From 5840e94279cf9aa0f04e2c4ec6541b08c93db12c Mon Sep 17 00:00:00 2001
From: Ian Rose
Date: Wed, 23 Aug 2023 14:27:16 -0700
Subject: [PATCH] Create public S3 bucket for building footprint artifacts.

---
 docs/cloud-infrastructure.md | 5 +++
 terraform/aws/modules/infra/s3.tf | 51 +++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/docs/cloud-infrastructure.md b/docs/cloud-infrastructure.md
index 8ef2ea56..5d1e65f1 100644
--- a/docs/cloud-infrastructure.md
+++ b/docs/cloud-infrastructure.md
@@ -207,10 +207,14 @@ No modules.
 | [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/route_table) | resource |
 | [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/route_table_association) | resource |
+| [aws_s3_bucket.dof_demographics_public](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.dsa_project](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.mwaa](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.scratch](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.dof_demographics_public_read_access](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.dof_demographics_public](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.mwaa](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_versioning.dof_demographics_public](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.dsa_project](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.mwaa](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/s3_bucket_versioning) | resource |
 | [aws_security_group.batch](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/resources/security_group) | resource |
@@ -228,6 +232,7 @@ No modules.
 | [aws_iam_policy_document.aws_batch_service_policy](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.batch_submit_policy_document](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.default_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.dof_demographics_public_read_access](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.mwaa](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_dsa_project_policy_document](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_list_all_my_buckets](https://registry.terraform.io/providers/hashicorp/aws/4.56.0/docs/data-sources/iam_policy_document) | data source |
diff --git a/terraform/aws/modules/infra/s3.tf b/terraform/aws/modules/infra/s3.tf
index 82c2df13..004ba7e8 100644
--- a/terraform/aws/modules/infra/s3.tf
+++ b/terraform/aws/modules/infra/s3.tf
@@ -68,6 +68,57 @@ resource "aws_s3_bucket_public_access_block" "mwaa" {
 restrict_public_buckets = true
 }
 
+##################################
+# DSE MDSA Project Buckets #
+##################################
+
+resource "aws_s3_bucket" "dof_demographics_public" {
+ bucket = "dof-demographics-${var.environment}-${var.region}-public"
+ tags = {
+ Owner = "dof"
+ Project = "demographics"
+ }
+}
+
+resource "aws_s3_bucket_versioning" "dof_demographics_public" {
+ bucket = aws_s3_bucket.dof_demographics_public.bucket
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+data "aws_iam_policy_document" "dof_demographics_public_read_access" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "s3:GetObject",
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ aws_s3_bucket.dof_demographics_public.arn,
+ "${aws_s3_bucket.dof_demographics_public.arn}/*",
+ ]
+ }
+}
+
+resource "aws_s3_bucket_policy" "dof_demographics_public_read_access" {
+ bucket = aws_s3_bucket.dof_demographics_public.id
+ policy = data.aws_iam_policy_document.dof_demographics_public_read_access.json
+}
+
+resource "aws_s3_bucket_public_access_block" "dof_demographics_public" {
+ bucket = aws_s3_bucket.dof_demographics_public.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
 ##################################
 # AAE DSA Project Buckets #
 ##################################
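Review bot: The public access block at the end of the hunk switches off all four protections, but a public-read bucket policy only needs `block_public_policy = false` and `restrict_public_buckets = false`; keeping `block_public_acls = true` and `ignore_public_acls = true` leaves object ACLs blocked so nothing beyond what the policy grants can be exposed (an `aws_s3_bucket_ownership_controls` resource with `BucketOwnerEnforced` would disable ACLs on the bucket altogether). The policy document also grants `s3:ListBucket` to `*` on the bucket ARN, which lets anyone enumerate every key; if artifacts are only meant to be fetched by known URL, dropping that action and the bare bucket ARN from `resources` narrows the grant, and if listing is intentional a comment saying so would help the next reader. Since `aws_s3_bucket_policy` and `aws_s3_bucket_public_access_block` both depend only on the bucket, Terraform does not order them; adding `depends_on = [aws_s3_bucket_public_access_block.dof_demographics_public]` to the policy resource is the usual way to make the block's settings take effect before PutBucketPolicy is attempted. Finally, the commit message says "building footprint artifacts" while the section banner reads "DSE MDSA Project Buckets" and the tags say `Project = "demographics"`; a one-line comment above the bucket stating what it holds and why it is public would resolve the mismatch.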