From 3eaedbbad316bdcb453d180c709313fd4e80a561 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Tue, 16 Nov 2021 12:38:48 +0000
Subject: [PATCH] GOVSI-1055: Use existing policies as templates
---
 ci/terraform/oidc/shared.tf | 2 +
 ci/terraform/oidc/ssm.tf | 90 ++------------------------------
 ci/terraform/shared/localstack.tfvars | 3 +-
 ci/terraform/shared/outputs.tf | 8 +++
 ci/terraform/shared/sandpit.tfvars | 1 +
 ci/terraform/shared/ssm.tf | 11 +---
 6 files changed, 22 insertions(+), 93 deletions(-)
diff --git a/ci/terraform/oidc/shared.tf b/ci/terraform/oidc/shared.tf
index 2e7bf41474..2c9f248529 100644
--- a/ci/terraform/oidc/shared.tf
+++ b/ci/terraform/oidc/shared.tf
@@ -29,4 +29,6 @@ locals {
 events_topic_encryption_key_arn = data.terraform_remote_state.shared.outputs.events_topic_encryption_key_arn
 lambda_parameter_encryption_key_id = data.terraform_remote_state.shared.outputs.lambda_parameter_encryption_key_id
 lambda_parameter_encryption_alias_id = data.terraform_remote_state.shared.outputs.lambda_parameter_encryption_alias_id
+ redis_ssm_parameter_policy = data.terraform_remote_state.shared.outputs.redis_ssm_parameter_policy
+ pepper_ssm_parameter_policy = data.terraform_remote_state.shared.outputs.pepper_ssm_parameter_policy
 }
\ No newline at end of file
diff --git a/ci/terraform/oidc/ssm.tf b/ci/terraform/oidc/ssm.tf
index 7401f30a87..70b837c3ec 100644
--- a/ci/terraform/oidc/ssm.tf
+++ b/ci/terraform/oidc/ssm.tf
@@ -1,99 +1,21 @@
-data "aws_ssm_parameter" "redis_master_host" {
- name = "${var.environment}-${local.redis_key}-redis-master-host"
-}
-
-data "aws_ssm_parameter" "redis_replica_host" {
- name = "${var.environment}-${local.redis_key}-redis-replica-host"
-}
-
-data "aws_ssm_parameter" "redis_tls" {
- name = "${var.environment}-${local.redis_key}-redis-tls"
-}
-
-data "aws_ssm_parameter" "redis_password" {
- name = "${var.environment}-${local.redis_key}-redis-password"
-}
-
-data "aws_ssm_parameter" "redis_port" {
- name = "${var.environment}-${local.redis_key}-redis-port"
-}
-
-data "aws_iam_policy_document" "redis_parameter_policy" {
- statement {
- sid = "AllowGetParameters"
- effect = "Allow"
-
- actions = [
- "ssm:GetParameter",
- "ssm:GetParameters",
- ]
-
- resources = [
- data.aws_ssm_parameter.redis_master_host.arn,
- data.aws_ssm_parameter.redis_replica_host.arn,
- data.aws_ssm_parameter.redis_tls.arn,
- data.aws_ssm_parameter.redis_password.arn,
- data.aws_ssm_parameter.redis_port.arn,
- ]
- }
- statement {
- sid = "AllowDecryptOfParameters"
- effect = "Allow"
-
- actions = [
- "kms:Decrypt",
- ]
-
- resources = [
- local.lambda_parameter_encryption_alias_id,
- local.lambda_parameter_encryption_key_id
- ]
- }
+data "aws_iam_policy" "redis_parameter_policy" {
+ arn = local.redis_ssm_parameter_policy
 }
 resource "aws_iam_policy" "redis_parameter_policy" {
- policy = data.aws_iam_policy_document.redis_parameter_policy.json
+ policy = data.aws_iam_policy.redis_parameter_policy.policy
 path = "/${var.environment}/redis/${local.redis_key}/"
 name_prefix = "parameter-store-policy"
 }
 ## Password pepper policy
-data "aws_ssm_parameter" "password_pepper" {
- name = "${var.environment}-password-pepper"
-}
-
-data "aws_iam_policy_document" "pepper_parameter_policy" {
- statement {
- sid = "AllowGetParameters"
- effect = "Allow"
-
- actions = [
- "ssm:GetParameter",
- "ssm:GetParameters",
- ]
-
- resources = [
- data.aws_ssm_parameter.password_pepper.arn
- ]
- }
- statement {
- sid = "AllowDecryptOfParameters"
- effect = "Allow"
-
- actions = [
- "kms:Decrypt",
- ]
-
- resources = [
- local.lambda_parameter_encryption_alias_id,
- local.lambda_parameter_encryption_key_id
- ]
- }
+data "aws_iam_policy" "pepper_parameter_policy" {
+ arn = local.pepper_ssm_parameter_policy
 }
 resource "aws_iam_policy" "pepper_parameter_policy" {
- policy = data.aws_iam_policy_document.pepper_parameter_policy.json
+ policy = data.aws_iam_policy.pepper_parameter_policy.policy
 path = "/${var.environment}/lambda-parameters/"
 name_prefix = "pepper-parameter-store-policy"
 }
\ No newline at end of file
diff --git a/ci/terraform/shared/localstack.tfvars b/ci/terraform/shared/localstack.tfvars
index ad426969bf..7941e23941 100644
--- a/ci/terraform/shared/localstack.tfvars
+++ b/ci/terraform/shared/localstack.tfvars
@@ -24,4 +24,5 @@ stub_rp_clients = [
 },
 ]
 test_client_email_allowlist = "testclient.user1@digital.cabinet-office.gov.uk,testclient.user2@digital.cabinet-office.gov.uk"
-terms_and_conditions = "1.0"
\ No newline at end of file
+terms_and_conditions = "1.0"
+password_pepper = "fake-pepper"
\ No newline at end of file
diff --git a/ci/terraform/shared/outputs.tf b/ci/terraform/shared/outputs.tf
index d9aa66348e..b640769934 100644
--- a/ci/terraform/shared/outputs.tf
+++ b/ci/terraform/shared/outputs.tf
@@ -108,4 +108,12 @@ output "lambda_parameter_encryption_key_id" {
 output "lambda_parameter_encryption_alias_id" {
 value = aws_kms_alias.parameter_store_key_alias.id
+}
+
+output "redis_ssm_parameter_policy" {
+ value = aws_iam_policy.parameter_policy.arn
+}
+
+output "pepper_ssm_parameter_policy" {
+ value = aws_iam_policy.pepper_parameter_policy.arn
 }
\ No newline at end of file
diff --git a/ci/terraform/shared/sandpit.tfvars b/ci/terraform/shared/sandpit.tfvars
index 05be30b893..9ff8d2f703 100644
--- a/ci/terraform/shared/sandpit.tfvars
+++ b/ci/terraform/shared/sandpit.tfvars
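Review bot: The two new `resource "aws_iam_policy"` blocks in this hunk copy the shared policy's document (`data.aws_iam_policy.redis_parameter_policy.policy`, `data.aws_iam_policy.pepper_parameter_policy.policy`) into a second managed policy rather than attaching `local.redis_ssm_parameter_policy` / `local.pepper_ssm_parameter_policy` to the role directly, so each environment now carries two policies with identical statements and the oidc copy only follows a change to the shared policy at its next apply. The role attachments that consume these policy ARNs are outside the hunk, so I cannot tell whether a direct attachment is possible here. If the clone is deliberate, a comment above each data block would save the next reader re-deriving it, for example `# Clones the policy managed in the shared stack so this stack no longer has to look up the SecureString parameters themselves`, since the removed `data "aws_ssm_parameter"` lookups (including `redis_password` and `password_pepper`) were what previously pulled those decrypted values into this stack's state.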
@@ -2,5 +2,6 @@ environment = "sandpit"
 keep_lambdas_warm = false
 redis_node_size = "cache.t2.micro"
 test_client_email_allowlist = "testclient.user1@digital.cabinet-office.gov.uk,testclient.user2@digital.cabinet-office.gov.uk"
+password_pepper = "fake-pepper"
 enable_api_gateway_execution_request_tracing = true
\ No newline at end of file
diff --git a/ci/terraform/shared/ssm.tf b/ci/terraform/shared/ssm.tf
index 803491d91a..2043ec3fcc 100644
--- a/ci/terraform/shared/ssm.tf
+++ b/ci/terraform/shared/ssm.tf
@@ -77,14 +77,12 @@ resource "aws_ssm_parameter" "redis_port" {
 }
 resource "aws_ssm_parameter" "password_pepper" {
- count = var.password_pepper == null ? 0 : 1
 name = "${var.environment}-password-pepper"
 type = "SecureString"
 key_id = aws_kms_alias.parameter_store_key_alias.id
 value = var.password_pepper
 }
-
 data "aws_iam_policy_document" "redis_parameter_policy" {
 statement {
 sid = "AllowGetParameters"
@@ -140,7 +138,6 @@ resource "aws_iam_role_policy_attachment" "dynamo_sqs_lambda_iam_role_parameters
 }
 data "aws_iam_policy_document" "pepper_parameter_policy" {
- count = var.password_pepper == null ? 0 : 1
 statement {
 sid = "AllowGetParameters"
 effect = "Allow"
@@ -151,7 +148,7 @@ data "aws_iam_policy_document" "pepper_parameter_policy" {
 ]
 resources = [
- aws_ssm_parameter.password_pepper[0].arn
+ aws_ssm_parameter.password_pepper.arn
 ]
 }
 statement {
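Review bot: `password_pepper = "fake-pepper"` in sandpit.tfvars checks the pepper for a deployed environment into the repository, while the `aws_ssm_parameter.password_pepper` block in shared/ssm.tf stores that same value as a KMS-encrypted `SecureString`, so the encryption at rest buys nothing when the plaintext is in source control. The identical line added to localstack.tfvars is a local-development stand-in and is fine there. For sandpit the value is better supplied from the pipeline's secret store (for example as `TF_VAR_password_pepper`) and left out of the tfvars file, or the entry kept only with a comment marking it as a non-production placeholder.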
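Review bot: Dropping `count = var.password_pepper == null ? 0 : 1` from `aws_ssm_parameter.password_pepper` makes the SecureString unconditional while the block still sets `value = var.password_pepper`, so an environment that leaves the variable unset (the `null` the removed guard handled) now fails at apply instead of skipping the parameter; the same guard is removed from the `pepper_parameter_policy` document here and from the policy and role attachment in the following hunk. The `variable "password_pepper"` definition is outside this diff, so I cannot see its default; if it still defaults to `null`, it should either lose the default or gain a `validation { condition = var.password_pepper != null ... }` block so the missing value is reported at plan time. Marking the variable `sensitive = true`, if the project's Terraform version supports it, would also keep the pepper out of plan output.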
@@ -170,14 +167,12 @@ data "aws_iam_policy_document" "pepper_parameter_policy" {
 }
 resource "aws_iam_policy" "pepper_parameter_policy" {
- count = var.password_pepper == null ? 0 : 1
- policy = data.aws_iam_policy_document.pepper_parameter_policy[0].json
+ policy = data.aws_iam_policy_document.pepper_parameter_policy.json
 path = "/${var.environment}/lambda-parameters/"
 name_prefix = "pepper-parameter-store-policy"
 }
 resource "aws_iam_role_policy_attachment" "lambda_iam_role_pepper_parameters" {
- count = var.password_pepper == null ? 0 : 1
- policy_arn = aws_iam_policy.pepper_parameter_policy[0].arn
+ policy_arn = aws_iam_policy.pepper_parameter_policy.arn
 role = aws_iam_role.lambda_iam_role.name
 }