GOVSI-1055: Use existing policies as templates

govuk-one-login · Nov 18, 2021 · 3eaedbb · 3eaedbb
1 parent 245edee
commit 3eaedbb
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 93 deletions.
diff --git a/ci/terraform/oidc/shared.tf b/ci/terraform/oidc/shared.tf
@@ -29,4 +29,6 @@ locals {
   events_topic_encryption_key_arn        = data.terraform_remote_state.shared.outputs.events_topic_encryption_key_arn
   lambda_parameter_encryption_key_id     = data.terraform_remote_state.shared.outputs.lambda_parameter_encryption_key_id
   lambda_parameter_encryption_alias_id   = data.terraform_remote_state.shared.outputs.lambda_parameter_encryption_alias_id
+  redis_ssm_parameter_policy             = data.terraform_remote_state.shared.outputs.redis_ssm_parameter_policy
+  pepper_ssm_parameter_policy            = data.terraform_remote_state.shared.outputs.pepper_ssm_parameter_policy
 }
diff --git a/ci/terraform/oidc/ssm.tf b/ci/terraform/oidc/ssm.tf
@@ -1,99 +1,21 @@
-data "aws_ssm_parameter" "redis_master_host" {
-  name = "${var.environment}-${local.redis_key}-redis-master-host"
-}
-
-data "aws_ssm_parameter" "redis_replica_host" {
-  name = "${var.environment}-${local.redis_key}-redis-replica-host"
-}
-
-data "aws_ssm_parameter" "redis_tls" {
-  name = "${var.environment}-${local.redis_key}-redis-tls"
-}
-
-data "aws_ssm_parameter" "redis_password" {
-  name = "${var.environment}-${local.redis_key}-redis-password"
-}
-
-data "aws_ssm_parameter" "redis_port" {
-  name = "${var.environment}-${local.redis_key}-redis-port"
-}
-
-data "aws_iam_policy_document" "redis_parameter_policy" {
-  statement {
-    sid    = "AllowGetParameters"
-    effect = "Allow"
-
-    actions = [
-      "ssm:GetParameter",
-      "ssm:GetParameters",
-    ]
-
-    resources = [
-      data.aws_ssm_parameter.redis_master_host.arn,
-      data.aws_ssm_parameter.redis_replica_host.arn,
-      data.aws_ssm_parameter.redis_tls.arn,
-      data.aws_ssm_parameter.redis_password.arn,
-      data.aws_ssm_parameter.redis_port.arn,
-    ]
-  }
-  statement {
-    sid    = "AllowDecryptOfParameters"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [
-      local.lambda_parameter_encryption_alias_id,
-      local.lambda_parameter_encryption_key_id
-    ]
-  }
+data "aws_iam_policy" "redis_parameter_policy" {
+  arn = local.redis_ssm_parameter_policy
 }
 
 resource "aws_iam_policy" "redis_parameter_policy" {
-  policy      = data.aws_iam_policy_document.redis_parameter_policy.json
+  policy      = data.aws_iam_policy.redis_parameter_policy.policy
   path        = "/${var.environment}/redis/${local.redis_key}/"
   name_prefix = "parameter-store-policy"
 }
 
 ## Password pepper policy
 
-data "aws_ssm_parameter" "password_pepper" {
-  name = "${var.environment}-password-pepper"
-}
-
-data "aws_iam_policy_document" "pepper_parameter_policy" {
-  statement {
-    sid    = "AllowGetParameters"
-    effect = "Allow"
-
-    actions = [
-      "ssm:GetParameter",
-      "ssm:GetParameters",
-    ]
-
-    resources = [
-      data.aws_ssm_parameter.password_pepper.arn
-    ]
-  }
-  statement {
-    sid    = "AllowDecryptOfParameters"
-    effect = "Allow"
-
-    actions = [
-      "kms:Decrypt",
-    ]
-
-    resources = [
-      local.lambda_parameter_encryption_alias_id,
-      local.lambda_parameter_encryption_key_id
-    ]
-  }
+data "aws_iam_policy" "pepper_parameter_policy" {
+  arn = local.pepper_ssm_parameter_policy
 }
 
