GOVSI-1055: Create Redis access policies within OIDC module

These can be removed from shared after the migration
govuk-one-login · Nov 18, 2021 · fcdfb4a · fcdfb4a
1 parent 89dc2f8
commit fcdfb4a
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 6 deletions.
diff --git a/ci/terraform/oidc/lambda-roles.tf b/ci/terraform/oidc/lambda-roles.tf
@@ -4,11 +4,17 @@ module "oidc_default_role" {
   role_name   = "oidc-default-role"
   vpc_arn     = local.authentication_vpc_arn
 
-  policies_to_attach = var.use_localstack ? [aws_iam_policy.lambda_sns_policy.arn] : [
+  policies_to_attach = var.use_localstack ? [
+    aws_iam_policy.lambda_sns_policy.arn,
+    aws_iam_policy.redis_parameter_policy.arn,
+    aws_iam_policy.pepper_parameter_policy.arn
+    ] : [
     aws_iam_policy.oidc_default_id_token_public_key_kms_policy[0].arn,
     aws_iam_policy.audit_signing_key_lambda_kms_signing_policy[0].arn,
     aws_iam_policy.dynamo_access_policy[0].arn,
-    aws_iam_policy.lambda_sns_policy.arn
+    aws_iam_policy.lambda_sns_policy.arn,
+    aws_iam_policy.redis_parameter_policy.arn,
+    aws_iam_policy.pepper_parameter_policy.arn
   ]
 }
 
@@ -29,10 +35,14 @@ module "oidc_dynamo_sqs_role" {
   role_name   = "oidc-dynamo-sqs"
   vpc_arn     = local.authentication_vpc_arn
 
-  policies_to_attach = var.use_localstack ? [aws_iam_policy.lambda_sns_policy.arn] : [
+  policies_to_attach = var.use_localstack ? [
+    aws_iam_policy.lambda_sns_policy.arn,
+    aws_iam_policy.redis_parameter_policy.arn
+    ] : [
     aws_iam_policy.audit_signing_key_lambda_kms_signing_policy[0].arn,
     aws_iam_policy.dynamo_access_policy[0].arn,
-    aws_iam_policy.lambda_sns_policy.arn
+    aws_iam_policy.lambda_sns_policy.arn,
+    aws_iam_policy.redis_parameter_policy.arn
   ]
 
 }

diff --git a/ci/terraform/oidc/ssm.tf b/ci/terraform/oidc/ssm.tf
@@ -0,0 +1,99 @@
+data "aws_ssm_parameter" "redis_master_host" {
+  name = "${var.environment}-${local.redis_key}-redis-master-host"
+}
+
+data "aws_ssm_parameter" "redis_replica_host" {
+  name = "${var.environment}-${local.redis_key}-redis-replica-host"
+}
+
+data "aws_ssm_parameter" "redis_tls" {
+  name = "${var.environment}-${local.redis_key}-redis-tls"
+}
+
+data "aws_ssm_parameter" "redis_password" {
+  name = "${var.environment}-${local.redis_key}-redis-password"
+}
+
+data "aws_ssm_parameter" "redis_port" {
+  name = "${var.environment}-${local.redis_key}-redis-port"
+}
+
+data "aws_iam_policy_document" "redis_parameter_policy" {
+  statement {
+    sid    = "AllowGetParameters"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+    ]
+
+    resources = [
+      data.aws_ssm_parameter.redis_master_host.arn,
+      data.aws_ssm_parameter.redis_replica_host.arn,
+      data.aws_ssm_parameter.redis_tls.arn,
+      data.aws_ssm_parameter.redis_password.arn,
+      data.aws_ssm_parameter.redis_port.arn,
+    ]
+  }
+  statement {
+    sid    = "AllowDecryptOfParameters"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      local.lambda_parameter_encryption_alias_id,
+      local.lambda_parameter_encryption_key_id
+    ]
+  }
+}
+
+resource "aws_iam_policy" "redis_parameter_policy" {
+  policy      = data.aws_iam_policy_document.redis_parameter_policy.json
+  path        = "/${var.environment}/redis/${local.redis_key}/"
+  name_prefix = "parameter-store-policy"
+}
+
+## Password pepper policy
+
+data "aws_ssm_parameter" "password_pepper" {
+  name = "${var.environment}-password-pepper"
+}
+
+data "aws_iam_policy_document" "pepper_parameter_policy" {
+  statement {
+    sid    = "AllowGetParameters"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+    ]
+
+    resources = [
+      data.aws_ssm_parameter.password_pepper.arn
+    ]
+  }
+  statement {
+    sid    = "AllowDecryptOfParameters"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      local.lambda_parameter_encryption_alias_id,
+      local.lambda_parameter_encryption_key_id
+    ]
+  }
+}
+
+resource "aws_iam_policy" "pepper_parameter_policy" {
+  policy      = data.aws_iam_policy_document.pepper_parameter_policy[0].json
+  path        = "/${var.environment}/lambda-parameters/"
+  name_prefix = "pepper-parameter-store-policy"
+}
diff --git a/ci/terraform/oidc/token.tf b/ci/terraform/oidc/token.tf
@@ -4,10 +4,11 @@ module "oidc_token_role" {
   role_name   = "oidc-token"
   vpc_arn     = local.authentication_vpc_arn
 
-  policies_to_attach = var.use_localstack ? [] : [
+  policies_to_attach = var.use_localstack ? [aws_iam_policy.redis_parameter_policy.arn] : [
     aws_iam_policy.oidc_token_kms_signing_policy[0].arn,
     aws_iam_policy.audit_signing_key_lambda_kms_signing_policy[0].arn,
-    aws_iam_policy.dynamo_access_policy[0].arn
+    aws_iam_policy.dynamo_access_policy[0].arn,
+    aws_iam_policy.redis_parameter_policy.arn
   ]
 }