database.data.aws_subnet.self: Refreshing...
module.secondary.data.aws_subnet.self: Refreshing...
module.database.aws_ebs_volume.this: Refreshing state... [id=vol-0ac43ea68879b3895]
module.secondary.aws_security_group.this: Refreshing state... [id=sg-09c16fd26e819748e]
module.database.aws_security_group.this: Refreshing state... [id=sg-0998f7db6e1ffb7eb]
module.database.data.aws_subnet.self: Refresh complete after 0s [id=subnet-07936cc0e5c7d83b1]
aws_route_table.gateway: Refreshing state... [id=rtb-0881a403738fea9c7]
module.secondary.data.aws_subnet.self: Refresh complete after 0s [id=subnet-07936cc0e5c7d83b1]
module.remote_state_bucket.aws_s3_bucket_versioning.this: Refreshing state... [id=terraform-remote-state-5af08d]
module.database.aws_security_group_rule.allow_outbound_http: Refreshing state... [id=sgrule-1983782041]
module.database.aws_security_group_rule.allow_inbound_postgres: Refreshing state... [id=sgrule-3465932672]
module.database.aws_security_group_rule.allow_outbound_https: Refreshing state... [id=sgrule-1306823711]
module.database.aws_instance.this: Refreshing state... [id=i-0e48bcc2a0d16252e]
module.database.aws_security_group_rule.allow_inbound_ssh: Refreshing state... [id=sgrule-3173870365]
aws_route_table_association.gateway: Refreshing state... [id=rtbassoc-041dbac3ebba9c5ca]
module.secondary.aws_security_group_rule.allow_inbound_ssh: Refreshing state... [id=sgrule-1349148784]
module.secondary.aws_security_group_rule.allow_inbound_https: Refreshing state... [id=sgrule-1220995848]
module.secondary.aws_security_group_rule.allow_outbound_postgres: Refreshing state... [id=sgrule-4235038627]
module.secondary.aws_instance.this: Refreshing state... [id=i-0020a8286890ff956]
module.secondary.aws_security_group_rule.allow_outbound_https: Refreshing state... [id=sgrule-2114639601]
module.secondary.aws_security_group_rule.allow_outbound_subnet_postgres: Refreshing state... [id=sgrule-3062141385]
module.secondary.aws_security_group_rule.allow_outbound_ssh: Refreshing state... [id=sgrule-1707530534]
module.secondary.aws_security_group_rule.allow_outbound_http: Refreshing state... [id=sgrule-2310426905]
aws_security_group_rule.allow_inbound_connections_from_secondary: Refreshing state... [id=sgrule-3884167637]
module.database.aws_volume_attachment.this: Refreshing state... [id=vai-3516952077]
module.secondary.aws_eip.this: Refreshing state... [id=eipalloc-0ae65475676d8217a]
aws_route53_record.opentracker_tags: Refreshing state... [id=Z03017682LQ8TW5YUFGE0_tags_A]
aws_route53_record.opentracker_today: Refreshing state... [id=Z03017682LQ8TW5YUFGE0_today_A]
aws_route53_record.opentracker: Refreshing state... [id=Z03017682LQ8TW5YUFGE0__A]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.secondary.aws_iam_policy.this will be updated in-place
  ~ resource "aws_iam_policy" "this" {
        id          = "arn:aws:iam::558855412466:policy/secondary-policy"
        name        = "secondary-policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                    # (5 unchanged elements hidden)
                    {
                        Action   = [
                            "s3:PutObject",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:s3:::logging-4acb18/*"
                    },
                  + {
                      + Action   = [
                          + "s3:PutObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:s3:::postgres-backups-65ef5c/*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
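Review bot: the description says the `f2-instance` profile gets write access to the backup bucket, but the only resource in the plan is `module.secondary.aws_iam_policy.this` (`secondary-policy`); either the description should name the secondary instance profile, or the policy attached to `f2-instance` is missing from this change. The grant itself is appropriately narrow: `s3:PutObject` on `arn:aws:s3:::postgres-backups-65ef5c/*` with no Get, List or Delete, so the backup writer can add objects but cannot read or remove existing ones, and if versioning is enabled on that bucket (the plan refreshes `module.postgres_backups_bucket.aws_s3_bucket_versioning.this`) an overwritten key keeps its earlier version. One thing to tidy in the workflow rather than the policy: the streamed refresh log above posts the account ID and several IAM access key IDs (`AKIA...`) into a PR comment; consider trimming the bot output to the plan diff only.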

@alexander-jackson alexander-jackson merged commit 4e208a5 into master Sep 8, 2024
1 check passed
@alexander-jackson alexander-jackson deleted the feat/allow-writing-to-backup-bucket branch September 8, 2024 07:22