 resource "aws_iam_policy" "pepper_parameter_policy" {
-  policy      = data.aws_iam_policy_document.pepper_parameter_policy.json
+  policy      = data.aws_iam_policy.pepper_parameter_policy.policy
   path        = "/${var.environment}/lambda-parameters/"
   name_prefix = "pepper-parameter-store-policy"
 }
diff --git a/ci/terraform/shared/localstack.tfvars b/ci/terraform/shared/localstack.tfvars
@@ -24,4 +24,5 @@ stub_rp_clients = [
   },
 ]
 test_client_email_allowlist = "[email protected],[email protected]"
-terms_and_conditions        = "1.0"
+terms_and_conditions        = "1.0"
+password_pepper             = "fake-pepper"
diff --git a/ci/terraform/shared/outputs.tf b/ci/terraform/shared/outputs.tf
@@ -108,4 +108,12 @@ output "lambda_parameter_encryption_key_id" {
 
 output "lambda_parameter_encryption_alias_id" {
   value = aws_kms_alias.parameter_store_key_alias.id
+}
+
+output "redis_ssm_parameter_policy" {
+  value = aws_iam_policy.parameter_policy.arn
+}
+
+output "pepper_ssm_parameter_policy" {
+  value = aws_iam_policy.pepper_parameter_policy.arn
 }
diff --git a/ci/terraform/shared/sandpit.tfvars b/ci/terraform/shared/sandpit.tfvars
@@ -2,5 +2,6 @@ environment                 = "sandpit"
 keep_lambdas_warm           = false
 redis_node_size             = "cache.t2.micro"
 test_client_email_allowlist = "[email protected],[email protected]"
+password_pepper             = "fake-pepper"
 
 enable_api_gateway_execution_request_tracing = true
diff --git a/ci/terraform/shared/ssm.tf b/ci/terraform/shared/ssm.tf
@@ -77,14 +77,12 @@ resource "aws_ssm_parameter" "redis_port" {
 }
 
 resource "aws_ssm_parameter" "password_pepper" {
-  count  = var.password_pepper == null ? 0 : 1
   name   = "${var.environment}-password-pepper"
   type   = "SecureString"
   key_id = aws_kms_alias.parameter_store_key_alias.id
   value  = var.password_pepper
 }
 
-
 data "aws_iam_policy_document" "redis_parameter_policy" {
   statement {
     sid    = "AllowGetParameters"
@@ -140,7 +138,6 @@ resource "aws_iam_role_policy_attachment" "dynamo_sqs_lambda_iam_role_parameters
 }
 
 data "aws_iam_policy_document" "pepper_parameter_policy" {
-  count = var.password_pepper == null ? 0 : 1
   statement {
     sid    = "AllowGetParameters"
     effect = "Allow"
@@ -151,7 +148,7 @@ data "aws_iam_policy_document" "pepper_parameter_policy" {
     ]
 
     resources = [
-      aws_ssm_parameter.password_pepper[0].arn
+      aws_ssm_parameter.password_pepper.arn
     ]
   }
   statement {
@@ -170,14 +167,12 @@ data "aws_iam_policy_document" "pepper_parameter_policy" {
 }
 
 resource "aws_iam_policy" "pepper_parameter_policy" {
-  count       = var.password_pepper == null ? 0 : 1
-  policy      = data.aws_iam_policy_document.pepper_parameter_policy[0].json
+  policy      = data.aws_iam_policy_document.pepper_parameter_policy.json
   path        = "/${var.environment}/lambda-parameters/"
   name_prefix = "pepper-parameter-store-policy"
 }
 
 resource "aws_iam_role_policy_attachment" "lambda_iam_role_pepper_parameters" {
-  count      = var.password_pepper == null ? 0 : 1
-  policy_arn = aws_iam_policy.pepper_parameter_policy[0].arn
+  policy_arn = aws_iam_policy.pepper_parameter_policy.arn
   role       = aws_iam_role.lambda_iam_role.name
 }