From a87831aa523840af423a66a0ff9ed57c466a7086 Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Mon, 1 Dec 2025 17:10:07 +0000
Subject: [PATCH 1/2] NRL-1832 Remove unused NHSD identities roles from TF
---
.../dev/iam__developer-role.tf | 26 ----
.../mgmt/{iam__developer-role.tf => iam.tf} | 16 ---
.../prod/iam__ops-role.tf | 135 ------------------
.../test/iam__developer-role.tf | 26 ----
.../test/iam__ops-role.tf | 60 -------
5 files changed, 263 deletions(-)
delete mode 100644 terraform/account-wide-infrastructure/dev/iam__developer-role.tf
rename terraform/account-wide-infrastructure/mgmt/{iam__developer-role.tf => iam.tf} (88%)
delete mode 100644 terraform/account-wide-infrastructure/prod/iam__ops-role.tf
delete mode 100644 terraform/account-wide-infrastructure/test/iam__developer-role.tf
delete mode 100644 terraform/account-wide-infrastructure/test/iam__ops-role.tf
diff --git a/terraform/account-wide-infrastructure/dev/iam__developer-role.tf b/terraform/account-wide-infrastructure/dev/iam__developer-role.tf
deleted file mode 100644
index a6cd345e4..000000000
--- a/terraform/account-wide-infrastructure/dev/iam__developer-role.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "aws_iam_role" "developer_role" {
- name = "NHSDDeveloperRole"
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- AWS : "arn:aws:iam::${data.aws_secretsmanager_secret_version.identities_account_id.secret_string}:root"
- },
- Effect : "Allow"
- Condition : {
- Bool : {
- "aws:MultiFactorAuthPresent" : true
- }
- }
- }
- ]
- })
-}
-
-
resource "aws_iam_role_policy_attachment" "policy_attachment" {
- role = aws_iam_role.developer_role.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
-}
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam.tf
similarity index 88%
rename from terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
rename to terraform/account-wide-infrastructure/mgmt/iam.tf
index 9496eddee..834e922d7 100644
--- a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
+++ b/terraform/account-wide-infrastructure/mgmt/iam.tf
@@ -1,19 +1,3 @@
-resource "aws_iam_role" "developer_role" {
- name = "NHSDDeveloperRole"
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- AWS : "arn:aws:iam::${data.aws_secretsmanager_secret_version.identities_account_id.secret_string}:root"
- },
- Effect : "Allow"
- }
- ]
- })
-}
-
module "developer_policy" {
source = "../modules/role-policy"
name = "${local.prefix}--developer-policy"
diff --git a/terraform/account-wide-infrastructure/prod/iam__ops-role.tf b/terraform/account-wide-infrastructure/prod/iam__ops-role.tf
deleted file mode 100644
index 23f86c305..000000000
--- a/terraform/account-wide-infrastructure/prod/iam__ops-role.tf
+++ /dev/null
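Review bot: The `module "developer_policy"` block that survives this hunk is left untouched — the diffstat for mgmt/iam.tf shows 16 deletions and nothing else — so if its body still binds `role_name = aws_iam_role.developer_role.name`, the way the ops modules in prod and test do, deleting `aws_iam_role.developer_role` leaves a reference to an undeclared resource and `terraform validate` will fail for the mgmt account. The module body continues past the end of the hunk, so this cannot be confirmed from the diff alone. If the reference is still there, either drop the module together with the role or point `role_name` at the role that now replaces it; if the policy is intentionally kept without a consumer, a comment above the block such as `# Kept for <role>; NHSDDeveloperRole was removed under NRL-1832` would tell the next reader why an orphaned policy definition is here.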
@@ -1,135 +0,0 @@
-resource "aws_iam_role" "ops_role" {
- name = "NHSDOpsRole"
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- AWS : "arn:aws:iam::${data.aws_secretsmanager_secret_version.identities_account_id.secret_string}:root"
- },
- Effect : "Allow"
- }
- ]
- })
-}
-
-
module "ops_role_read_only_resources" {
- source = "../modules/role-policy"
- name = "${local.prefix}--ops-read-only"
- role_name = aws_iam_role.ops_role.name
- iam_permissions = [
- {
- Action = [
- "acm:Describe*",
- "acm:Get*",
- "acm:List*",
- "cloudwatch:Describe*",
- "cloudwatch:Get*",
- "cloudwatch:List*",
- "dynamodb:BatchGet*",
- "dynamodb:Describe*",
- "dynamodb:Get*",
- "dynamodb:List*",
- "dynamodb:Query",
- "dynamodb:Scan",
- "events:Describe*",
- "events:List*",
- "events:Test*",
- "firehose:Describe*",
- "firehose:List*",
- "iam:Generate*",
- "iam:Get*",
- "iam:List*",
- "iam:Simulate*",
- "kinesis:Describe*",
- "kinesis:Get*",
- "kinesis:List*",
- "logs:Describe*",
- "logs:Get*",
- "logs:FilterLogEvents",
- "logs:ListTagsLogGroup",
- "logs:TestMetricFilter",
- "rds:Describe*",
- "rds:List*",
- "rds:Download*",
- "route53:Get*",
- "route53:List*",
- "route53:Test*",
- "secretsmanager:List*",
- "secretsmanager:Describe*",
- "secretsmanager:GetResourcePolicy",
- "sns:Get*",
- "sns:List*",
- "sns:Check*",
- "ssm:Describe*",
- "ssm:Get*",
- "ssm:List*",
- "tag:Get*",
- "apigateway:GET*"
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- },
- {
- Action = [
- "s3:Get*",
- "s3:List*",
- "s3:Head*"
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- },
- {
- Action = [
- "kms:Describe*",
- "kms:Get*",
- "kms:List*",
- "kms:GenerateDataKey*",
- "kms:Encrypt",
- "kms:ReEncrypt*",
- "kms:Decrypt",
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- },
- {
- Action = [
- "sqs:Get*",
- "sqs:List*",
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- },
- {
- Action = [
- "glue:Get*",
- "glue:List*",
- "glue:BatchGet*"
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- },
- {
- Action = [
- "lambda:List*",
- "lambda:Get*"
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- }
- ]
-}
diff --git a/terraform/account-wide-infrastructure/test/iam__developer-role.tf b/terraform/account-wide-infrastructure/test/iam__developer-role.tf
deleted file mode 100644
index ee3aa0d2b..000000000
--- a/terraform/account-wide-infrastructure/test/iam__developer-role.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-resource "aws_iam_role" "developer_role" {
- name = "NHSDDeveloperRole"
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- AWS : "arn:aws:iam::${data.aws_secretsmanager_secret_version.identities_account_id.secret_string}:root"
- },
- Effect : "Allow",
- Condition : {
- Bool : {
- "aws:MultiFactorAuthPresent" : true
- }
- }
- }
- ]
- })
-}
-
-
resource "aws_iam_role_policy_attachment" "policy_attachment" {
- role = aws_iam_role.developer_role.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
-}
diff --git a/terraform/account-wide-infrastructure/test/iam__ops-role.tf b/terraform/account-wide-infrastructure/test/iam__ops-role.tf
deleted file mode 100644
index 45b2ed58b..000000000
--- a/terraform/account-wide-infrastructure/test/iam__ops-role.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-resource "aws_iam_role" "ops_role" {
- name = "NHSDOpsRole"
- assume_role_policy = jsonencode({
- Version : "2012-10-17",
- Statement : [
- {
- Action : "sts:AssumeRole",
- Principal : {
- AWS : "arn:aws:iam::${data.aws_secretsmanager_secret_version.identities_account_id.secret_string}:root"
- },
- Effect : "Allow"
- }
- ]
- })
-}
-
-
module "ops_role_permissions" {
- source = "../modules/role-policy"
- name = "${local.prefix}--ops-permissions"
- role_name = aws_iam_role.ops_role.name
- iam_permissions = [
- {
- Action = [
- "acm:Describe*",
- "acm:Get*",
- "acm:List*",
- "cloudwatch:*",
- "dynamodb:*",
- "firehose:Describe*",
- "firehose:List*",
- "glue:*",
- "iam:Generate*",
- "iam:Get*",
- "iam:List*",
- "iam:Simulate*",
- "kinesis:Describe*",
- "kinesis:Get*",
- "kinesis:List*",
- "kms:*",
- "lambda:*",
- "logs:*",
- "route53:Get*",
- "route53:List*",
- "route53:Test*",
- "s3:*",
- "secretsmanager:*",
- "sns:*",
- "sqs:*",
- "ssm:*",
- "tag:*",
- "apigateway:*"
- ]
- Effect = "Allow"
- Resource = [
- "*"
- ]
- }
- ]
-}
From a1692665d072204aacb9005bd2c406cc12bbc39c Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Mon, 1 Dec 2025 17:14:16 +0000
Subject: [PATCH 2/2] NRL-1832 Remove secrets that reference NHSD-Identities account
---
terraform/account-wide-infrastructure/dev/data.tf | 4 ----
terraform/account-wide-infrastructure/dev/secrets.tf | 4 ----
terraform/account-wide-infrastructure/mgmt/data.tf | 4 ----
terraform/account-wide-infrastructure/mgmt/secrets.tf | 3 ---
terraform/account-wide-infrastructure/prod/data.tf | 4 ----
terraform/account-wide-infrastructure/prod/secrets.tf | 4 ----
terraform/account-wide-infrastructure/test/data.tf | 4 ----
terraform/account-wide-infrastructure/test/secrets.tf | 4 ----
8 files changed, 31 deletions(-)
delete mode 100644 terraform/account-wide-infrastructure/mgmt/secrets.tf
diff --git a/terraform/account-wide-infrastructure/dev/data.tf b/terraform/account-wide-infrastructure/dev/data.tf
index 633f06302..95bb5f9c0 100644
--- a/terraform/account-wide-infrastructure/dev/data.tf
+++ b/terraform/account-wide-infrastructure/dev/data.tf
@@ -2,10 +2,6 @@ data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
-data "aws_secretsmanager_secret_version" "identities_account_id" {
- secret_id = aws_secretsmanager_secret.identities_account_id.name
-}
-
data "aws_secretsmanager_secret_version" "backup_destination_parameters" {
secret_id = aws_secretsmanager_secret.backup_destination_parameters.name
}
diff --git a/terraform/account-wide-infrastructure/dev/secrets.tf b/terraform/account-wide-infrastructure/dev/secrets.tf
index 5e60405d8..09c33517c 100644
--- a/terraform/account-wide-infrastructure/dev/secrets.tf
+++ b/terraform/account-wide-infrastructure/dev/secrets.tf
@@ -1,7 +1,3 @@
-resource "aws_secretsmanager_secret" "identities_account_id" {
- name = "${local.prefix}--nhs-identities-account-id"
-}
-
resource "aws_secretsmanager_secret" "backup_destination_parameters" {
name = "${local.prefix}--backup-destination-parameters"
description = "Parameters used to configure the backup destination"
diff --git a/terraform/account-wide-infrastructure/mgmt/data.tf b/terraform/account-wide-infrastructure/mgmt/data.tf
index a7306907d..ebfc46ff1 100644
--- a/terraform/account-wide-infrastructure/mgmt/data.tf
+++ b/terraform/account-wide-infrastructure/mgmt/data.tf
@@ -18,10 +18,6 @@ data "aws_s3_bucket" "truststore" {
bucket = "${local.project}--truststore"
}
-data "aws_secretsmanager_secret_version" "identities_account_id" {
- secret_id = aws_secretsmanager_secret.identities_account_id.name
-}
-
data "aws_secretsmanager_secret" "prod_account_id" {
name = "${local.project}--mgmt--prod-account-id"
}
diff --git a/terraform/account-wide-infrastructure/mgmt/secrets.tf b/terraform/account-wide-infrastructure/mgmt/secrets.tf
deleted file mode 100644
index 2fb89fcf7..000000000
--- a/terraform/account-wide-infrastructure/mgmt/secrets.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-resource "aws_secretsmanager_secret" "identities_account_id" {
- name = "${local.prefix}--nhs-identities-account-id"
-}
diff --git a/terraform/account-wide-infrastructure/prod/data.tf b/terraform/account-wide-infrastructure/prod/data.tf
index 8974b7fb0..507ee68be 100644
--- a/terraform/account-wide-infrastructure/prod/data.tf
+++ b/terraform/account-wide-infrastructure/prod/data.tf
@@ -2,10 +2,6 @@ data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
-data "aws_secretsmanager_secret_version" "identities_account_id" {
- secret_id = aws_secretsmanager_secret.identities_account_id.name
-}
-
data "aws_secretsmanager_secret" "emails" {
name = "${local.prefix}-emails"
}
diff --git a/terraform/account-wide-infrastructure/prod/secrets.tf b/terraform/account-wide-infrastructure/prod/secrets.tf
index 1547a9c36..18e4dd408 100644
--- a/terraform/account-wide-infrastructure/prod/secrets.tf
+++ b/terraform/account-wide-infrastructure/prod/secrets.tf
@@ -1,7 +1,3 @@
-resource "aws_secretsmanager_secret" "identities_account_id" {
- name = "${local.prefix}--nhs-identities-account-id"
-}
-
resource "aws_secretsmanager_secret" "prod_smoke_test_apigee_app" {
name = "${local.prefix}--prod--apigee-app--smoke-test"
description = "APIGEE App used to run Smoke Tests against the PROD environment"
diff --git a/terraform/account-wide-infrastructure/test/data.tf b/terraform/account-wide-infrastructure/test/data.tf
index 8974b7fb0..507ee68be 100644
--- a/terraform/account-wide-infrastructure/test/data.tf
+++ b/terraform/account-wide-infrastructure/test/data.tf
@@ -2,10 +2,6 @@ data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
-data "aws_secretsmanager_secret_version" "identities_account_id" {
- secret_id = aws_secretsmanager_secret.identities_account_id.name
-}
-
data "aws_secretsmanager_secret" "emails" {
name = "${local.prefix}-emails"
}
diff --git a/terraform/account-wide-infrastructure/test/secrets.tf b/terraform/account-wide-infrastructure/test/secrets.tf
index 173154ef1..e648d07b0 100644
--- a/terraform/account-wide-infrastructure/test/secrets.tf
+++ b/terraform/account-wide-infrastructure/test/secrets.tf
@@ -1,7 +1,3 @@
-resource "aws_secretsmanager_secret" "identities_account_id" {
- name = "${local.prefix}--nhs-identities-account-id"
-}
-
resource "aws_secretsmanager_secret" "qa_smoke_test_apigee_app" {
name = "${local.prefix}--qa--apigee-app--smoke-test"
description = "APIGEE App used to run Smoke Tests against the QA environment"