From e1f061c7e3dc5f1fd3aaa8517d00232b86d36e8c Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Wed, 10 Dec 2025 10:00:27 +0000
Subject: [PATCH 01/48] [ndr-297] Added helper script to extract tf state from environments.
---
 pre_core/Makefile | 39 ++
 pre_core/iam_github_dev.tf | 957 ++++++++++++++++++++++++++++++++
 pre_core/iam_github_pre-prod.tf | 918 ++++++++++++++++++++++++++++++
 pre_core/iam_github_test.tf | 719 ++++++++++++++++++++++++
 pre_core/policy_tool.py | 98 ++++
 pre_core/providers.tf | 6 +
 pre_core/terraform.tf | 22 +
 pre_core/variables.tf | 15 +
 8 files changed, 2774 insertions(+)
 create mode 100644 pre_core/Makefile
 create mode 100644 pre_core/iam_github_dev.tf
 create mode 100644 pre_core/iam_github_pre-prod.tf
 create mode 100644 pre_core/iam_github_test.tf
 create mode 100644 pre_core/policy_tool.py
 create mode 100644 pre_core/providers.tf
 create mode 100644 pre_core/terraform.tf
 create mode 100644 pre_core/variables.tf
diff --git a/pre_core/Makefile b/pre_core/Makefile
new file mode 100644
index 000000000..f7571247e
--- /dev/null
+++ b/pre_core/Makefile
@@ -0,0 +1,39 @@
+# var-file := $(account).tfvars
+
+guard-%:
+ @ if [ "${${*}}" = "" ]; then \
+ echo "env var: $* not set"; \
+ exit 1; \
+ fi
+
+clean:
+ find . -type d -name .terraform -exec rm -rf "{}" \; 2>/dev/null || true
+ find . -type d -name terraform.tfstate.d -exec rm -rf "{}" \; 2>/dev/null || true
+ find . -name .terraform.plan -type f -delete 2>/dev/null || true
+ find . -name errored.tfstate -type f -delete 2>/dev/null || true
+ find . -name .tfplan.exit -type f -delete 2>/dev/null || true
+ find . -name external-vars.json -type f -delete 2>/dev/null || true
+ find . -name terraform.tfstate -type f -delete 2>/dev/null || true
+
+tf-format-check:
+ terraform fmt -check -recursive
+
+tf-format:
+ terraform fmt --recursive
+
+init: guard-aws_account_id guard-env
+ terraform init -var environment=${env} -var aws_account_id=${aws_account_id}
+
+plan: guard-aws_account_id guard-env
+ terraform plan -out=tfplan -var environment=${env} -var aws_account_id=${aws_account_id}
+
+
+# TEMP FUNCTIONS
+
+import-github-policies: guard-aws_account_id guard-env guard-role
+ python policy_tool.py import ${aws_account_id} ${env} ${role}
+ rm dummy_import_${env}.tf
+
+generate-tf-file: guard-aws_account_id guard-env guard-role
+ python policy_tool.py generate-tf-file ${aws_account_id} ${env} ${role}
+ mv imported_${env}.tf.txt iam_github_${env}.tf
diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf
new file mode 100644
index 000000000..6aa6dde02
--- /dev/null
+++ b/pre_core/iam_github_dev.tf
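Review bot: The `import-github-policies` and `generate-tf-file` recipes splice `${env}` straight into `rm dummy_import_${env}.tf` and `mv imported_${env}.tf.txt iam_github_${env}.tf`, and `guard-%` only rejects an empty value, so a mistyped or path-like `env` removes or renames the wrong file in `pre_core/`. Since the only environments this commit ships files for are `dev`, `test` and `pre-prod` (per the diffstat), a membership check is cheap and an explicit rule overrides the pattern rule: `guard-env: ; @case "${env}" in dev|test|pre-prod) ;; *) echo "env must be one of dev|test|pre-prod"; exit 1;; esac`. Separately, none of the targets are declared phony, so a file named `clean`, `init` or `plan` in the directory would silently skip its recipe; add `.PHONY: clean tf-format-check tf-format init plan import-github-policies generate-tf-file` near the top.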
@@ -0,0 +1,957 @@ +# aws_iam_role.github_role_dev[0]: +resource "aws_iam_role" "github_role_dev" { + count = var.environment == "dev" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ + { + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] + } + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" + } + }, + ] + Version = "2012-10-17" + } + ) + description = "This role is to provide access for GitHub actions to the development environment. 
" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/config-policy", + "arn:aws:iam::${var.aws_account_id}:policy/ecr-github-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github_actions_terraform_full", + "arn:aws:iam::${var.aws_account_id}:policy/github_mtls_gateway", + "arn:aws:iam::${var.aws_account_id}:policy/github_terraform_tagging_policy", + "arn:aws:iam::${var.aws_account_id}:policy/lambda-github-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/repo_app_config", + "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-dynamodb-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-s3-access-policy", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "github-actions-dev-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudtrail" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:StartLogging", + "cloudtrail:DeleteTrail", + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", + ] + Sid = "VisualEditor0" + }, + { + Action = "organizations:ListAWSServiceAccessForOrganization" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + 
"logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" + Sid = "Statement1" + }, + { + Action = [ + "logs:PutDeliverySource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", + ] + Sid = "Statement2" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-actions-waf-override" + policy = jsonencode( + { + Statement = [ + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda_layer_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", 
+ ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step-functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } +} + + +# aws_iam_policy.config_policy_dev[0]: +resource "aws_iam_policy" "config_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = null + name = "config-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "config:DeleteDeliveryChannel", + "config:PutConfigurationRecorder", + "config:StopConfigurationRecorder", + "config:StartConfigurationRecorder", + "config:PutDeliveryChannel", + "config:DeleteConfigurationRecorder", + "config:DescribeConfigurationRecorderStatus", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.ecr_github_access_policy_dev[0]: +resource "aws_iam_policy" "ecr_github_access_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "ecr-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + ] + Effect = "Allow" + Resource = "arn:aws:ecr:eu-west-2:*:repository/*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_actions_terraform_full_dev[0]: +resource "aws_iam_policy" "github_actions_terraform_full_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "All permissions required for Terraform to do its thing." + name = "github_actions_terraform_full" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "scheduler:DeleteSchedule", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "dynamodb:BatchWriteItem", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "lambda:PublishVersion", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "dynamodb:UpdateTable", + "ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + "ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "logs:DeleteMetricFilter", + "sqs:createqueue", + "iam:DeleteRolePolicy", + 
"application-autoscaling:TagResource", + "ec2:ReleaseAddress", + "lambda:UpdateEventSourceMapping", + "elasticloadbalancing:CreateLoadBalancer", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "iam:CreateServiceLinkedRole", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:UpdateAssumeRolePolicy", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "ecs:UpdateService", + "elasticloadbalancing:DescribeLoadBalancers", + "ssm:DeleteParameter", + "cloudfront:*", + "kms:GetKeyRotationStatus", + "dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + "ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "ses:VerifyDomainDkim", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "ecs:CreateService", + "elasticloadbalancing:CreateListener", + "kms:ScheduleKeyDeletion", + "ecr:DescribeRepositories", + "ecs:DescribeServices", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "kms:ListKeys", + "events:PutTargets", + "lambda:AddPermission", + "ecr:SetRepositoryPolicy", + "ec2:DeleteSecurityGroup", + "application-autoscaling:DeregisterScalableTarget", + "backup:DeleteBackupPlan", + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "sqs:DeleteMessage", + "elasticloadbalancing:ModifyListener", + 
"cloudwatch:DeleteAlarms", + "secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "dynamodb:CreateTable", + "ec2:RevokeSecurityGroupIngress", + "lambda:UpdateFunctionCode", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + "ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "ec2:DisassociateAddress", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "apigateway:SetWebACL", + "backup:CreateBackupSelection", + "scheduler:UpdateSchedule", + "ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "backup:DeleteBackupVault", + "lambda:UpdateFunctionConfiguration", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "lambda:EnableReplication", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + "backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + 
"elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "route53:ChangeResourceRecordSets", + "ec2:CreateRouteTable", + "ec2:DetachInternetGateway", + "ecr:DeleteLifecyclePolicy", + "logs:CreateLogGroup", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "ec2:DeleteTags", + "lambda:GetLayerVersion", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "kms:DescribeKey", + "application-autoscaling:ListTagsForResource", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "kms:UpdateKeyDescription", + "logs:DescribeLogGroups", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "scheduler:CreateSchedule", + "logs:PutRetentionPolicy", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "cognito-idp:*", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_mtls_gateway_dev[0]: +resource "aws_iam_policy" "github_mtls_gateway_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "github_mtls_gateway" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_terraform_tagging_policy_dev[0]: +resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "github_terraform_tagging_policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.aws_account_id}:function:*", + "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", + "arn:aws:iam::${var.aws_account_id}:role/*", + "arn:aws:iam::${var.aws_account_id}:policy/*", + "arn:aws:sns:*:${var.aws_account_id}:*", + "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", + "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", + "arn:aws:events:*:${var.aws_account_id}:event-bus/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = 
"2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.lambda_github_access_policy_dev[0]: +resource "aws_iam_policy" "lambda_github_access_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "These permissions allow GitHub to push to a Lambda function." + name = "lambda-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "s3:PutObject", + "lambda:UpdateFunctionCode", + "kms:TagResource", + "kms:UntagResource", + "kms:Encrypt", + "kms:Decrypt", + "lambda:InvokeFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "lambda:DeleteFunctionConcurrency", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${var.aws_account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + { + Action = "iam:ListRoles" + Effect = "Allow" + Resource = "arn:aws:lambda:eu-west-2:*:function:*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.repo_app_config_dev[0]: +resource "aws_iam_policy" "repo_app_config_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "repo_app_config" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "appconfig:ListTagsForResource", + "appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + "appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: +resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = "Dynamo DB specific access policies required by terraform via GitHub" + name = "terraform-github-dynamodb-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + ] + Effect = "Allow" + Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.terraform_github_s3_access_policy_dev[0]: +resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "S3 specific access policies required by terraform via GitHub" + name = "terraform-github-s3-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = "s3:ListBucket" + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" + }, + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:DeleteBucketPolicy", + "s3:PutBucketPolicy", + ] + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + diff --git a/pre_core/iam_github_pre-prod.tf b/pre_core/iam_github_pre-prod.tf new file mode 100644 index 000000000..8e91b4294 --- /dev/null +++ b/pre_core/iam_github_pre-prod.tf 
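Review bot: The trust policy at the top of the hunk accepts any `sub` matching `repo:NHSDigital/national-document-repository-infrastructure:*` and `repo:NHSDigital/national-document-repository:*`, so a workflow on any branch, tag or pull request of those repositories that requests an OIDC token can assume `github-actions-dev-role`, and that role carries `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion` and `iam:PassRole` on `Resource = "*"` in `github_actions_terraform_full_dev` with `permissions_boundary = null` on the role. Taken together that lets the workflow grant itself any permission in the account, so the `ReadOnlyAccess` attachment and the scoped inline policies are not an effective ceiling; the same `:*` subject pattern appears in the pre-prod hunk for `Github-Actions-pre-prod-role`. If this commit is only codifying existing state (the `# aws_iam_role.github_role_dev[0]:` header suggests a `terraform show` dump), add a comment above the `StringLike` block such as `# TODO: restrict sub to ref:refs/heads/<branch> or environment:<name> and set permissions_boundary before this role is reused`, otherwise narrow the `sub` list now. Separately, `managed_policy_arns` names the sibling policies by literal ARN rather than `aws_iam_policy.config_policy_dev[0].arn`, so Terraform sees no dependency and a fresh apply (as opposed to the intended import) may try to create the role before the policies exist.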
@@ -0,0 +1,918 @@ +# aws_iam_role.github_role_pre-prod[0]: +resource "aws_iam_role" "github_role_pre-prod" { + count = var.environment == "pre-prod" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ + { + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] + } + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:sts::${var.aws_account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk" + } + }, + ] + Version = "2012-10-17" + } + ) + description = "This role is to provide access for GitHub actions to the pre-prod environment. 
" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/github-actions-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github-extended-policy-1", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "Github-Actions-pre-prod-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudfront_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:UpdateOriginAccessControl", + "cloudfront:CreateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:ListTagsLogGroup", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "logs:DeleteMetricFilter", + "logs:DescribeLogGroups", + "logs:PutRetentionPolicy", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutResourcePolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "AllowLogGroup" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecr_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:InitiateLayerUpload", + "ecr:BatchDeleteImage", + "ecr:CompleteLayerUpload", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart", + ] + Effect = "Allow" + Resource = [ + "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/ndr-pre-prod-app", + 
"arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/pre-prod-data-collection", + ] + Sid = "AllowAppAndOdsUpdate" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-extended-policy-virus-scanner" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ssm:CreateDocument", + "iam:TagRole", + "SNS:TagResource", + "cognito-idp:CreateUserPool", + "cognito-idp:TagResource", + "cognito-idp:SetUserPoolMfaConfig", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:DeleteInstanceProfile", + "cloudformation:CreateResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:CreateGroup", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:AdminAddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:DeleteFunctionConcurrency", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "lambda:InvokeFunction", + "lambda:UpdateFunctionCode", + "lambda:UpdateFunctionConfiguration", + "kms:CreateGrant", + "kms:Decrypt", + "kms:Encrypt", + "kms:TagResource", + "kms:UntagResource", + "s3:PutObject", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${var.aws_account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "mtls-gateway" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = 
"VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:GetGroupQuery", + "backup:TagResource", + "sns:TagResource", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "logs:UntagResource", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "logs:TagResource", + "events:TagResource", + "resource-groups:DeleteGroup", + 
"elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "iam:UntagInstanceProfile", + "events:UntagResource", + "iam:TagInstanceProfile", + ] + Effect = "Allow" + Resource = [ + "arn:aws:events:*:${var.aws_account_id}:event-bus/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", + "arn:aws:lambda:*:${var.aws_account_id}:function:*", + "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", + "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", + "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", + "arn:aws:iam::${var.aws_account_id}:policy/*", + "arn:aws:iam::${var.aws_account_id}:instance-profile/*", + "arn:aws:iam::${var.aws_account_id}:role/*", + "arn:aws:sns:*:${var.aws_account_id}:*", + 
"arn:aws:logs:*:${var.aws_account_id}:log-group:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery-source:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery:*", + "arn:aws:logs:*:${var.aws_account_id}:destination:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery-destination:*", + "arn:aws:logs:*:${var.aws_account_id}:anomaly-detector:*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "AllowIdentityPool" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "AllowAppMonitor" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "AllowRumServiceLogs" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "AllowRumServiceAllLogs" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "scheduler_policy" + 
policy = jsonencode( + { + Statement = [ + { + Action = "scheduler:DeleteSchedule" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step_functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "arn:aws:states:eu-west-2:${var.aws_account_id}:stateMachine:*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } +} + + +# aws_iam_policy.github_actions_policy_pre-prod[0]: +resource "aws_iam_policy" "github_actions_policy_pre-prod" { + count = var.environment == "pre-prod" ? 1 : 0 + description = null + name = "github-actions-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "apigateway:DELETE", + "apigateway:PATCH", + "apigateway:POST", + "apigateway:PUT", + "cloudwatch:DeleteAlarms", + "cloudwatch:PutMetricAlarm", + "dynamodb:CreateTable", + "dynamodb:DeleteItem", + "dynamodb:DeleteTable", + "dynamodb:DescribeContinuousBackups", + "dynamodb:DescribeTable", + "dynamodb:DescribeTimeToLive", + "dynamodb:GetItem", + "dynamodb:ListTagsOfResource", + "dynamodb:PutItem", + "dynamodb:TagResource", + "dynamodb:UpdateTimeToLive", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateDefaultVpc", + "ec2:CreateInternetGateway", + "ec2:CreateRoute", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:CreateVpcEndpoint", + "ec2:DeleteInternetGateway", + "ec2:DeleteRoute", + "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", + "ec2:DeleteSubnet", + "ec2:DeleteVpc", + "ec2:DeleteVpcEndpoints", + "ec2:DescribeAvailabilityZones", + 
"ec2:DescribeInternetGateways", + "ec2:DescribePrefixLists", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroupRules", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcs", + "ec2:DetachInternetGateway", + "ec2:DisassociateRouteTable", + "ec2:ModifyVpcAttribute", + "ec2:ModifyVpcEndpoint", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ecr:CreateRepository", + "ecr:DeleteLifecyclePolicy", + "ecr:DeleteRepository", + "ecr:DeleteRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:GetAuthorizationToken", + "ecr:GetLifecyclePolicy", + "ecr:GetRepositoryPolicy", + "ecr:ListTagsForResource", + "ecr:PutLifecyclePolicy", + "ecr:SetRepositoryPolicy", + "ecr:TagResource", + "ecs:CreateCluster", + "ecs:CreateService", + "ecs:DeleteCluster", + "ecs:DeleteService", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeClusters", + "ecs:DescribeServices", + "ecs:DescribeTaskDefinition", + "ecs:RegisterTaskDefinition", + "ecs:UpdateService", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:SetSecurityGroups", + "events:PutRule", + "events:PutTargets", + "iam:AttachRolePolicy", + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:CreateRole", + "iam:DeletePolicy", + "iam:DeletePolicyVersion", + "iam:DeleteRole", + 
"iam:DeleteRolePolicy", + "iam:DetachRolePolicy", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PassRole", + "iam:PutRolePolicy", + "kms:RetireGrant", + "lambda:AddPermission", + "lambda:CreateEventSourceMapping", + "lambda:DeleteEventSourceMapping", + "lambda:DeleteFunction", + "lambda:GetPolicy", + "lambda:RemovePermission", + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:DescribeLogGroups", + "logs:ListTagsLogGroup", + "route53:AssociateVPCWithHostedZone", + "route53:ChangeResourceRecordSets", + "route53:GetChange", + "route53:GetHostedZone", + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource", + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:DeleteBucketPolicy", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersion", + "s3:DeleteObjectVersionTagging", + "s3:GetAccelerateConfiguration", + "s3:GetBucketAcl", + "s3:GetBucketCORS", + "s3:GetBucketLogging", + "s3:GetBucketObjectLockConfiguration", + "s3:GetBucketOwnershipControls", + "s3:GetBucketPolicy", + "s3:GetBucketRequestPayment", + "s3:GetBucketTagging", + "s3:GetBucketVersioning", + "s3:GetBucketWebsite", + "s3:GetEncryptionConfiguration", + "s3:GetLifecycleConfiguration", + "s3:GetObject", + "s3:GetReplicationConfiguration", + "s3:ListBucket", + "s3:PutBucketAcl", + "s3:PutBucketCORS", + "s3:PutBucketOwnershipControls", + "s3:PutBucketPolicy", + "s3:PutBucketTagging", + "s3:PutLifecycleConfiguration", + "s3:PutObject", + "secretsmanager:DeleteSecret", + "sns:CreateTopic", + "sns:DeleteTopic", + "sns:SetTopicAttributes", + "sns:Subscribe", + "sns:Unsubscribe", + "sqs:DeleteMessage", + "sqs:DeleteQueue", + "sqs:ListQueues", + "sqs:createqueue", + "sqs:setqueueattributes", + "ssm:AddTagsToResource", + "ssm:DeleteParameter", + "ssm:PutParameter", + "events:RemoveTargets", + "wafv2:CreateRegexPatternSet", + "wafv2:TagResource", + 
"wafv2:CreateWebACL", + "wafv2:AssociateWebACL", + "elasticloadbalancing:SetWebACL", + "events:DeleteRule", + "wafv2:DeleteRegexPatternSet", + "wafv2:DeleteWebACL", + "s3:PutIntelligentTieringConfiguration", + "ecs:UntagResource", + "lambda:UpdateFunctionConfiguration", + "lambda:UpdateFunctionCode", + "sqs:tagqueue", + "kms:TagResource", + "wafv2:UpdateWebACL", + "dynamodb:UpdateTable", + "kms:CreateKey", + "dynamodb:UpdateContinuousBackups", + "backup:CreateBackupVault", + "application-autoscaling:RegisterScalableTarget", + "application-autoscaling:TagResource", + "s3:PutBucketVersioning", + "kms:CreateAlias", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:EnableKeyRotation", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListKeys", + "kms:ListResourceTags", + "kms:PutKeyPolicy", + "kms:UntagResource", + "kms:UpdateAlias", + "kms:UpdateKeyDescription", + "kms:ScheduleKeyDeletion", + "application-autoscaling:PutScalingPolicy", + "application-autoscaling:DeleteScalingPolicy", + "application-autoscaling:DeregisterScalableTarget", + "application-autoscaling:UntagResource", + "application-autoscaling:ListTagsForResource", + "cloudwatch:TagResource", + "cloudwatch:UntagResource", + "cloudwatch:ListTagsForResource", + "backup-storage:MountCapsule", + "backup:CreateBackupPlan", + "lambda:PutFunctionConcurrency", + "backup:CreateBackupSelection", + "backup:UpdateBackupPlan", + "backup:DescribeBackupJob", + "backup:ListTags", + "backup:TagResource", + "backup:DeleteBackupVault", + "backup:DeleteBackupSelection", + "iam:UpdateRoleDescription", + "logs:PutMetricFilter", + "ec2:AllocateAddress", + "ec2:CreateNatGateway", + "scheduler:CreateSchedule", + "scheduler:UpdateSchedule", + ] + Effect = "Allow" + Resource = "*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_extended_policy_1_pre-prod[0]: +resource "aws_iam_policy" "github_extended_policy_1_pre-prod" { + count 
= var.environment == "pre-prod" ? 1 : 0 + description = "more required items for GitHub access" + name = "github-extended-policy-1" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "appconfig:StartDeployment", + "elasticloadbalancing:ModifyListener", + "appconfig:TagResource", + "appconfig:CreateDeploymentStrategy", + "lambda:ListLayers", + "ecs:TagResource", + "appconfig:DeleteHostedConfigurationVersion", + "lambda:PublishVersion", + "dynamodb:UpdateTable", + "ec2:DisassociateAddress", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "lambda:RemoveLayerVersionPermission", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "logs:DeleteMetricFilter", + "apigateway:SetWebACL", + "ec2:DescribeAvailabilityZones", + "backup:CreateBackupSelection", + "kms:CreateKey", + "ec2:ReleaseAddress", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "lambda:UpdateEventSourceMapping", + "backup:DeleteBackupVault", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "elasticloadbalancing:DeleteTargetGroup", + "appconfig:CreateEnvironment", + "backup:DescribeBackupVault", + "events:DeleteRule", + "iam:CreateServiceLinkedRole", + "appconfig:DeleteDeploymentStrategy", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "appconfig:CreateApplication", + "ec2:AssociateRouteTable", + "ec2:DescribeInternetGateways", + "elasticloadbalancing:DeleteLoadBalancer", + "backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "lambda:ListLayerVersions", + "ec2:DescribeRouteTables", + "elasticloadbalancing:ModifyTargetGroupAttributes", + 
"application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "ec2:CreateRouteTable", + "route53:ChangeResourceRecordSets", + "lambda:AddLayerVersionPermission", + "ec2:DetachInternetGateway", + "logs:CreateLogGroup", + "ecr:DeleteLifecyclePolicy", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:PutMetricFilter", + "ec2:DescribeSecurityGroupRules", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "s3:PutBucketLogging", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "appconfig:CreateConfigurationProfile", + "route53:GetChange", + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "ses:VerifyDomainDkim", + "lambda:CreateEventSourceMapping", + "lambda:GetLayerVersionPolicy", + "kms:TagResource", + "dynamodb:TagResource", + "elasticloadbalancing:DescribeListeners", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "appconfig:CreateHostedConfigurationVersion", + "lambda:DeleteLayerVersion", + "application-autoscaling:ListTagsForResource", + "kms:DescribeKey", + "ec2:ModifyVpcAttribute", + "ecs:UntagResource", + "ecr:DeleteRepositoryPolicy", + "s3:GetBucketPublicAccessBlock", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "s3:PutBucketPublicAccessBlock", + "logs:DescribeLogGroups", + "kms:UpdateKeyDescription", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "lambda:DeleteFunctionConcurrency", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "s3:PutBucketNotification", + "iam:UpdateAssumeRolePolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = 
"2012-10-17"
+ }
+ )
+ tags = {}
+ tags_all = {}
+}
+
+
diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf
new file mode 100644
index 000000000..26570ccb9
--- /dev/null
+++ b/pre_core/iam_github_test.tf
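Review bot: The trust policy of `aws_iam_role.github_role_pre-prod` carries a second `sts:AssumeRole` statement whose principal is a single SSO session ARN (`assumed-role/AWSReservedSSO_…/<user session>`), which lets that one person assume the CI role interactively with the full GitHub Actions permission set; if this is a deliberate break-glass path it should be recorded next to the statement, e.g. `# NOTE(review): interactive assume for one SSO session — confirm still needed or remove`, otherwise it should be dropped before this import lands. The role also has `permissions_boundary = null` while `github_actions_policy_pre-prod` and `github_extended_policy_1_pre-prod` grant `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:CreatePolicyVersion`, `iam:PassRole` and `iam:UpdateAssumeRolePolicy` on `Resource = "*"`, so the role can create or re-trust any role in the account, including its own; since the file is a faithful import, a comment recording this as a known finding plus a follow-up to add a permissions boundary and resource ARNs on the `iam:*` statements would keep the review trail honest. Minor: `ecr_policy` lists `ecr:InitiateLayerUpload` twice, and the `mtls-gateway` statements `VisualEditor1` and `VisualEditor4` are identical (and `VisualEditor3` is subsumed by `VisualEditor2`), which is worth a comment so the next editor does not assume they differ.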
@@ -0,0 +1,719 @@ +# aws_iam_role.github_role_test[0]: +resource "aws_iam_role" "github_role_test" { + count = var.environment == "test" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ + { + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] + } + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + ] + Version = "2012-10-17" + } + ) + description = "This role is for the deployment of infrastructure and code from GitHub" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy-2", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "github-action-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudfront_policies" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:CreateOriginRequestPolicy", + "cloudfront:DeleteOriginRequestPolicy", + "cloudfront:UpdateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + 
policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:GetGroupQuery", + "backup:TagResource", + "sns:TagResource", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "logs:UntagResource", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "logs:TagResource", + "events:TagResource", + "resource-groups:DeleteGroup", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "iam:UntagInstanceProfile", + "events:UntagResource", + "iam:TagInstanceProfile", + ] + Effect = "Allow" + Resource = [ + "arn:aws:events:*:694282683086:event-bus/*", + "arn:aws:events:*:694282683086:rule/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + 
"arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:lambda:*:694282683086:event-source-mapping:*", + "arn:aws:lambda:*:694282683086:code-signing-config:*", + "arn:aws:lambda:*:694282683086:function:*", + "arn:aws:cognito-identity:*:694282683086:identitypool/*", + "arn:aws:resource-groups:*:694282683086:group/*", + "arn:aws:backup:*:694282683086:backup-plan:*", + "arn:aws:backup:*:694282683086:report-plan:*-*", + "arn:aws:backup:*:694282683086:restore-testing-plan:*-*", + "arn:aws:backup:*:694282683086:backup-vault:*", + "arn:aws:backup:*:694282683086:legal-hold:*", + "arn:aws:backup:*:694282683086:framework:*-*", + "arn:aws:iam::694282683086:policy/*", + "arn:aws:iam::694282683086:instance-profile/*", + "arn:aws:iam::694282683086:role/*", + "arn:aws:sns:*:694282683086:*", + "arn:aws:logs:*:694282683086:log-group:*", + "arn:aws:logs:*:694282683086:delivery-source:*", + "arn:aws:logs:*:694282683086:delivery:*", + "arn:aws:logs:*:694282683086:destination:*", + "arn:aws:logs:*:694282683086:delivery-destination:*", + "arn:aws:logs:*:694282683086:anomaly-detector:*", + "*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + 
"arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + "arn:aws:events:*:694282683086:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + 
"rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "scheduler-policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "scheduler:TagResource", + "scheduler:CreateSchedule", + "scheduler:UntagResource", + "scheduler:DeleteSchedule", + "scheduler:UpdateSchedule", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "virus-scan-cognito" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-idp:TagResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:CreateGroup", + "cognito-idp:CreateUserPool", + "cognito-idp:SetUserPoolMfaConfig", + "cognito-idp:AdminAddUserToGroup", + "cloudformation:CreateResource", + "cloudformation:DeleteResource", + "cognito-idp:DeleteGroup", + "appconfig:DeleteEnvironment", + "appconfig:DeleteConfigurationProfile", + "iam:RemoveRoleFromInstanceProfile", + "cognito-idp:DeleteUserPoolClient", + "cognito-idp:AdminRemoveUserFromGroup", + "cognito-idp:AdminDeleteUser", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } +} + + +# 
aws_iam_policy.github_action_policy_test[0]: +resource "aws_iam_policy" "github_action_policy_test" { + count = var.environment == "test" ? 1 : 0 + description = null + name = "github-action-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + "ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "sqs:createqueue", + "iam:DeleteRolePolicy", + "application-autoscaling:TagResource", + "elasticloadbalancing:CreateLoadBalancer", + "lambda:UpdateEventSourceMapping", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "elasticloadbalancing:DescribeLoadBalancers", + "ecs:UpdateService", + "ssm:DeleteParameter", + "kms:GetKeyRotationStatus", + "dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + 
"ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "elasticloadbalancing:CreateListener", + "ecs:CreateService", + "kms:ScheduleKeyDeletion", + "ecs:DescribeServices", + "ecr:DescribeRepositories", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "events:PutTargets", + "kms:ListKeys", + "lambda:AddPermission", + "ec2:DeleteSecurityGroup", + "ecr:SetRepositoryPolicy", + "application-autoscaling:DeregisterScalableTarget", + "backup:DeleteBackupPlan", + "sqs:DeleteMessage", + "cloudwatch:DeleteAlarms", + "secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "ec2:RevokeSecurityGroupIngress", + "dynamodb:CreateTable", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + "ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "backup:CreateBackupSelection", + 
"ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "backup:DeleteBackupVault", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "iam:CreateRole", + "sns:Unsubscribe", + "iam:AttachRolePolicy", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + "iam:DetachRolePolicy", + "backup:DeleteBackupSelection", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "ec2:CreateRouteTable", + "route53:ChangeResourceRecordSets", + "ec2:DetachInternetGateway", + "logs:CreateLogGroup", + "ecr:DeleteLifecyclePolicy", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "ssm:PutParameter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "application-autoscaling:ListTagsForResource", + "kms:DescribeKey", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "logs:DescribeLogGroups", + "kms:UpdateKeyDescription", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "cloudwatch:PutMetricAlarm", + 
"cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "iam:DeletePolicyVersion", + "lambda:GetPolicy", + "ecr:GetRepositoryPolicy", + "ec2:AllocateAddress", + "ec2:ReleaseAddress", + "ec2:DisassociateAddress", + "logs:PutMetricFilter", + "logs:DeleteMetricFilter", + "ses:VerifyDomainIdentity", + "ses:VerifyDomainDkim", + "ses:DeleteIdentity", + "ses:SetIdentityMailFromDomain", + "dynamodb:UpdateTable", + "elasticloadbalancing:ModifyListener", + "lambda:GetLayerVersion", + "iam:CreatePolicyVersion", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "s3:PutObject", + "iam:ListRoles", + "lambda:UpdateFunctionCode", + "lambda:CreateFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "appconfig:ListTagsForResource", + "appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + "ecr:PutImage", + ] + Effect = "Allow" + Resource = [ + "*", + ] + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_action_policy_2_test[0]: +resource "aws_iam_policy" "github_action_policy_2_test" { + count = var.environment == "test" ? 
1 : 0 + description = null + name = "github-action-policy-2" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "acm:AddTagsToCertificate", + "ecs:PutClusterCapacityProviders", + "backup:ListRecoveryPointsByBackupVault", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + "appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + 
"lambda:RemoveLayerVersionPermission", + "lambda:DeleteFunctionConcurrency", + "lambda:PublishVersion", + "iam:CreateServiceLinkedRole", + "iam:UpdateAssumeRolePolicy", + "elasticloadbalancing:ModifyListenerAttributes", + "apigateway:SetWebACL", + "backup:ListRecoveryPointsByBackupVault", + "iam:UpdateAssumeRolePolicy", + "iam:TagRole", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:TagPolicy", + "ssm:CreateDocument", + "ssm:DeleteDocument", + "sns:TagResource", + "ec2:DeleteNetworkInterface", + "resource-groups:DeleteGroup", + "events:TagResource", + "kms:Encrypt", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "*", + ] + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + diff --git a/pre_core/policy_tool.py b/pre_core/policy_tool.py new file mode 100644 index 000000000..d70f6abd4 --- /dev/null +++ b/pre_core/policy_tool.py 
@@ -0,0 +1,98 @@ +import json +import os +import subprocess +import sys + + +def get_policy_names(env, role_name): + filename = f"../infrastructure/iam_roles/{env}_{role_name}.json" + with open(filename, 'r') as file: + policies = json.load(file) + attached_policies = [p for p in policies["attached"] if p != "ReadOnlyAccess"] + return sorted(attached_policies) + + +def create_dummy_resources(env, policy_names): + filename = f"dummy_import_{env}.tf" + with open(filename, 'w') as file: + file.write(f'resource "aws_iam_role" "github_role_{env}" {{\n') + file.write(f' count = var.environment == "{env}" ? 1 : 0\n') + file.write('}\n\n') + + for policy_name in policy_names: + file.write(f'resource "aws_iam_policy" "{policy_name.replace("-", "_")}_{env}" {{\n') + file.write(f' count = var.environment == "{env}" ? 1 : 0\n') + file.write('}\n\n') + + +def run_command(command): + print(f"Running command: {command}") + result = os.system(command) + if result != 0: + print(f"Command failed with exit code {result}") + sys.exit(result) + + +def import_resources(aws_account_id, env, role_name, policy_names): + run_command(f'terraform import -var environment={env} -var aws_account_id={aws_account_id} aws_iam_role.github_role_{env}[0] {role_name}') + for policy_name in policy_names: + resource_name = policy_name.replace("-", "_") + run_command(f'terraform import -var environment={env} -var aws_account_id={aws_account_id} aws_iam_policy.{resource_name}_{env}[0] arn:aws:iam::{aws_account_id}:policy/{policy_name}') + + +def tidy_resource_file(aws_account_id, env, source): + ignore_lines = [ + "arn", + "attachment_count", + "policy_id", + "id", + "create_date", + "unique_id", +] + output = [] + for line in source.split("\n"): + if [i for i in ignore_lines if f" {i} " in line]: + continue + + if line.startswith("resource "): + output.append(line.rstrip()) + output.append(f' count = var.environment == "{env}" ? 
1 : 0') + continue + + # line = line.replace(aws_account_id, "${var.aws_account_id}") + output.append(line.replace(aws_account_id, "${var.aws_account_id}")) + + return "\n".join(output) + + +def generate_tf_file(aws_account_id, env, role_name, policy_names): + filename = f"imported_{env}.tf.txt" + with open(filename, 'w') as file: + command = f"terraform state show -no-color aws_iam_role.github_role_{env}[0]" + result = subprocess.run(command.split(" "), stdout=subprocess.PIPE).stdout.decode('utf-8') + file.write(f"{tidy_resource_file(aws_account_id, env, result)}\n\n") + + for policy_name in policy_names: + command = f"terraform state show -no-color aws_iam_policy.{policy_name.replace('-', '_')}_{env}[0]" + result = subprocess.run(command.split(" "), stdout=subprocess.PIPE).stdout.decode('utf-8') + file.write(f"{tidy_resource_file(aws_account_id, env, result)}\n\n") + + + + +command, aws_account_id, env, role_name = sys.argv[1:] +print(f"AWS Account ID: {aws_account_id}") +print(f"Command: {command}") + +if command == "import": + print("Importing policies...") + policy_names = get_policy_names(env, role_name) + print(policy_names) + create_dummy_resources(env, policy_names) + import_resources(aws_account_id, env, role_name, policy_names) + +if command == "generate-tf-file": + print("Generating TF file...") + policy_names = get_policy_names(env, role_name) + print(policy_names) + generate_tf_file(aws_account_id, env, role_name, policy_names) \ No newline at end of file diff --git a/pre_core/providers.tf b/pre_core/providers.tf new file mode 100644 index 000000000..cf2f7c229 --- /dev/null +++ b/pre_core/providers.tf @@ -0,0 +1,6 @@ +provider "aws" { + region = var.region + allowed_account_ids = [ + var.aws_account_id, + ] +} \ No newline at end of file diff --git a/pre_core/terraform.tf b/pre_core/terraform.tf new file mode 100644 index 000000000..5aacc3663 --- /dev/null +++ b/pre_core/terraform.tf 
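Review bot: run_command's failure path does not actually fail the caller: os.system returns the raw wait status on POSIX (256 for a terraform exit code of 1), and `sys.exit(256)` is truncated to exit status 0, so a failed `terraform import` lets whichever make target invoked `policy_tool.py import` carry on as if it had succeeded. The same functions build shell strings from the env/role/account-id arguments via f-strings, and the two `subprocess.run(command.split(" "), stdout=subprocess.PIPE)` calls in generate_tf_file never pass `check=True`, so a failing `terraform state show` silently writes blank lines into imported_{env}.tf.txt in place of that resource. Passing argv lists to subprocess.run with `check=True` fixes all three (CalledProcessError propagates and the interpreter exits non-zero). Separately, the account-id rewrite in tidy_resource_file is a plain substring replace of the id given on the command line, so any ARN carrying a different account id survives verbatim — the literal 694282683086 in the generated test policy file looks like such a case — which is worth a comment, or a post-check that the output contains no 12-digit id other than `${var.aws_account_id}`.
```python
def run_command(args):
    """Run one CLI invocation; a non-zero exit aborts the script with that status."""
    print(f"Running command: {' '.join(args)}")
    subprocess.run(args, check=True)


def import_resources(aws_account_id, env, role_name, policy_names):
    tf_vars = ["-var", f"environment={env}", "-var", f"aws_account_id={aws_account_id}"]
    run_command(["terraform", "import", *tf_vars, f"aws_iam_role.github_role_{env}[0]", role_name])
    for policy_name in policy_names:
        resource_name = policy_name.replace("-", "_")
        run_command(["terraform", "import", *tf_vars,
                     f"aws_iam_policy.{resource_name}_{env}[0]",
                     f"arn:aws:iam::{aws_account_id}:policy/{policy_name}"])

# … unchanged: tidy_resource_file …

def state_show(address):
    """Return `terraform state show` output for one address; fail loudly instead of returning ''."""
    result = subprocess.run(["terraform", "state", "show", "-no-color", address],
                            stdout=subprocess.PIPE, check=True)
    return result.stdout.decode("utf-8")

# in generate_tf_file, replace each subprocess.run(...) pair with:
#   result = state_show(f"aws_iam_role.github_role_{env}[0]")
#   result = state_show(f"aws_iam_policy.{policy_name.replace('-', '_')}_{env}[0]")
```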
@@ -0,0 +1,22 @@ +# Based on settings in infrastructure/main.tf +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + # awscc = { + # source = "hashicorp/awscc" + # version = "~> 1.0" + # } + } + + + # backend "s3" { + # use_lockfile = true + # region = "eu-west-2" + # # key = "ndr/terraform.tfstate" + # key = "ndr_pre_core/terraform.tfstate" + # encrypt = true + # } +} \ No newline at end of file diff --git a/pre_core/variables.tf b/pre_core/variables.tf new file mode 100644 index 000000000..b238a9e7d --- /dev/null +++ b/pre_core/variables.tf @@ -0,0 +1,15 @@ +variable "environment" { + description = "Environment to bootstrap (dev, pre-prod, prod, etc)" + type = string +} + +variable "region" { + type = string + default = "eu-west-2" + description = "The region to be used for bootstrapping" +} + +variable "aws_account_id" { + type = string + description = "The AWS Account ID (numeric)" +} From ce09860265cd37c8cd1f6a90990f45580a91e59c Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 10 Dec 2025 10:04:51 +0000 Subject: [PATCH 02/48] [ndr-297] formatting changes on tf files --- pre_core/iam_github_dev.tf | 1788 +++++++++++++++--------------- pre_core/iam_github_pre-prod.tf | 1794 +++++++++++++++---------------- pre_core/iam_github_test.tf | 1396 ++++++++++++------------ 3 files changed, 2489 insertions(+), 2489 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 6aa6dde02..6cdd7d86b 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf 
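Review bot: With the `backend "s3"` block commented out, `terraform init` keeps state in a local terraform.tfstate next to these files, and after the imports that file holds the live trust policies and policy documents of the GitHub Actions roles; if local state is intentional for this helper, say so, e.g. `# Backend deliberately disabled: state is local to this checkout and must not be committed.` If the block is meant to be enabled later, it currently has no `bucket` (only key, region, encrypt and use_lockfile), so it would need one or a -backend-config file before it can be used. `use_lockfile` is, as far as I recall, a fairly recent backend argument, so a `required_version` constraint next to `required_providers` would make the minimum Terraform version explicit.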
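Review bot: `aws_account_id` is described as numeric but nothing enforces it, and the value is interpolated into every ARN of the generated policy files and used as the substring that policy_tool.py rewrites, so a mistyped or truncated id would silently yield policies scoped to the wrong account (the provider's `allowed_account_ids` catches a provider/credential mismatch, not a bad ARN). A validation block on the variable pins the format at plan time; `environment` could likewise be restricted to the values the generated files test for (`dev`, `test`, `pre-prod`), but that list is only partly visible here.
```hcl
variable "aws_account_id" {
  type        = string
  description = "The AWS Account ID (numeric)"

  # Every ARN in the generated policy files embeds this value; reject anything
  # that is not a 12-digit account ID before it reaches a policy document.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
```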
@@ -1,957 +1,957 @@ # aws_iam_role.github_role_dev[0]: resource "aws_iam_role" "github_role_dev" { - count = var.environment == "dev" ? 1 : 0 - assume_role_policy = jsonencode( + count = var.environment == "dev" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" - } - }, - ] - Version = "2012-10-17" - } - ) - description = "This role is to provide access for GitHub actions to the development environment. 
" - force_detach_policies = false - managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/config-policy", - "arn:aws:iam::${var.aws_account_id}:policy/ecr-github-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github_actions_terraform_full", - "arn:aws:iam::${var.aws_account_id}:policy/github_mtls_gateway", - "arn:aws:iam::${var.aws_account_id}:policy/github_terraform_tagging_policy", - "arn:aws:iam::${var.aws_account_id}:policy/lambda-github-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/repo_app_config", - "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-dynamodb-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-s3-access-policy", - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "github-actions-dev-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} - - inline_policy { - name = "cloudtrail" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - "cloudtrail:DeleteTrail", - ] - Effect = "Allow" - Resource = [ - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", - ] - Sid = "VisualEditor0" - }, - { - Action = "organizations:ListAWSServiceAccessForOrganization" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - 
"logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" - Sid = "Statement1" - }, - { - Action = [ - "logs:PutDeliverySource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", - ] - Sid = "Statement2" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-actions-waf-override" - policy = jsonencode( - { - Statement = [ - { - Action = "apigateway:SetWebACL" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - }, - ] - Version = "2012-10-17" + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } - ) - } - inline_policy { - name = "lambda_layer_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - 
"rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step-functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] } - ) + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" + } + }, + ] + Version = "2012-10-17" } + ) + description = "This role is to provide access for GitHub actions to the development environment. 
" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/config-policy", + "arn:aws:iam::${var.aws_account_id}:policy/ecr-github-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github_actions_terraform_full", + "arn:aws:iam::${var.aws_account_id}:policy/github_mtls_gateway", + "arn:aws:iam::${var.aws_account_id}:policy/github_terraform_tagging_policy", + "arn:aws:iam::${var.aws_account_id}:policy/lambda-github-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/repo_app_config", + "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-dynamodb-access-policy", + "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-s3-access-policy", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "github-actions-dev-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudtrail" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:StartLogging", + "cloudtrail:DeleteTrail", + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", + ] + Sid = "VisualEditor0" + }, + { + Action = "organizations:ListAWSServiceAccessForOrganization" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + 
"logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" + Sid = "Statement1" + }, + { + Action = [ + "logs:PutDeliverySource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", + ] + Sid = "Statement2" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-actions-waf-override" + policy = jsonencode( + { + Statement = [ + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda_layer_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", 
+ ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step-functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } } # aws_iam_policy.config_policy_dev[0]: resource "aws_iam_policy" "config_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "config-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "config-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "config:DeleteDeliveryChannel", - "config:PutConfigurationRecorder", - "config:StopConfigurationRecorder", - "config:StartConfigurationRecorder", - "config:PutDeliveryChannel", - "config:DeleteConfigurationRecorder", - "config:DescribeConfigurationRecorderStatus", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "config:DeleteDeliveryChannel", + "config:PutConfigurationRecorder", + "config:StopConfigurationRecorder", + "config:StartConfigurationRecorder", + "config:PutDeliveryChannel", + "config:DeleteConfigurationRecorder", + "config:DescribeConfigurationRecorderStatus", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.ecr_github_access_policy_dev[0]: resource "aws_iam_policy" "ecr_github_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "ecr-github-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "ecr-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + ] + Effect = "Allow" + Resource = "arn:aws:ecr:eu-west-2:*:repository/*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.github_actions_terraform_full_dev[0]: resource "aws_iam_policy" "github_actions_terraform_full_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "All permissions required for Terraform to do its thing." - name = "github_actions_terraform_full" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 1 : 0 + description = "All permissions required for Terraform to do its thing." 
+ name = "github_actions_terraform_full" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "scheduler:DeleteSchedule", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "dynamodb:BatchWriteItem", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "lambda:PublishVersion", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "dynamodb:UpdateTable", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "logs:DeleteMetricFilter", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "ec2:ReleaseAddress", - "lambda:UpdateEventSourceMapping", - "elasticloadbalancing:CreateLoadBalancer", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "iam:CreateServiceLinkedRole", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:UpdateAssumeRolePolicy", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "ecs:UpdateService", - "elasticloadbalancing:DescribeLoadBalancers", - "ssm:DeleteParameter", - "cloudfront:*", - "kms:GetKeyRotationStatus", - 
"dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "ses:VerifyDomainDkim", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "ecs:CreateService", - "elasticloadbalancing:CreateListener", - "kms:ScheduleKeyDeletion", - "ecr:DescribeRepositories", - "ecs:DescribeServices", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "kms:ListKeys", - "events:PutTargets", - "lambda:AddPermission", - "ecr:SetRepositoryPolicy", - "ec2:DeleteSecurityGroup", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "sqs:DeleteMessage", - "elasticloadbalancing:ModifyListener", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "dynamodb:CreateTable", - "ec2:RevokeSecurityGroupIngress", - "lambda:UpdateFunctionCode", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - 
"ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "ec2:DisassociateAddress", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "scheduler:UpdateSchedule", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "backup:DeleteBackupVault", - "lambda:UpdateFunctionConfiguration", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "lambda:EnableReplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "ec2:DetachInternetGateway", - "ecr:DeleteLifecyclePolicy", - "logs:CreateLogGroup", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "ec2:DeleteTags", - 
"lambda:GetLayerVersion", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "scheduler:CreateSchedule", - "logs:PutRetentionPolicy", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "cognito-idp:*", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "scheduler:DeleteSchedule", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "dynamodb:BatchWriteItem", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "lambda:PublishVersion", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "dynamodb:UpdateTable", + "ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + 
"ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "logs:DeleteMetricFilter", + "sqs:createqueue", + "iam:DeleteRolePolicy", + "application-autoscaling:TagResource", + "ec2:ReleaseAddress", + "lambda:UpdateEventSourceMapping", + "elasticloadbalancing:CreateLoadBalancer", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "iam:CreateServiceLinkedRole", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:UpdateAssumeRolePolicy", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "ecs:UpdateService", + "elasticloadbalancing:DescribeLoadBalancers", + "ssm:DeleteParameter", + "cloudfront:*", + "kms:GetKeyRotationStatus", + "dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + "ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "ses:VerifyDomainDkim", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "ecs:CreateService", + "elasticloadbalancing:CreateListener", + "kms:ScheduleKeyDeletion", + "ecr:DescribeRepositories", + "ecs:DescribeServices", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "kms:ListKeys", + "events:PutTargets", + "lambda:AddPermission", + "ecr:SetRepositoryPolicy", + "ec2:DeleteSecurityGroup", + "application-autoscaling:DeregisterScalableTarget", + 
"backup:DeleteBackupPlan", + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "sqs:DeleteMessage", + "elasticloadbalancing:ModifyListener", + "cloudwatch:DeleteAlarms", + "secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "dynamodb:CreateTable", + "ec2:RevokeSecurityGroupIngress", + "lambda:UpdateFunctionCode", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + "ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "ec2:DisassociateAddress", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "apigateway:SetWebACL", + "backup:CreateBackupSelection", + "scheduler:UpdateSchedule", + "ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "backup:DeleteBackupVault", + "lambda:UpdateFunctionConfiguration", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "lambda:EnableReplication", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + 
"backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "route53:ChangeResourceRecordSets", + "ec2:CreateRouteTable", + "ec2:DetachInternetGateway", + "ecr:DeleteLifecyclePolicy", + "logs:CreateLogGroup", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "ec2:DeleteTags", + "lambda:GetLayerVersion", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "kms:DescribeKey", + "application-autoscaling:ListTagsForResource", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "kms:UpdateKeyDescription", + "logs:DescribeLogGroups", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "scheduler:CreateSchedule", + "logs:PutRetentionPolicy", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "cognito-idp:*", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.github_mtls_gateway_dev[0]: resource "aws_iam_policy" 
"github_mtls_gateway_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "github_mtls_gateway" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 1 : 0 + description = null + name = "github_mtls_gateway" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + 
Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.github_terraform_tagging_policy_dev[0]: resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "github_terraform_tagging_policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "github_terraform_tagging_policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${var.aws_account_id}:function:*", - "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", - "arn:aws:iam::${var.aws_account_id}:role/*", - "arn:aws:iam::${var.aws_account_id}:policy/*", - "arn:aws:sns:*:${var.aws_account_id}:*", - "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", - "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", - "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", - "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", - "arn:aws:events:*:${var.aws_account_id}:event-bus/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, - ] - Version = 
"2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.aws_account_id}:function:*", + "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", + "arn:aws:iam::${var.aws_account_id}:role/*", + "arn:aws:iam::${var.aws_account_id}:policy/*", + "arn:aws:sns:*:${var.aws_account_id}:*", + "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", + "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", + "arn:aws:events:*:${var.aws_account_id}:event-bus/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.lambda_github_access_policy_dev[0]: resource "aws_iam_policy" 
"lambda_github_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "These permissions allow GitHub to push to a Lambda function." - name = "lambda-github-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 1 : 0 + description = "These permissions allow GitHub to push to a Lambda function." + name = "lambda-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "s3:PutObject", - "lambda:UpdateFunctionCode", - "kms:TagResource", - "kms:UntagResource", - "kms:Encrypt", - "kms:Decrypt", - "lambda:InvokeFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "lambda:DeleteFunctionConcurrency", - "kms:CreateGrant", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${var.aws_account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - { - Action = "iam:ListRoles" - Effect = "Allow" - Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "lambda:CreateFunction", + "s3:PutObject", + "lambda:UpdateFunctionCode", + "kms:TagResource", + "kms:UntagResource", + "kms:Encrypt", + "kms:Decrypt", + "lambda:InvokeFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "lambda:DeleteFunctionConcurrency", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${var.aws_account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + { + Action = "iam:ListRoles" + Effect = "Allow" + Resource = "arn:aws:lambda:eu-west-2:*:function:*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.repo_app_config_dev[0]: resource 
"aws_iam_policy" "repo_app_config_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "repo_app_config" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 1 : 0 + description = null + name = "repo_app_config" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "appconfig:ListTagsForResource", + 
"appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + "appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "Dynamo DB specific access policies required by terraform via GitHub" - name = "terraform-github-dynamodb-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 
1 : 0 + description = "Dynamo DB specific access policies required by terraform via GitHub" + name = "terraform-github-dynamodb-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - ] - Effect = "Allow" - Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + ] + Effect = "Allow" + Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.terraform_github_s3_access_policy_dev[0]: resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "S3 specific access policies required by terraform via GitHub" - name = "terraform-github-s3-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "dev" ? 
1 : 0 + description = "S3 specific access policies required by terraform via GitHub" + name = "terraform-github-s3-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = "s3:ListBucket" - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" - }, - { - Action = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:DeleteBucketPolicy", - "s3:PutBucketPolicy", - ] - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = "s3:ListBucket" + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" + }, + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:DeleteBucketPolicy", + "s3:PutBucketPolicy", + ] + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } diff --git a/pre_core/iam_github_pre-prod.tf b/pre_core/iam_github_pre-prod.tf index 8e91b4294..9b701afd2 100644 --- a/pre_core/iam_github_pre-prod.tf +++ b/pre_core/iam_github_pre-prod.tf 
@@ -1,918 +1,918 @@ # aws_iam_role.github_role_pre-prod[0]: resource "aws_iam_role" "github_role_pre-prod" { - count = var.environment == "pre-prod" ? 1 : 0 - assume_role_policy = jsonencode( + count = var.environment == "pre-prod" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:sts::${var.aws_account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk" - } - }, - ] - Version = "2012-10-17" - } - ) - description = "This role is to provide access for GitHub actions to the pre-prod environment. 
" - force_detach_policies = false - managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/github-actions-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github-extended-policy-1", - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "Github-Actions-pre-prod-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} - - inline_policy { - name = "cloudfront_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:UpdateOriginAccessControl", - "cloudfront:CreateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowLogGroup" - }, - ] - Version = "2012-10-17" + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] } - ) - } - inline_policy { - name = "ecr_policy" - policy = jsonencode( - { - Statement = [ - { 
- Action = [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart", - ] - Effect = "Allow" - Resource = [ - "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/ndr-pre-prod-app", - "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/pre-prod-data-collection", - ] - Sid = "AllowAppAndOdsUpdate" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-extended-policy-virus-scanner" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "lambda" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${var.aws_account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = 
"VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "mtls-gateway" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - 
"resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:${var.aws_account_id}:event-bus/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", - "arn:aws:lambda:*:${var.aws_account_id}:function:*", - "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", - "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", - "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", - "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", - "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", - 
"arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", - "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", - "arn:aws:iam::${var.aws_account_id}:policy/*", - "arn:aws:iam::${var.aws_account_id}:instance-profile/*", - "arn:aws:iam::${var.aws_account_id}:role/*", - "arn:aws:sns:*:${var.aws_account_id}:*", - "arn:aws:logs:*:${var.aws_account_id}:log-group:*", - "arn:aws:logs:*:${var.aws_account_id}:delivery-source:*", - "arn:aws:logs:*:${var.aws_account_id}:delivery:*", - "arn:aws:logs:*:${var.aws_account_id}:destination:*", - "arn:aws:logs:*:${var.aws_account_id}:delivery-destination:*", - "arn:aws:logs:*:${var.aws_account_id}:anomaly-detector:*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" - Sid = "AllowIdentityPool" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" - Sid = "AllowAppMonitor" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" - Sid = "AllowRumServiceLogs" - }, - { - Action = [ - 
"logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowRumServiceAllLogs" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "scheduler_policy" - policy = jsonencode( - { - Statement = [ - { - Action = "scheduler:DeleteSchedule" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step_functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "arn:aws:states:eu-west-2:${var.aws_account_id}:stateMachine:*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:sts::${var.aws_account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk" + } + }, + ] + Version = "2012-10-17" } + ) + description = "This role is to provide access for GitHub actions to the pre-prod environment. 
" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/github-actions-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github-extended-policy-1", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "Github-Actions-pre-prod-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudfront_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:UpdateOriginAccessControl", + "cloudfront:CreateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:ListTagsLogGroup", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "logs:DeleteMetricFilter", + "logs:DescribeLogGroups", + "logs:PutRetentionPolicy", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutResourcePolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "AllowLogGroup" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecr_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:InitiateLayerUpload", + "ecr:BatchDeleteImage", + "ecr:CompleteLayerUpload", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart", + ] + Effect = "Allow" + Resource = [ + "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/ndr-pre-prod-app", + 
"arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/pre-prod-data-collection", + ] + Sid = "AllowAppAndOdsUpdate" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-extended-policy-virus-scanner" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ssm:CreateDocument", + "iam:TagRole", + "SNS:TagResource", + "cognito-idp:CreateUserPool", + "cognito-idp:TagResource", + "cognito-idp:SetUserPoolMfaConfig", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:DeleteInstanceProfile", + "cloudformation:CreateResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:CreateGroup", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:AdminAddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:DeleteFunctionConcurrency", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "lambda:InvokeFunction", + "lambda:UpdateFunctionCode", + "lambda:UpdateFunctionConfiguration", + "kms:CreateGrant", + "kms:Decrypt", + "kms:Encrypt", + "kms:TagResource", + "kms:UntagResource", + "s3:PutObject", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${var.aws_account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "mtls-gateway" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = 
"VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:GetGroupQuery", + "backup:TagResource", + "sns:TagResource", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "logs:UntagResource", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "logs:TagResource", + "events:TagResource", + "resource-groups:DeleteGroup", + 
"elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "iam:UntagInstanceProfile", + "events:UntagResource", + "iam:TagInstanceProfile", + ] + Effect = "Allow" + Resource = [ + "arn:aws:events:*:${var.aws_account_id}:event-bus/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", + "arn:aws:lambda:*:${var.aws_account_id}:function:*", + "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", + "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", + "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", + "arn:aws:iam::${var.aws_account_id}:policy/*", + "arn:aws:iam::${var.aws_account_id}:instance-profile/*", + "arn:aws:iam::${var.aws_account_id}:role/*", + "arn:aws:sns:*:${var.aws_account_id}:*", + 
"arn:aws:logs:*:${var.aws_account_id}:log-group:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery-source:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery:*", + "arn:aws:logs:*:${var.aws_account_id}:destination:*", + "arn:aws:logs:*:${var.aws_account_id}:delivery-destination:*", + "arn:aws:logs:*:${var.aws_account_id}:anomaly-detector:*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "AllowIdentityPool" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "AllowAppMonitor" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "AllowRumServiceLogs" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "AllowRumServiceAllLogs" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "scheduler_policy" + 
policy = jsonencode( + { + Statement = [ + { + Action = "scheduler:DeleteSchedule" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step_functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "arn:aws:states:eu-west-2:${var.aws_account_id}:stateMachine:*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } } # aws_iam_policy.github_actions_policy_pre-prod[0]: resource "aws_iam_policy" "github_actions_policy_pre-prod" { - count = var.environment == "pre-prod" ? 1 : 0 - description = null - name = "github-actions-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "pre-prod" ? 1 : 0 + description = null + name = "github-actions-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:GetItem", - "dynamodb:ListTagsOfResource", - "dynamodb:PutItem", - "dynamodb:TagResource", - "dynamodb:UpdateTimeToLive", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDefaultVpc", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteRoute", - 
"ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - "ecr:DeleteRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetLifecyclePolicy", - "ecr:GetRepositoryPolicy", - "ecr:ListTagsForResource", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:SetSecurityGroups", - "events:PutRule", - "events:PutTargets", - "iam:AttachRolePolicy", - 
"iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "kms:RetireGrant", - "lambda:AddPermission", - "lambda:CreateEventSourceMapping", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:GetPolicy", - "lambda:RemovePermission", - "logs:CreateLogGroup", - "logs:DeleteLogGroup", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketOwnershipControls", - "s3:PutBucketPolicy", - "s3:PutBucketTagging", - "s3:PutLifecycleConfiguration", - "s3:PutObject", - "secretsmanager:DeleteSecret", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:ListQueues", - "sqs:createqueue", - "sqs:setqueueattributes", - 
"ssm:AddTagsToResource", - "ssm:DeleteParameter", - "ssm:PutParameter", - "events:RemoveTargets", - "wafv2:CreateRegexPatternSet", - "wafv2:TagResource", - "wafv2:CreateWebACL", - "wafv2:AssociateWebACL", - "elasticloadbalancing:SetWebACL", - "events:DeleteRule", - "wafv2:DeleteRegexPatternSet", - "wafv2:DeleteWebACL", - "s3:PutIntelligentTieringConfiguration", - "ecs:UntagResource", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionCode", - "sqs:tagqueue", - "kms:TagResource", - "wafv2:UpdateWebACL", - "dynamodb:UpdateTable", - "kms:CreateKey", - "dynamodb:UpdateContinuousBackups", - "backup:CreateBackupVault", - "application-autoscaling:RegisterScalableTarget", - "application-autoscaling:TagResource", - "s3:PutBucketVersioning", - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:ScheduleKeyDeletion", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:UntagResource", - "application-autoscaling:ListTagsForResource", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cloudwatch:ListTagsForResource", - "backup-storage:MountCapsule", - "backup:CreateBackupPlan", - "lambda:PutFunctionConcurrency", - "backup:CreateBackupSelection", - "backup:UpdateBackupPlan", - "backup:DescribeBackupJob", - "backup:ListTags", - "backup:TagResource", - "backup:DeleteBackupVault", - "backup:DeleteBackupSelection", - "iam:UpdateRoleDescription", - "logs:PutMetricFilter", - "ec2:AllocateAddress", - "ec2:CreateNatGateway", - "scheduler:CreateSchedule", - "scheduler:UpdateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags 
= {} - tags_all = {} + Action = [ + "apigateway:DELETE", + "apigateway:PATCH", + "apigateway:POST", + "apigateway:PUT", + "cloudwatch:DeleteAlarms", + "cloudwatch:PutMetricAlarm", + "dynamodb:CreateTable", + "dynamodb:DeleteItem", + "dynamodb:DeleteTable", + "dynamodb:DescribeContinuousBackups", + "dynamodb:DescribeTable", + "dynamodb:DescribeTimeToLive", + "dynamodb:GetItem", + "dynamodb:ListTagsOfResource", + "dynamodb:PutItem", + "dynamodb:TagResource", + "dynamodb:UpdateTimeToLive", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateDefaultVpc", + "ec2:CreateInternetGateway", + "ec2:CreateRoute", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:CreateVpcEndpoint", + "ec2:DeleteInternetGateway", + "ec2:DeleteRoute", + "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", + "ec2:DeleteSubnet", + "ec2:DeleteVpc", + "ec2:DeleteVpcEndpoints", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribePrefixLists", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroupRules", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcs", + "ec2:DetachInternetGateway", + "ec2:DisassociateRouteTable", + "ec2:ModifyVpcAttribute", + "ec2:ModifyVpcEndpoint", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ecr:CreateRepository", + "ecr:DeleteLifecyclePolicy", + "ecr:DeleteRepository", + "ecr:DeleteRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:GetAuthorizationToken", + "ecr:GetLifecyclePolicy", + "ecr:GetRepositoryPolicy", + "ecr:ListTagsForResource", + "ecr:PutLifecyclePolicy", + "ecr:SetRepositoryPolicy", + "ecr:TagResource", + "ecs:CreateCluster", + "ecs:CreateService", + "ecs:DeleteCluster", + "ecs:DeleteService", + "ecs:DeregisterTaskDefinition", + "ecs:DescribeClusters", + 
"ecs:DescribeServices", + "ecs:DescribeTaskDefinition", + "ecs:RegisterTaskDefinition", + "ecs:UpdateService", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:SetSecurityGroups", + "events:PutRule", + "events:PutTargets", + "iam:AttachRolePolicy", + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:CreateRole", + "iam:DeletePolicy", + "iam:DeletePolicyVersion", + "iam:DeleteRole", + "iam:DeleteRolePolicy", + "iam:DetachRolePolicy", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PassRole", + "iam:PutRolePolicy", + "kms:RetireGrant", + "lambda:AddPermission", + "lambda:CreateEventSourceMapping", + "lambda:DeleteEventSourceMapping", + "lambda:DeleteFunction", + "lambda:GetPolicy", + "lambda:RemovePermission", + "logs:CreateLogGroup", + "logs:DeleteLogGroup", + "logs:DescribeLogGroups", + "logs:ListTagsLogGroup", + "route53:AssociateVPCWithHostedZone", + "route53:ChangeResourceRecordSets", + "route53:GetChange", + "route53:GetHostedZone", + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource", + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:DeleteBucketPolicy", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersion", + 
"s3:DeleteObjectVersionTagging", + "s3:GetAccelerateConfiguration", + "s3:GetBucketAcl", + "s3:GetBucketCORS", + "s3:GetBucketLogging", + "s3:GetBucketObjectLockConfiguration", + "s3:GetBucketOwnershipControls", + "s3:GetBucketPolicy", + "s3:GetBucketRequestPayment", + "s3:GetBucketTagging", + "s3:GetBucketVersioning", + "s3:GetBucketWebsite", + "s3:GetEncryptionConfiguration", + "s3:GetLifecycleConfiguration", + "s3:GetObject", + "s3:GetReplicationConfiguration", + "s3:ListBucket", + "s3:PutBucketAcl", + "s3:PutBucketCORS", + "s3:PutBucketOwnershipControls", + "s3:PutBucketPolicy", + "s3:PutBucketTagging", + "s3:PutLifecycleConfiguration", + "s3:PutObject", + "secretsmanager:DeleteSecret", + "sns:CreateTopic", + "sns:DeleteTopic", + "sns:SetTopicAttributes", + "sns:Subscribe", + "sns:Unsubscribe", + "sqs:DeleteMessage", + "sqs:DeleteQueue", + "sqs:ListQueues", + "sqs:createqueue", + "sqs:setqueueattributes", + "ssm:AddTagsToResource", + "ssm:DeleteParameter", + "ssm:PutParameter", + "events:RemoveTargets", + "wafv2:CreateRegexPatternSet", + "wafv2:TagResource", + "wafv2:CreateWebACL", + "wafv2:AssociateWebACL", + "elasticloadbalancing:SetWebACL", + "events:DeleteRule", + "wafv2:DeleteRegexPatternSet", + "wafv2:DeleteWebACL", + "s3:PutIntelligentTieringConfiguration", + "ecs:UntagResource", + "lambda:UpdateFunctionConfiguration", + "lambda:UpdateFunctionCode", + "sqs:tagqueue", + "kms:TagResource", + "wafv2:UpdateWebACL", + "dynamodb:UpdateTable", + "kms:CreateKey", + "dynamodb:UpdateContinuousBackups", + "backup:CreateBackupVault", + "application-autoscaling:RegisterScalableTarget", + "application-autoscaling:TagResource", + "s3:PutBucketVersioning", + "kms:CreateAlias", + "kms:DeleteAlias", + "kms:DescribeKey", + "kms:EnableKeyRotation", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListKeys", + "kms:ListResourceTags", + "kms:PutKeyPolicy", + "kms:UntagResource", + "kms:UpdateAlias", + "kms:UpdateKeyDescription", + 
"kms:ScheduleKeyDeletion", + "application-autoscaling:PutScalingPolicy", + "application-autoscaling:DeleteScalingPolicy", + "application-autoscaling:DeregisterScalableTarget", + "application-autoscaling:UntagResource", + "application-autoscaling:ListTagsForResource", + "cloudwatch:TagResource", + "cloudwatch:UntagResource", + "cloudwatch:ListTagsForResource", + "backup-storage:MountCapsule", + "backup:CreateBackupPlan", + "lambda:PutFunctionConcurrency", + "backup:CreateBackupSelection", + "backup:UpdateBackupPlan", + "backup:DescribeBackupJob", + "backup:ListTags", + "backup:TagResource", + "backup:DeleteBackupVault", + "backup:DeleteBackupSelection", + "iam:UpdateRoleDescription", + "logs:PutMetricFilter", + "ec2:AllocateAddress", + "ec2:CreateNatGateway", + "scheduler:CreateSchedule", + "scheduler:UpdateSchedule", + ] + Effect = "Allow" + Resource = "*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.github_extended_policy_1_pre-prod[0]: resource "aws_iam_policy" "github_extended_policy_1_pre-prod" { - count = var.environment == "pre-prod" ? 1 : 0 - description = "more required items for GitHub access" - name = "github-extended-policy-1" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "pre-prod" ? 
1 : 0 + description = "more required items for GitHub access" + name = "github-extended-policy-1" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "appconfig:StartDeployment", - "elasticloadbalancing:ModifyListener", - "appconfig:TagResource", - "appconfig:CreateDeploymentStrategy", - "lambda:ListLayers", - "ecs:TagResource", - "appconfig:DeleteHostedConfigurationVersion", - "lambda:PublishVersion", - "dynamodb:UpdateTable", - "ec2:DisassociateAddress", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "lambda:RemoveLayerVersionPermission", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "logs:DeleteMetricFilter", - "apigateway:SetWebACL", - "ec2:DescribeAvailabilityZones", - "backup:CreateBackupSelection", - "kms:CreateKey", - "ec2:ReleaseAddress", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "lambda:UpdateEventSourceMapping", - "backup:DeleteBackupVault", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "elasticloadbalancing:DeleteTargetGroup", - "appconfig:CreateEnvironment", - "backup:DescribeBackupVault", - "events:DeleteRule", - "iam:CreateServiceLinkedRole", - "appconfig:DeleteDeploymentStrategy", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "appconfig:CreateApplication", - "ec2:AssociateRouteTable", - "ec2:DescribeInternetGateways", - "elasticloadbalancing:DeleteLoadBalancer", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "lambda:ListLayerVersions", - "ec2:DescribeRouteTables", - "elasticloadbalancing:ModifyTargetGroupAttributes", - 
"application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "ec2:CreateRouteTable", - "route53:ChangeResourceRecordSets", - "lambda:AddLayerVersionPermission", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:PutMetricFilter", - "ec2:DescribeSecurityGroupRules", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "s3:PutBucketLogging", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "appconfig:CreateConfigurationProfile", - "route53:GetChange", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "ses:VerifyDomainDkim", - "lambda:CreateEventSourceMapping", - "lambda:GetLayerVersionPolicy", - "kms:TagResource", - "dynamodb:TagResource", - "elasticloadbalancing:DescribeListeners", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "appconfig:CreateHostedConfigurationVersion", - "lambda:DeleteLayerVersion", - "application-autoscaling:ListTagsForResource", - "kms:DescribeKey", - "ec2:ModifyVpcAttribute", - "ecs:UntagResource", - "ecr:DeleteRepositoryPolicy", - "s3:GetBucketPublicAccessBlock", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "s3:PutBucketPublicAccessBlock", - "logs:DescribeLogGroups", - "kms:UpdateKeyDescription", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "lambda:DeleteFunctionConcurrency", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "s3:PutBucketNotification", - "iam:UpdateAssumeRolePolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = 
"2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "appconfig:StartDeployment", + "elasticloadbalancing:ModifyListener", + "appconfig:TagResource", + "appconfig:CreateDeploymentStrategy", + "lambda:ListLayers", + "ecs:TagResource", + "appconfig:DeleteHostedConfigurationVersion", + "lambda:PublishVersion", + "dynamodb:UpdateTable", + "ec2:DisassociateAddress", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "lambda:RemoveLayerVersionPermission", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "logs:DeleteMetricFilter", + "apigateway:SetWebACL", + "ec2:DescribeAvailabilityZones", + "backup:CreateBackupSelection", + "kms:CreateKey", + "ec2:ReleaseAddress", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "lambda:UpdateEventSourceMapping", + "backup:DeleteBackupVault", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "elasticloadbalancing:DeleteTargetGroup", + "appconfig:CreateEnvironment", + "backup:DescribeBackupVault", + "events:DeleteRule", + "iam:CreateServiceLinkedRole", + "appconfig:DeleteDeploymentStrategy", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "appconfig:CreateApplication", + "ec2:AssociateRouteTable", + "ec2:DescribeInternetGateways", + "elasticloadbalancing:DeleteLoadBalancer", + "backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "lambda:ListLayerVersions", + "ec2:DescribeRouteTables", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "ec2:CreateRouteTable", + "route53:ChangeResourceRecordSets", + 
"lambda:AddLayerVersionPermission", + "ec2:DetachInternetGateway", + "logs:CreateLogGroup", + "ecr:DeleteLifecyclePolicy", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:PutMetricFilter", + "ec2:DescribeSecurityGroupRules", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "s3:PutBucketLogging", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "appconfig:CreateConfigurationProfile", + "route53:GetChange", + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "ses:VerifyDomainDkim", + "lambda:CreateEventSourceMapping", + "lambda:GetLayerVersionPolicy", + "kms:TagResource", + "dynamodb:TagResource", + "elasticloadbalancing:DescribeListeners", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "appconfig:CreateHostedConfigurationVersion", + "lambda:DeleteLayerVersion", + "application-autoscaling:ListTagsForResource", + "kms:DescribeKey", + "ec2:ModifyVpcAttribute", + "ecs:UntagResource", + "ecr:DeleteRepositoryPolicy", + "s3:GetBucketPublicAccessBlock", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "s3:PutBucketPublicAccessBlock", + "logs:DescribeLogGroups", + "kms:UpdateKeyDescription", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "lambda:DeleteFunctionConcurrency", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "s3:PutBucketNotification", + "iam:UpdateAssumeRolePolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf index 26570ccb9..08468f23d 100644 
--- a/pre_core/iam_github_test.tf
+++ b/pre_core/iam_github_test.tf
@@ -1,719 +1,719 @@ # aws_iam_role.github_role_test[0]: resource "aws_iam_role" "github_role_test" { - count = var.environment == "test" ? 1 : 0 - assume_role_policy = jsonencode( + count = var.environment == "test" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - ] - Version = "2012-10-17" - } - ) - description = "This role is for the deployment of infrastructure and code from GitHub" - force_detach_policies = false - managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy-2", - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "github-action-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} - - inline_policy { - name = "cloudfront_policies" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:DeleteOriginRequestPolicy", - "cloudfront:UpdateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - 
] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:694282683086:event-bus/*", - "arn:aws:events:*:694282683086:rule/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - 
"arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:lambda:*:694282683086:event-source-mapping:*", - "arn:aws:lambda:*:694282683086:code-signing-config:*", - "arn:aws:lambda:*:694282683086:function:*", - "arn:aws:cognito-identity:*:694282683086:identitypool/*", - "arn:aws:resource-groups:*:694282683086:group/*", - "arn:aws:backup:*:694282683086:backup-plan:*", - "arn:aws:backup:*:694282683086:report-plan:*-*", - "arn:aws:backup:*:694282683086:restore-testing-plan:*-*", - "arn:aws:backup:*:694282683086:backup-vault:*", - "arn:aws:backup:*:694282683086:legal-hold:*", - "arn:aws:backup:*:694282683086:framework:*-*", - "arn:aws:iam::694282683086:policy/*", - "arn:aws:iam::694282683086:instance-profile/*", - "arn:aws:iam::694282683086:role/*", - "arn:aws:sns:*:694282683086:*", - "arn:aws:logs:*:694282683086:log-group:*", - "arn:aws:logs:*:694282683086:delivery-source:*", - "arn:aws:logs:*:694282683086:delivery:*", - "arn:aws:logs:*:694282683086:destination:*", - "arn:aws:logs:*:694282683086:delivery-destination:*", - "arn:aws:logs:*:694282683086:anomaly-detector:*", - "*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - 
"arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:events:*:694282683086:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ 
- "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "scheduler-policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "scheduler:TagResource", - "scheduler:CreateSchedule", - "scheduler:UntagResource", - "scheduler:DeleteSchedule", - "scheduler:UpdateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } - ) - } - inline_policy { - name = "virus-scan-cognito" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-idp:TagResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:CreateGroup", - "cognito-idp:CreateUserPool", - "cognito-idp:SetUserPoolMfaConfig", - "cognito-idp:AdminAddUserToGroup", - "cloudformation:CreateResource", - "cloudformation:DeleteResource", - "cognito-idp:DeleteGroup", - "appconfig:DeleteEnvironment", - "appconfig:DeleteConfigurationProfile", - "iam:RemoveRoleFromInstanceProfile", - "cognito-idp:DeleteUserPoolClient", - 
"cognito-idp:AdminRemoveUserFromGroup", - "cognito-idp:AdminDeleteUser", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] } - ) + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + ] + Version = "2012-10-17" } + ) + description = "This role is for the deployment of infrastructure and code from GitHub" + force_detach_policies = false + managed_policy_arns = [ + "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy", + "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy-2", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "github-action-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudfront_policies" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:CreateOriginRequestPolicy", + "cloudfront:DeleteOriginRequestPolicy", + "cloudfront:UpdateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + 
"logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:GetGroupQuery", + "backup:TagResource", + "sns:TagResource", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "logs:UntagResource", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "logs:TagResource", + "events:TagResource", + "resource-groups:DeleteGroup", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "iam:UntagInstanceProfile", + "events:UntagResource", + "iam:TagInstanceProfile", + ] + Effect = "Allow" + Resource = [ + "arn:aws:events:*:694282683086:event-bus/*", + "arn:aws:events:*:694282683086:rule/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + 
"arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:lambda:*:694282683086:event-source-mapping:*", + "arn:aws:lambda:*:694282683086:code-signing-config:*", + "arn:aws:lambda:*:694282683086:function:*", + "arn:aws:cognito-identity:*:694282683086:identitypool/*", + "arn:aws:resource-groups:*:694282683086:group/*", + "arn:aws:backup:*:694282683086:backup-plan:*", + "arn:aws:backup:*:694282683086:report-plan:*-*", + "arn:aws:backup:*:694282683086:restore-testing-plan:*-*", + "arn:aws:backup:*:694282683086:backup-vault:*", + "arn:aws:backup:*:694282683086:legal-hold:*", + "arn:aws:backup:*:694282683086:framework:*-*", + "arn:aws:iam::694282683086:policy/*", + "arn:aws:iam::694282683086:instance-profile/*", + "arn:aws:iam::694282683086:role/*", + "arn:aws:sns:*:694282683086:*", + "arn:aws:logs:*:694282683086:log-group:*", + "arn:aws:logs:*:694282683086:delivery-source:*", + "arn:aws:logs:*:694282683086:delivery:*", + "arn:aws:logs:*:694282683086:destination:*", + "arn:aws:logs:*:694282683086:delivery-destination:*", + "arn:aws:logs:*:694282683086:anomaly-detector:*", + "*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + 
"arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + "arn:aws:events:*:694282683086:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect 
= "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "scheduler-policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "scheduler:TagResource", + "scheduler:CreateSchedule", + "scheduler:UntagResource", + "scheduler:DeleteSchedule", + "scheduler:UpdateSchedule", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "virus-scan-cognito" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-idp:TagResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:CreateGroup", + "cognito-idp:CreateUserPool", + "cognito-idp:SetUserPoolMfaConfig", + "cognito-idp:AdminAddUserToGroup", + "cloudformation:CreateResource", + "cloudformation:DeleteResource", + "cognito-idp:DeleteGroup", + "appconfig:DeleteEnvironment", + "appconfig:DeleteConfigurationProfile", + "iam:RemoveRoleFromInstanceProfile", + "cognito-idp:DeleteUserPoolClient", + "cognito-idp:AdminRemoveUserFromGroup", + "cognito-idp:AdminDeleteUser", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } } # aws_iam_policy.github_action_policy_test[0]: resource "aws_iam_policy" "github_action_policy_test" { - count = var.environment == "test" ? 
1 : 0 - description = null - name = "github-action-policy" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "test" ? 1 : 0 + description = null + name = "github-action-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "elasticloadbalancing:CreateLoadBalancer", - "lambda:UpdateEventSourceMapping", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "elasticloadbalancing:DescribeLoadBalancers", - "ecs:UpdateService", - "ssm:DeleteParameter", - "kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - 
"route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "elasticloadbalancing:CreateListener", - "ecs:CreateService", - "kms:ScheduleKeyDeletion", - "ecs:DescribeServices", - "ecr:DescribeRepositories", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "events:PutTargets", - "kms:ListKeys", - "lambda:AddPermission", - "ec2:DeleteSecurityGroup", - "ecr:SetRepositoryPolicy", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "sqs:DeleteMessage", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "ec2:RevokeSecurityGroupIngress", - "dynamodb:CreateTable", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - 
"backup:CreateBackupSelection", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "backup:DeleteBackupVault", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "iam:CreateRole", - "sns:Unsubscribe", - "iam:AttachRolePolicy", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "iam:DetachRolePolicy", - "backup:DeleteBackupSelection", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "ec2:CreateRouteTable", - "route53:ChangeResourceRecordSets", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "ssm:PutParameter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "application-autoscaling:ListTagsForResource", - "kms:DescribeKey", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "logs:DescribeLogGroups", - "kms:UpdateKeyDescription", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - 
"cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "iam:DeletePolicyVersion", - "lambda:GetPolicy", - "ecr:GetRepositoryPolicy", - "ec2:AllocateAddress", - "ec2:ReleaseAddress", - "ec2:DisassociateAddress", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "ses:VerifyDomainIdentity", - "ses:VerifyDomainDkim", - "ses:DeleteIdentity", - "ses:SetIdentityMailFromDomain", - "dynamodb:UpdateTable", - "elasticloadbalancing:ModifyListener", - "lambda:GetLayerVersion", - "iam:CreatePolicyVersion", - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "s3:PutObject", - "iam:ListRoles", - "lambda:UpdateFunctionCode", - "lambda:CreateFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = [ - "*", - ] - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + 
"ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + "ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "sqs:createqueue", + "iam:DeleteRolePolicy", + "application-autoscaling:TagResource", + "elasticloadbalancing:CreateLoadBalancer", + "lambda:UpdateEventSourceMapping", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "elasticloadbalancing:DescribeLoadBalancers", + "ecs:UpdateService", + "ssm:DeleteParameter", + "kms:GetKeyRotationStatus", + "dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + "ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "elasticloadbalancing:CreateListener", + "ecs:CreateService", + "kms:ScheduleKeyDeletion", + "ecs:DescribeServices", + "ecr:DescribeRepositories", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "events:PutTargets", + "kms:ListKeys", + "lambda:AddPermission", + "ec2:DeleteSecurityGroup", + "ecr:SetRepositoryPolicy", + "application-autoscaling:DeregisterScalableTarget", + "backup:DeleteBackupPlan", + "sqs:DeleteMessage", + "cloudwatch:DeleteAlarms", + 
"secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "ec2:RevokeSecurityGroupIngress", + "dynamodb:CreateTable", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + "ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "backup:CreateBackupSelection", + "ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "backup:DeleteBackupVault", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "iam:CreateRole", + "sns:Unsubscribe", + "iam:AttachRolePolicy", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + "iam:DetachRolePolicy", + "backup:DeleteBackupSelection", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "ec2:CreateRouteTable", + "route53:ChangeResourceRecordSets", + "ec2:DetachInternetGateway", + 
"logs:CreateLogGroup", + "ecr:DeleteLifecyclePolicy", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "ssm:PutParameter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "application-autoscaling:ListTagsForResource", + "kms:DescribeKey", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "logs:DescribeLogGroups", + "kms:UpdateKeyDescription", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "iam:DeletePolicyVersion", + "lambda:GetPolicy", + "ecr:GetRepositoryPolicy", + "ec2:AllocateAddress", + "ec2:ReleaseAddress", + "ec2:DisassociateAddress", + "logs:PutMetricFilter", + "logs:DeleteMetricFilter", + "ses:VerifyDomainIdentity", + "ses:VerifyDomainDkim", + "ses:DeleteIdentity", + "ses:SetIdentityMailFromDomain", + "dynamodb:UpdateTable", + "elasticloadbalancing:ModifyListener", + "lambda:GetLayerVersion", + "iam:CreatePolicyVersion", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "s3:PutObject", + "iam:ListRoles", + "lambda:UpdateFunctionCode", + "lambda:CreateFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "appconfig:ListTagsForResource", + "appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + 
"ecr:PutImage", + ] + Effect = "Allow" + Resource = [ + "*", + ] + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } # aws_iam_policy.github_action_policy_2_test[0]: resource "aws_iam_policy" "github_action_policy_2_test" { - count = var.environment == "test" ? 1 : 0 - description = null - name = "github-action-policy-2" - name_prefix = null - path = "/" - policy = jsonencode( + count = var.environment == "test" ? 1 : 0 + description = null + name = "github-action-policy-2" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "acm:AddTagsToCertificate", - "ecs:PutClusterCapacityProviders", - "backup:ListRecoveryPointsByBackupVault", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - 
"appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - "lambda:DeleteFunctionConcurrency", - "lambda:PublishVersion", - "iam:CreateServiceLinkedRole", - "iam:UpdateAssumeRolePolicy", - "elasticloadbalancing:ModifyListenerAttributes", - "apigateway:SetWebACL", - "backup:ListRecoveryPointsByBackupVault", - "iam:UpdateAssumeRolePolicy", - "iam:TagRole", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:TagPolicy", - "ssm:CreateDocument", - "ssm:DeleteDocument", - "sns:TagResource", - "ec2:DeleteNetworkInterface", - "resource-groups:DeleteGroup", - "events:TagResource", - "kms:Encrypt", - "kms:CreateGrant", - ] - Effect = "Allow" - Resource = [ - "*", - ] - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} + Action = [ + "acm:RequestCertificate", + "acm:AddTagsToCertificate", + "ecs:PutClusterCapacityProviders", + "backup:ListRecoveryPointsByBackupVault", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + 
"appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + "lambda:DeleteFunctionConcurrency", + "lambda:PublishVersion", + "iam:CreateServiceLinkedRole", + "iam:UpdateAssumeRolePolicy", + "elasticloadbalancing:ModifyListenerAttributes", + "apigateway:SetWebACL", + "backup:ListRecoveryPointsByBackupVault", + "iam:UpdateAssumeRolePolicy", + "iam:TagRole", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:TagPolicy", + "ssm:CreateDocument", + "ssm:DeleteDocument", + "sns:TagResource", + "ec2:DeleteNetworkInterface", + "resource-groups:DeleteGroup", + "events:TagResource", + "kms:Encrypt", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "*", + ] + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} } From 20acd57bdf2602b5fbef40eb596a4124a33879f7 Mon Sep 17 00:00:00 2001 
From: Tim Knight Date: Wed, 10 Dec 2025 11:03:09 +0000 Subject: [PATCH 03/48] [ndr-297] improved temp file handling --- pre_core/Makefile | 2 +- pre_core/policy_tool.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pre_core/Makefile b/pre_core/Makefile index f7571247e..a6f787d8a 100644 --- a/pre_core/Makefile +++ b/pre_core/Makefile @@ -32,7 +32,7 @@ plan: guard-aws_account_id guard-env import-github-policies: guard-aws_account_id guard-env guard-role python policy_tool.py import ${aws_account_id} ${env} ${role} - rm dummy_import_${env}.tf + rm -f dummy_import_${env}.tf generate-tf-file: guard-aws_account_id guard-env guard-role python policy_tool.py generate-tf-file ${aws_account_id} ${env} ${role} diff --git a/pre_core/policy_tool.py b/pre_core/policy_tool.py index d70f6abd4..7ac3c7b5e 100644 --- a/pre_core/policy_tool.py +++ b/pre_core/policy_tool.py @@ -88,7 +88,8 @@ def generate_tf_file(aws_account_id, env, role_name, policy_names): print("Importing policies...") policy_names = get_policy_names(env, role_name) print(policy_names) - create_dummy_resources(env, policy_names) + if not os.path.exists(f"dummy_import_{env}.tf") and not os.path.exists(f"iam_github_{env}.tf"): + create_dummy_resources(env, policy_names) import_resources(aws_account_id, env, role_name, policy_names) if command == "generate-tf-file": From 8d0a92f21db3af61e587b6c2d720df4842a8b21d Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 10 Dec 2025 11:32:16 +0000 Subject: [PATCH 04/48] [ndr-297] Added proper references to policy resources --- pre_core/iam_github_dev.tf | 20 +++++++++----------- pre_core/iam_github_pre-prod.tf | 6 ++---- pre_core/iam_github_test.tf | 6 ++---- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 6cdd7d86b..d2e799026 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf 
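Review bot: The new guard before `create_dummy_resources` reuses an existing `dummy_import_{env}.tf` keyed on `env` alone, while the import that follows is per `role_name`, so a dummy file left over from a run for a different role is reused without regeneration; the Makefile's `rm -f dummy_import_${env}.tf` in the same series only runs if the preceding `python policy_tool.py import` step succeeds, which is exactly when a stale file would be left behind. The skip is also silent — an `else` branch with `print(f"Reusing existing dummy_import_{env}.tf or iam_github_{env}.tf; skipping dummy resource generation")` would make a reused file visible in the run output. `os` is not imported anywhere in this hunk; if policy_tool.py does not already import it, the new check raises `NameError` on the first run. The enclosing `if command == "import"` run (inferred from the `if command == "generate-tf-file":` context line) starts outside the hunk.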
@@ -36,15 +36,15 @@ resource "aws_iam_role" "github_role_dev" { description = "This role is to provide access for GitHub actions to the development environment. " force_detach_policies = false managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/config-policy", - "arn:aws:iam::${var.aws_account_id}:policy/ecr-github-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github_actions_terraform_full", - "arn:aws:iam::${var.aws_account_id}:policy/github_mtls_gateway", - "arn:aws:iam::${var.aws_account_id}:policy/github_terraform_tagging_policy", - "arn:aws:iam::${var.aws_account_id}:policy/lambda-github-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/repo_app_config", - "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-dynamodb-access-policy", - "arn:aws:iam::${var.aws_account_id}:policy/terraform-github-s3-access-policy", + aws_iam_policy.config_policy_dev[0].arn, + aws_iam_policy.ecr_github_access_policy_dev[0].arn, + aws_iam_policy.github_actions_terraform_full_dev[0].arn, + aws_iam_policy.github_mtls_gateway_dev[0].arn, + aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, + aws_iam_policy.lambda_github_access_policy_dev[0].arn, + aws_iam_policy.repo_app_config_dev[0].arn, + aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, + aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, "arn:aws:iam::aws:policy/ReadOnlyAccess", ] max_session_duration = 3600 @@ -953,5 +953,3 @@ resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { tags = {} tags_all = {} } - - diff --git a/pre_core/iam_github_pre-prod.tf b/pre_core/iam_github_pre-prod.tf index 9b701afd2..f8c863241 100644 --- a/pre_core/iam_github_pre-prod.tf +++ b/pre_core/iam_github_pre-prod.tf 
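Review bot: The `aws_iam_policy.<name>_dev[0].arn` references rely on every referenced policy sharing the role's `count = var.environment == "dev" ? 1 : 0` condition; if any policy's condition ever diverges, the `[0]` index fails at plan time on an empty tuple, and nothing in the list documents that coupling. A comment above the list, `# [0] is safe only because every policy below is gated on the same var.environment condition as this role`, would make the invariant explicit. Note also that `managed_policy_arns` (like the `inline_policy` blocks elsewhere in these files) is deprecated in recent AWS provider 5.x releases in favour of `aws_iam_role_policy_attachment` / `aws_iam_role_policy_attachments_exclusive`, so if the provider constraint in terraform.tf allows those versions, expect deprecation warnings; the same change appears in the pre-prod and test hunks that follow. The enclosing `aws_iam_role` block starts and ends outside the hunk.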
@@ -36,8 +36,8 @@ resource "aws_iam_role" "github_role_pre-prod" { description = "This role is to provide access for GitHub actions to the pre-prod environment. " force_detach_policies = false managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/github-actions-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github-extended-policy-1", + aws_iam_policy.github_actions_policy_pre-prod[0].arn, + aws_iam_policy.github_extended_policy_1_pre-prod[0].arn, "arn:aws:iam::aws:policy/ReadOnlyAccess", ] max_session_duration = 3600 @@ -914,5 +914,3 @@ resource "aws_iam_policy" "github_extended_policy_1_pre-prod" { tags = {} tags_all = {} } - - diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf index 08468f23d..e332753be 100644 --- a/pre_core/iam_github_test.tf +++ b/pre_core/iam_github_test.tf @@ -29,8 +29,8 @@ resource "aws_iam_role" "github_role_test" { description = "This role is for the deployment of infrastructure and code from GitHub" force_detach_policies = false managed_policy_arns = [ - "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy", - "arn:aws:iam::${var.aws_account_id}:policy/github-action-policy-2", + aws_iam_policy.github_action_policy_test[0].arn, + aws_iam_policy.github_action_policy_2_test[0].arn, "arn:aws:iam::aws:policy/ReadOnlyAccess", ] max_session_duration = 3600 @@ -715,5 +715,3 @@ resource "aws_iam_policy" "github_action_policy_2_test" { tags = {} tags_all = {} } - - From 0777c696ad59a281f1acdd845cbe6cb79312ee25 Mon Sep 17 00:00:00 2001 
From: Tim Knight Date: Wed, 10 Dec 2025 14:12:17 +0000 Subject: [PATCH 05/48] [ndr-297] renaming tf ahead of refactor --- pre_core/iam_github_dev.tf | 20 +- pre_core/iam_github_dev.tf.org | 955 ++++++++++++++++++ ...pre-prod.tf => iam_github_pre-prod.tf.org} | 0 ..._github_test.tf => iam_github_test.tf.org} | 0 4 files changed, 965 insertions(+), 10 deletions(-) create mode 100644 pre_core/iam_github_dev.tf.org rename pre_core/{iam_github_pre-prod.tf => iam_github_pre-prod.tf.org} (100%) rename pre_core/{iam_github_test.tf => iam_github_test.tf.org} (100%) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index d2e799026..5ccab52da 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -48,7 +48,7 @@ resource "aws_iam_role" "github_role_dev" { "arn:aws:iam::aws:policy/ReadOnlyAccess", ] max_session_duration = 3600 - name = "github-actions-dev-role" + name = "github-role-${var.environment}" name_prefix = null path = "/" permissions_boundary = null @@ -273,7 +273,7 @@ resource "aws_iam_role" "github_role_dev" { resource "aws_iam_policy" "config_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = null - name = "config-policy" + name = "config-policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -306,7 +306,7 @@ resource "aws_iam_policy" "config_policy_dev" { resource "aws_iam_policy" "ecr_github_access_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = null - name = "ecr-github-access-policy" + name = "ecr-github-access-policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( 
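Review bot: Changing `name` on `aws_iam_role` and `aws_iam_policy` forces replacement, so every renamed resource here (the role at `@@ -48` plus the nine policies in the hunks at `@@ -273`, `-306`, `-339`, `-595`, `-669`, `-781`, `-829`, `-894` and `-924`) will be destroyed and recreated on the next apply, which means the resources the earlier commits in this series imported into state are replaced rather than kept. The role rename from `github-actions-dev-role` to `github-role-${var.environment}` also changes the ARN that GitHub Actions workflows assume through the OIDC trust, so any workflow `role-to-assume` value pointing at the old name breaks until it is updated; the commit message says "ahead of refactor" but does not record that cut-over, and a `# renamed from github-actions-dev-role; update workflow role-to-assume before apply` comment above `name` would. The new policy names also mix separators (`github_actions_terraform_full-${var.environment}` vs `config-policy-${var.environment}`), inherited from the originals but worth normalising while renaming anyway. The enclosing resource blocks start and end outside these hunks.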
@@ -339,7 +339,7 @@ resource "aws_iam_policy" "ecr_github_access_policy_dev" { resource "aws_iam_policy" "github_actions_terraform_full_dev" { count = var.environment == "dev" ? 1 : 0 description = "All permissions required for Terraform to do its thing." - name = "github_actions_terraform_full" + name = "github_actions_terraform_full-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -595,7 +595,7 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { resource "aws_iam_policy" "github_mtls_gateway_dev" { count = var.environment == "dev" ? 1 : 0 description = null - name = "github_mtls_gateway" + name = "github_mtls_gateway-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -669,7 +669,7 @@ resource "aws_iam_policy" "github_mtls_gateway_dev" { resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = null - name = "github_terraform_tagging_policy" + name = "github_terraform_tagging_policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -781,7 +781,7 @@ resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { resource "aws_iam_policy" "lambda_github_access_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = "These permissions allow GitHub to push to a Lambda function." - name = "lambda-github-access-policy" + name = "lambda-github-access-policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -829,7 +829,7 @@ resource "aws_iam_policy" "lambda_github_access_policy_dev" { resource "aws_iam_policy" "repo_app_config_dev" { count = var.environment == "dev" ? 1 : 0 description = null - name = "repo_app_config" + name = "repo_app_config-${var.environment}" name_prefix = null path = "/" policy = jsonencode( 
@@ -894,7 +894,7 @@ resource "aws_iam_policy" "repo_app_config_dev" { resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = "Dynamo DB specific access policies required by terraform via GitHub" - name = "terraform-github-dynamodb-access-policy" + name = "terraform-github-dynamodb-access-policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( @@ -924,7 +924,7 @@ resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { count = var.environment == "dev" ? 1 : 0 description = "S3 specific access policies required by terraform via GitHub" - name = "terraform-github-s3-access-policy" + name = "terraform-github-s3-access-policy-${var.environment}" name_prefix = null path = "/" policy = jsonencode( diff --git a/pre_core/iam_github_dev.tf.org b/pre_core/iam_github_dev.tf.org new file mode 100644 index 000000000..d2e799026 --- /dev/null +++ b/pre_core/iam_github_dev.tf.org 
@@ -0,0 +1,955 @@ +# aws_iam_role.github_role_dev[0]: +resource "aws_iam_role" "github_role_dev" { + count = var.environment == "dev" ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ + { + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] + } + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" + } + }, + ] + Version = "2012-10-17" + } + ) + description = "This role is to provide access for GitHub actions to the development environment. 
" + force_detach_policies = false + managed_policy_arns = [ + aws_iam_policy.config_policy_dev[0].arn, + aws_iam_policy.ecr_github_access_policy_dev[0].arn, + aws_iam_policy.github_actions_terraform_full_dev[0].arn, + aws_iam_policy.github_mtls_gateway_dev[0].arn, + aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, + aws_iam_policy.lambda_github_access_policy_dev[0].arn, + aws_iam_policy.repo_app_config_dev[0].arn, + aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, + aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "github-actions-dev-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} + + inline_policy { + name = "cloudtrail" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:StartLogging", + "cloudtrail:DeleteTrail", + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", + ] + Sid = "VisualEditor0" + }, + { + Action = "organizations:ListAWSServiceAccessForOrganization" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" + Sid = "Statement1" + }, + { + Action = [ + 
"logs:PutDeliverySource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", + ] + Sid = "Statement2" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-actions-waf-override" + policy = jsonencode( + { + Statement = [ + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda_layer_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + 
"logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step-functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } +} + + +# aws_iam_policy.config_policy_dev[0]: +resource "aws_iam_policy" "config_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = null + name = "config-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "config:DeleteDeliveryChannel", + "config:PutConfigurationRecorder", + "config:StopConfigurationRecorder", + "config:StartConfigurationRecorder", + "config:PutDeliveryChannel", + "config:DeleteConfigurationRecorder", + "config:DescribeConfigurationRecorderStatus", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.ecr_github_access_policy_dev[0]: +resource "aws_iam_policy" "ecr_github_access_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "ecr-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + ] + Effect = "Allow" + Resource = "arn:aws:ecr:eu-west-2:*:repository/*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_actions_terraform_full_dev[0]: +resource "aws_iam_policy" "github_actions_terraform_full_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "All permissions required for Terraform to do its thing." + name = "github_actions_terraform_full" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "scheduler:DeleteSchedule", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "dynamodb:BatchWriteItem", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "lambda:PublishVersion", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "dynamodb:UpdateTable", + "ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + "ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "logs:DeleteMetricFilter", + "sqs:createqueue", + "iam:DeleteRolePolicy", + 
"application-autoscaling:TagResource", + "ec2:ReleaseAddress", + "lambda:UpdateEventSourceMapping", + "elasticloadbalancing:CreateLoadBalancer", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "iam:CreateServiceLinkedRole", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:UpdateAssumeRolePolicy", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "ecs:UpdateService", + "elasticloadbalancing:DescribeLoadBalancers", + "ssm:DeleteParameter", + "cloudfront:*", + "kms:GetKeyRotationStatus", + "dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + "ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "ses:VerifyDomainDkim", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "ecs:CreateService", + "elasticloadbalancing:CreateListener", + "kms:ScheduleKeyDeletion", + "ecr:DescribeRepositories", + "ecs:DescribeServices", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "kms:ListKeys", + "events:PutTargets", + "lambda:AddPermission", + "ecr:SetRepositoryPolicy", + "ec2:DeleteSecurityGroup", + "application-autoscaling:DeregisterScalableTarget", + "backup:DeleteBackupPlan", + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "sqs:DeleteMessage", + "elasticloadbalancing:ModifyListener", + 
"cloudwatch:DeleteAlarms", + "secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "dynamodb:CreateTable", + "ec2:RevokeSecurityGroupIngress", + "lambda:UpdateFunctionCode", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + "ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "ec2:DisassociateAddress", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "apigateway:SetWebACL", + "backup:CreateBackupSelection", + "scheduler:UpdateSchedule", + "ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "backup:DeleteBackupVault", + "lambda:UpdateFunctionConfiguration", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "lambda:EnableReplication", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + "backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + 
"elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "route53:ChangeResourceRecordSets", + "ec2:CreateRouteTable", + "ec2:DetachInternetGateway", + "ecr:DeleteLifecyclePolicy", + "logs:CreateLogGroup", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "ec2:DeleteTags", + "lambda:GetLayerVersion", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "kms:DescribeKey", + "application-autoscaling:ListTagsForResource", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "kms:UpdateKeyDescription", + "logs:DescribeLogGroups", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "scheduler:CreateSchedule", + "logs:PutRetentionPolicy", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "cognito-idp:*", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_mtls_gateway_dev[0]: +resource "aws_iam_policy" "github_mtls_gateway_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "github_mtls_gateway" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.github_terraform_tagging_policy_dev[0]: +resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "github_terraform_tagging_policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.aws_account_id}:function:*", + "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", + "arn:aws:iam::${var.aws_account_id}:role/*", + "arn:aws:iam::${var.aws_account_id}:policy/*", + "arn:aws:sns:*:${var.aws_account_id}:*", + "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", + "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", + "arn:aws:events:*:${var.aws_account_id}:event-bus/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${var.aws_account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = 
"2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.lambda_github_access_policy_dev[0]: +resource "aws_iam_policy" "lambda_github_access_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "These permissions allow GitHub to push to a Lambda function." + name = "lambda-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "s3:PutObject", + "lambda:UpdateFunctionCode", + "kms:TagResource", + "kms:UntagResource", + "kms:Encrypt", + "kms:Decrypt", + "lambda:InvokeFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "lambda:DeleteFunctionConcurrency", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${var.aws_account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + { + Action = "iam:ListRoles" + Effect = "Allow" + Resource = "arn:aws:lambda:eu-west-2:*:function:*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.repo_app_config_dev[0]: +resource "aws_iam_policy" "repo_app_config_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = null + name = "repo_app_config" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "appconfig:ListTagsForResource", + "appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + "appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: +resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { + count = var.environment == "dev" ? 
1 : 0 + description = "Dynamo DB specific access policies required by terraform via GitHub" + name = "terraform-github-dynamodb-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + ] + Effect = "Allow" + Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} + + +# aws_iam_policy.terraform_github_s3_access_policy_dev[0]: +resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { + count = var.environment == "dev" ? 1 : 0 + description = "S3 specific access policies required by terraform via GitHub" + name = "terraform-github-s3-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = "s3:ListBucket" + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" + }, + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:DeleteBucketPolicy", + "s3:PutBucketPolicy", + ] + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} diff --git a/pre_core/iam_github_pre-prod.tf b/pre_core/iam_github_pre-prod.tf.org similarity index 100% rename from pre_core/iam_github_pre-prod.tf rename to pre_core/iam_github_pre-prod.tf.org diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf.org similarity index 100% rename from pre_core/iam_github_test.tf rename to pre_core/iam_github_test.tf.org From 2601afcb684f41aabf83b587916a3088d67fd433 Mon Sep 17 00:00:00 2001 
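Review bot: The OIDC trust in this copied file (`StringLike` on `token.actions.githubusercontent.com:sub` matching `repo:NHSDigital/...:*`) lets a workflow run from any branch, tag or pull request of those two repositories assume the dev role, and since this blob (`d2e799026`) is the pre-rename content of `iam_github_dev.tf`, the live file carries the same condition. Narrowing the `sub` pattern to specific refs or GitHub environments (`repo:ORG/REPO:ref:refs/heads/main` or `repo:ORG/REPO:environment:development`) would limit which runs can obtain credentials. Separately, `github_actions_terraform_full_dev` grants `iam:PassRole`, `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:CreatePolicyVersion` with `Resource = "*"`, which is effectively administrator-equivalent for the account; scoping those to a role/policy path or name prefix and setting a `permissions_boundary` on the roles it may create would bound it. Terraform only loads `.tf` and `.tf.json`, so this `.org` copy is inert, but it is now a second copy of the account's IAM definitions to keep in sync or delete once the refactor lands.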
From: Tim Knight Date: Thu, 11 Dec 2025 08:58:26 +0000 Subject: [PATCH 06/48] [ndr-297] added test workflow --- .github/workflows/test-deploy-sandbox.yml | 138 ++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 .github/workflows/test-deploy-sandbox.yml diff --git a/.github/workflows/test-deploy-sandbox.yml b/.github/workflows/test-deploy-sandbox.yml new file mode 100644 index 000000000..6f1c867fe --- /dev/null +++ b/.github/workflows/test-deploy-sandbox.yml 
@@ -0,0 +1,138 @@ +name: "TEST Deploy - Sandbox" + +run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}" + +on: + workflow_dispatch: + inputs: + git_ref: + description: "Branch, tag or SHA to deploy" + required: true + type: "string" + sandbox_name: + description: "Sandbox name [a-z0-9]{1,8}" + required: true + type: "string" + +permissions: + pull-requests: write + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + validate_inputs: + name: Validate Inputs + runs-on: ubuntu-latest + environment: development + steps: + - name: Validate sandbox name + run: | + if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then + echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)." + exit 1 + fi + env: + SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} + + terraform_plan_apply_main: + name: Terraform Plan/Apply (main) + runs-on: ubuntu-latest + needs: validate_inputs + environment: development + steps: + - name: Checkout main + uses: actions/checkout@v5 + with: + ref: main + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + mask-aws-account-id: true + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.3 + terraform_wrapper: false + + - name: Initialise Terraform + id: main_init + run: terraform init -backend-config=backend.conf + working-directory: ./infrastructure + shell: bash + + - name: Select Terraform Workspace + id: main_workspace + run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} + working-directory: ./infrastructure + shell: bash + + - name: Run 
Terraform Plan + id: main_plan + run: | + terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan + working-directory: ./infrastructure + shell: bash + + - name: Run Terraform Apply + run: terraform apply -auto-approve -input=false tf-main.plan + working-directory: ./infrastructure + + terraform_plan_apply_branch: + name: Terraform Plan/Apply (branch) + if: ${{ github.event.inputs.git_ref != 'main' }} + runs-on: ubuntu-latest + needs: terraform_plan_apply_main + environment: development + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + mask-aws-account-id: true + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.3 + terraform_wrapper: false + + - name: Checkout Branch + uses: actions/checkout@v5 + with: + ref: ${{ github.event.inputs.git_ref}} + + # Checks that all Terraform configuration files adhere to a canonical format. + - name: Check Terraform Formatting + run: terraform fmt -check + working-directory: ./infrastructure + + - name: Initialise Terraform + id: init + run: terraform init -backend-config=backend.conf + working-directory: ./infrastructure + shell: bash + + - name: Select Terraform Workspace + id: workspace + run: terraform workspace select ${{ github.event.inputs.sandbox_name}} + working-directory: ./infrastructure + shell: bash + + - name: Run Terraform Plan + id: plan + run: | + terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan + working-directory: ./infrastructure + shell: bash + + - name: Run Terraform Apply (branch over main) + run: terraform apply -auto-approve -input=false tf.plan + working-directory: ./infrastructure From eca98de5608cc5849d2104c4aafa0871b126338c Mon Sep 17 00:00:00 2001 
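Review bot: `terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}}` (both workspace steps) splices a workflow input straight into a shell `run:` line; it is only safe because `validate_inputs` pins the value to `^[a-z0-9]{1,8}$` and every later job chains back to it through `needs:`, so either comment that coupling or, better, pass the value through `env:` as the validation step already does (`env: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}` and `$SANDBOX_NAME` in the script). `permissions: pull-requests: write` is not used by any step in this file and can be dropped, leaving `contents: read` and `id-token: write`. The comment above `Setup Terraform` says it installs the latest CLI with a Terraform Cloud token, but the step pins `terraform_version: 1.13.3` and sets no token; `# Install Terraform 1.13.3 (wrapper script disabled)` describes what it actually does.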
From: Tim Knight Date: Thu, 11 Dec 2025 09:39:06 +0000 Subject: [PATCH 07/48] [ndr-297] added new stage to deploy-sandbox --- .github/workflows/deploy-sandbox.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 1afd9ad57..b5f93fcf0 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -34,6 +34,23 @@ jobs: env: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} + test_job: + name: Test Job + runs-on: ubuntu-latest + needs: validate_inputs + environment: development + steps: + - name: Checkout main + uses: actions/checkout@v5 + with: + ref: ${{ github.event.inputs.git_ref}} + + - name: TEST + id: test + run: echo "Hello" + working-directory: ./infrastructure + shell: bash + terraform_plan_apply_main: name: Terraform Plan/Apply (main) runs-on: ubuntu-latest From 00e910348d1ad34b5076ccde78fc54322e9fb34e Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 12 Dec 2025 11:12:32 +0000 Subject: [PATCH 08/48] [ndr-297] renamed var in script --- pre_core/policy_tool.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pre_core/policy_tool.py b/pre_core/policy_tool.py index 7ac3c7b5e..3283647e1 100644 --- a/pre_core/policy_tool.py +++ b/pre_core/policy_tool.py @@ -59,8 +59,7 @@ def tidy_resource_file(aws_account_id, env, source): output.append(f' count = var.environment == "{env}" ? 1 : 0') continue - # line = line.replace(aws_account_id, "${var.aws_account_id}") - output.append(line.replace(aws_account_id, "${var.aws_account_id}")) + output.append(line.replace(aws_account_id, "${data.aws_caller_identity.current.account_id}")) return "\n".join(output) From ba6512bb874fd4b5dec692e9a23276246e1d4550 Mon Sep 17 00:00:00 2001 
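Review bot: The generated HCL now references `data.aws_caller_identity.current`, but nothing in this hunk declares that data source in `pre_core`, so the rewritten files will fail `terraform validate` unless `data "aws_caller_identity" "current" {}` is added alongside; `tidy_resource_file` starts outside this hunk. `str.replace` also substitutes every occurrence of the account id, including inside any longer digit run, so anchoring on the ARN delimiters, e.g. `re.sub(rf"(?<=:){re.escape(aws_account_id)}(?=:)", "${data.aws_caller_identity.current.account_id}", line)` with `re` imported, would only touch the account field. The replacement contains a literal `${...}` template, so it should stay a plain string rather than an f-string.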
From: Tim Knight Date: Fri, 12 Dec 2025 12:07:20 +0000 Subject: [PATCH 09/48] [ndr-297] updated to remote state. plan only. --- .github/workflows/deploy-sandbox.yml | 55 +- .github/workflows/test-deploy-sandbox.yml | 138 -- pre_core/Makefile | 17 +- pre_core/backend.conf | 1 + pre_core/dev.tfvars | 2 + pre_core/iam_github_dev.tf | 1814 ++++++++++----------- pre_core/providers.tf | 9 +- pre_core/terraform.tf | 14 +- pre_core/variables.tf | 21 +- 9 files changed, 1004 insertions(+), 1067 deletions(-) delete mode 100644 .github/workflows/test-deploy-sandbox.yml create mode 100644 pre_core/backend.conf create mode 100644 pre_core/dev.tfvars diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index b5f93fcf0..52565c774 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
@@ -34,27 +34,66 @@ jobs: env: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} - test_job: - name: Test Job + +############################################ +# NEW + + terraform_plan_apply_pre_core: + name: Terraform Plan/Apply (pre_core) runs-on: ubuntu-latest needs: validate_inputs environment: development steps: - - name: Checkout main + - name: Checkout branch uses: actions/checkout@v5 with: ref: ${{ github.event.inputs.git_ref}} - - name: TEST - id: test - run: echo "Hello" - working-directory: ./infrastructure + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + mask-aws-account-id: true + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.3 + terraform_wrapper: false + + - name: Initialise Terraform + id: pre_core_init + run: terraform init -backend-config=backend.conf + working-directory: ./pre_core + shell: bash + + - name: Select Terraform Workspace + id: pre_core_workspace + run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} + working-directory: ./pre_core + shell: bash + + - name: Run Terraform Plan + id: pre_core_plan + run: | + # TODO: ADD CORRECT VAR-FILE HERE + terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-pre_core.plan + working-directory: ./pre_core shell: bash + # - name: Run Terraform Apply + # run: terraform apply -auto-approve -input=false tf-pre_core.plan + # working-directory: ./pre_core + +############################################ + terraform_plan_apply_main: name: Terraform Plan/Apply (main) runs-on: ubuntu-latest - needs: validate_inputs + needs: terraform_plan_apply_pre_core environment: development steps: - name: Checkout 
main diff --git a/.github/workflows/test-deploy-sandbox.yml b/.github/workflows/test-deploy-sandbox.yml deleted file mode 100644 index 6f1c867fe..000000000 --- a/.github/workflows/test-deploy-sandbox.yml +++ /dev/null 
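Review bot: The pre_core plan step still runs `terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-pre_core.plan` under a `# TODO: ADD CORRECT VAR-FILE HERE` comment, while this same commit adds `pre_core/dev.tfvars`; per the deleted test workflow `vars.TF_VARS_FILE` belongs to `./infrastructure`, so the pre_core plan is evaluated against the wrong inputs and the mismatch would only surface once the commented-out apply step is re-enabled. The sandbox name is also spliced directly into the shell line `terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}}`; it is covered by the regex in `validate_inputs` through `needs`, but passing it via `env:` the way `validate_inputs` already does keeps the command safe even if that check is later relaxed. Worth stating in a comment on the job that `terraform plan` on an arbitrary `git_ref` executes provider and data-source code from that ref with the `AWS_ASSUME_ROLE` credentials, so the role's permissions, not the absence of an apply step, are what bounds an unreviewed branch. The `terraform_plan_apply_main` job continues past the end of the hunk.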
@@ -1,138 +0,0 @@ -name: "TEST Deploy - Sandbox" - -run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}" - -on: - workflow_dispatch: - inputs: - git_ref: - description: "Branch, tag or SHA to deploy" - required: true - type: "string" - sandbox_name: - description: "Sandbox name [a-z0-9]{1,8}" - required: true - type: "string" - -permissions: - pull-requests: write - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - validate_inputs: - name: Validate Inputs - runs-on: ubuntu-latest - environment: development - steps: - - name: Validate sandbox name - run: | - if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then - echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)." - exit 1 - fi - env: - SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} - - terraform_plan_apply_main: - name: Terraform Plan/Apply (main) - runs-on: ubuntu-latest - needs: validate_inputs - environment: development - steps: - - name: Checkout main - uses: actions/checkout@v5 - with: - ref: main - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.13.3 - terraform_wrapper: false - - - name: Initialise Terraform - id: main_init - run: terraform init -backend-config=backend.conf - working-directory: ./infrastructure - shell: bash - - - name: Select Terraform Workspace - id: main_workspace - run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} - working-directory: ./infrastructure - shell: bash - - - name: Run 
Terraform Plan - id: main_plan - run: | - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan - working-directory: ./infrastructure - shell: bash - - - name: Run Terraform Apply - run: terraform apply -auto-approve -input=false tf-main.plan - working-directory: ./infrastructure - - terraform_plan_apply_branch: - name: Terraform Plan/Apply (branch) - if: ${{ github.event.inputs.git_ref != 'main' }} - runs-on: ubuntu-latest - needs: terraform_plan_apply_main - environment: development - steps: - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.13.3 - terraform_wrapper: false - - - name: Checkout Branch - uses: actions/checkout@v5 - with: - ref: ${{ github.event.inputs.git_ref}} - - # Checks that all Terraform configuration files adhere to a canonical format. - - name: Check Terraform Formatting - run: terraform fmt -check - working-directory: ./infrastructure - - - name: Initialise Terraform - id: init - run: terraform init -backend-config=backend.conf - working-directory: ./infrastructure - shell: bash - - - name: Select Terraform Workspace - id: workspace - run: terraform workspace select ${{ github.event.inputs.sandbox_name}} - working-directory: ./infrastructure - shell: bash - - - name: Run Terraform Plan - id: plan - run: | - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan - working-directory: ./infrastructure - shell: bash - - - name: Run Terraform Apply (branch over main) - run: terraform apply -auto-approve -input=false tf.plan - working-directory: ./infrastructure diff --git a/pre_core/Makefile b/pre_core/Makefile index a6f787d8a..191acb85b 100644 --- a/pre_core/Makefile +++ b/pre_core/Makefile 
@@ -21,11 +21,20 @@ tf-format-check: tf-format: terraform fmt --recursive -init: guard-aws_account_id guard-env - terraform init -var environment=${env} -var aws_account_id=${aws_account_id} +# init: guard-aws_account_id guard-env +# terraform init -var environment=${env} -var aws_account_id=${aws_account_id} -plan: guard-aws_account_id guard-env - terraform plan -out=tfplan -var environment=${env} -var aws_account_id=${aws_account_id} +init: +# terraform init -var aws_account_id=${aws_account_id} + terraform init -backend-config=backend.conf + +plan: guard-env guard-workspace + terraform workspace select -or-create ${workspace} + terraform plan -out=tfplan -var environment=${env} + +apply: guard-workspace + terraform workspace select -or-create ${workspace} + terraform apply tfplan # TEMP FUNCTIONS diff --git a/pre_core/backend.conf b/pre_core/backend.conf new file mode 100644 index 000000000..5ade2f1b5 --- /dev/null +++ b/pre_core/backend.conf @@ -0,0 +1 @@ +bucket = "ndr-dev-terraform-state-533825906475" diff --git a/pre_core/dev.tfvars b/pre_core/dev.tfvars new file mode 100644 index 000000000..fafe1970e --- /dev/null +++ b/pre_core/dev.tfvars @@ -0,0 +1,2 @@ +environment = "dev" +owner = "nhse/ndr-team" \ No newline at end of file diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 5ccab52da..67154195a 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf 
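Review bot: `apply: guard-workspace` runs `terraform workspace select -or-create ${workspace}`, so a mistyped workspace name at apply time creates and leaves behind a fresh empty workspace instead of failing at the select step; `-or-create` is what `plan` needs for a new sandbox, but apply should only ever attach to an existing one, `terraform workspace select ${workspace}`. The commented-out `# init: guard-aws_account_id guard-env` recipe and the `# terraform init -var aws_account_id=${aws_account_id}` line are dead text now that `init` reads `backend.conf`, and dropping them keeps the target list readable. `apply` also omits the `guard-env` that `plan` keeps, which is fine while it only consumes `tfplan`, but a one-line comment saying so would stop someone re-adding `-var environment=` there.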
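Review bot: `bucket = "ndr-dev-terraform-state-533825906475"` pins the backend to a single dev-account state bucket, while the Makefile in this commit parameterises `plan` on an `env` variable, so running `make init` from another account would presumably either fail on bucket access or, worse, read and write dev state. Either a per-environment backend file chosen from `env` (for example `backend.<env>.conf`, name to be agreed) or a comment in this file stating that the module is dev/sandbox-only would make the intended scope explicit. The workflow added in the same commit sets `mask-aws-account-id: true` in its logs while this file commits the id in plaintext; the id is not a secret, but the two settings pull in opposite directions and the comment should say which one governs.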
@@ -1,930 +1,930 @@ -# aws_iam_role.github_role_dev[0]: -resource "aws_iam_role" "github_role_dev" { - count = var.environment == "dev" ? 1 : 0 - assume_role_policy = jsonencode( - { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" - } - }, - ] - Version = "2012-10-17" - } - ) - description = "This role is to provide access for GitHub actions to the development environment. " - force_detach_policies = false - managed_policy_arns = [ - aws_iam_policy.config_policy_dev[0].arn, - aws_iam_policy.ecr_github_access_policy_dev[0].arn, - aws_iam_policy.github_actions_terraform_full_dev[0].arn, - aws_iam_policy.github_mtls_gateway_dev[0].arn, - aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, - aws_iam_policy.lambda_github_access_policy_dev[0].arn, - aws_iam_policy.repo_app_config_dev[0].arn, - aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, - aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "github-role-${var.environment}" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} +# # aws_iam_role.github_role_dev[0]: +# resource "aws_iam_role" "github_role_dev" { +# count = local.is_sandbox_or_dev ? 
1 : 0 +# assume_role_policy = jsonencode( +# { +# Statement = [ +# { +# Action = "sts:AssumeRoleWithWebIdentity" +# Condition = { +# StringEquals = { +# "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" +# } +# StringLike = { +# "token.actions.githubusercontent.com:sub" = [ +# "repo:NHSDigital/national-document-repository-infrastructure:*", +# "repo:NHSDigital/national-document-repository:*", +# ] +# } +# } +# Effect = "Allow" +# Principal = { +# Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" +# } +# }, +# { +# Action = "sts:AssumeRole" +# Effect = "Allow" +# Principal = { +# AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" +# } +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# description = "This role is to provide access for GitHub actions to the development environment. " +# force_detach_policies = false +# managed_policy_arns = [ +# aws_iam_policy.config_policy_dev[0].arn, +# aws_iam_policy.ecr_github_access_policy_dev[0].arn, +# aws_iam_policy.github_actions_terraform_full_dev[0].arn, +# aws_iam_policy.github_mtls_gateway_dev[0].arn, +# aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, +# aws_iam_policy.lambda_github_access_policy_dev[0].arn, +# aws_iam_policy.repo_app_config_dev[0].arn, +# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, +# aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, +# "arn:aws:iam::aws:policy/ReadOnlyAccess", +# ] +# max_session_duration = 3600 +# name = "${terraform.workspace}-github-role" +# name_prefix = null +# path = "/" +# permissions_boundary = null +# tags = {} +# tags_all = {} - inline_policy { - name = "cloudtrail" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - 
"cloudtrail:DeleteTrail", - ] - Effect = "Allow" - Resource = [ - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", - ] - Sid = "VisualEditor0" - }, - { - Action = "organizations:ListAWSServiceAccessForOrganization" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" - Sid = "Statement1" - }, - { - Action = [ - "logs:PutDeliverySource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", - ] - Sid = "Statement2" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-actions-waf-override" - policy = jsonencode( - { - Statement = [ - { - Action = "apigateway:SetWebACL" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "lambda_layer_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - 
"lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step-functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } -} +# inline_policy { +# name = "cloudtrail" +# policy = 
jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "cloudtrail:AddTags", +# "cloudtrail:CreateTrail", +# "cloudtrail:StartLogging", +# "cloudtrail:DeleteTrail", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", +# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", +# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", +# ] +# Sid = "VisualEditor0" +# }, +# { +# Action = "organizations:ListAWSServiceAccessForOrganization" +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor1" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "cloudwatch_logs_policy" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "logs:DescribeLogGroups", +# "logs:CreateLogGroup", +# "logs:CreateLogStream", +# "logs:PutLogEvents", +# "logs:PutRetentionPolicy", +# "logs:PutResourcePolicy", +# "logs:DeleteResourcePolicy", +# "logs:DeleteRetentionPolicy", +# "logs:TagResource", +# "logs:UntagResource", +# "logs:AssociateKmsKey", +# "logs:DisassociateKmsKey", +# ] +# Effect = "Allow" +# Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" +# Sid = "Statement1" +# }, +# { +# Action = [ +# "logs:PutDeliverySource", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", +# ] +# Sid = "Statement2" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "ecs_policy" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "ecs:UpdateCluster", +# "ecs:PutClusterCapacityProviders", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "github-actions-waf-override" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = 
"apigateway:SetWebACL" +# Effect = "Allow" +# Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "lambda_layer_policy" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "lambda:GetLayerVersion", +# "lambda:PublishLayerVersion", +# "lambda:DeleteLayerVersion", +# "lambda:ListLayerVersions", +# "lambda:ListLayers", +# "lambda:AddLayerVersionPermission", +# "lambda:GetLayerVersionPolicy", +# "lambda:RemoveLayerVersionPermission", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "rum_policy" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "cognito-identity:SetIdentityPoolRoles", +# "cognito-identity:CreateIdentityPool", +# "cognito-identity:DeleteIdentityPool", +# "cognito-identity:UpdateIdentityPool", +# ] +# Effect = "Allow" +# Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" +# Sid = "VisualEditor0" +# }, +# { +# Action = [ +# "rum:TagResource", +# "rum:UntagResource", +# "rum:ListTagsForResource", +# "iam:PassRole", +# "rum:UpdateAppMonitor", +# "rum:GetAppMonitor", +# "rum:CreateAppMonitor", +# "rum:DeleteAppMonitor", +# ] +# Effect = "Allow" +# Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" +# Sid = "VisualEditor1" +# }, +# { +# Action = [ +# "logs:DeleteLogGroup", +# "logs:DeleteResourcePolicy", +# "logs:DescribeLogGroups", +# ] +# Effect = "Allow" +# Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" +# Sid = "VisualEditor2" +# }, +# { +# Action = [ +# "logs:CreateLogDelivery", +# "logs:GetLogDelivery", +# "logs:UpdateLogDelivery", +# "logs:DeleteLogDelivery", +# "logs:ListLogDeliveries", +# "logs:DescribeResourcePolicies", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid 
= "VisualEditor3" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# inline_policy { +# name = "step-functions" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "states:DescribeStateMachine", +# "states:UpdateStateMachine", +# "states:DeleteStateMachine", +# "states:CreateStateMachine", +# "states:TagResource", +# "states:UntagResource", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# } +# } -# aws_iam_policy.config_policy_dev[0]: -resource "aws_iam_policy" "config_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "config-policy-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "config:DeleteDeliveryChannel", - "config:PutConfigurationRecorder", - "config:StopConfigurationRecorder", - "config:StartConfigurationRecorder", - "config:PutDeliveryChannel", - "config:DeleteConfigurationRecorder", - "config:DescribeConfigurationRecorderStatus", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.config_policy_dev[0]: +# resource "aws_iam_policy" "config_policy_dev" { +# count = local.is_sandbox_or_dev ? 
1 : 0 +# description = null +# name = "${terraform.workspace}-config-policy" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "config:DeleteDeliveryChannel", +# "config:PutConfigurationRecorder", +# "config:StopConfigurationRecorder", +# "config:StartConfigurationRecorder", +# "config:PutDeliveryChannel", +# "config:DeleteConfigurationRecorder", +# "config:DescribeConfigurationRecorderStatus", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.ecr_github_access_policy_dev[0]: -resource "aws_iam_policy" "ecr_github_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "ecr-github-access-policy-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.ecr_github_access_policy_dev[0]: +# resource "aws_iam_policy" "ecr_github_access_policy_dev" { +# count = local.is_sandbox_or_dev ? 
1 : 0 +# description = null +# name = "${terraform.workspace}-ecr-github-access-policy" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "ecr:GetDownloadUrlForLayer", +# "ecr:BatchGetImage", +# "ecr:CompleteLayerUpload", +# "ecr:UploadLayerPart", +# "ecr:InitiateLayerUpload", +# "ecr:BatchCheckLayerAvailability", +# "ecr:PutImage", +# ] +# Effect = "Allow" +# Resource = "arn:aws:ecr:eu-west-2:*:repository/*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.github_actions_terraform_full_dev[0]: -resource "aws_iam_policy" "github_actions_terraform_full_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "All permissions required for Terraform to do its thing." - name = "github_actions_terraform_full-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "scheduler:DeleteSchedule", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "dynamodb:BatchWriteItem", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "lambda:PublishVersion", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "dynamodb:UpdateTable", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - 
"logs:DeleteMetricFilter", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "ec2:ReleaseAddress", - "lambda:UpdateEventSourceMapping", - "elasticloadbalancing:CreateLoadBalancer", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "iam:CreateServiceLinkedRole", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:UpdateAssumeRolePolicy", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "ecs:UpdateService", - "elasticloadbalancing:DescribeLoadBalancers", - "ssm:DeleteParameter", - "cloudfront:*", - "kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "ses:VerifyDomainDkim", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "ecs:CreateService", - "elasticloadbalancing:CreateListener", - "kms:ScheduleKeyDeletion", - "ecr:DescribeRepositories", - "ecs:DescribeServices", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "kms:ListKeys", - "events:PutTargets", - "lambda:AddPermission", - "ecr:SetRepositoryPolicy", - "ec2:DeleteSecurityGroup", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - 
"sqs:DeleteMessage", - "elasticloadbalancing:ModifyListener", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "dynamodb:CreateTable", - "ec2:RevokeSecurityGroupIngress", - "lambda:UpdateFunctionCode", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "ec2:DisassociateAddress", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "scheduler:UpdateSchedule", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "backup:DeleteBackupVault", - "lambda:UpdateFunctionConfiguration", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "lambda:EnableReplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - 
"iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "ec2:DetachInternetGateway", - "ecr:DeleteLifecyclePolicy", - "logs:CreateLogGroup", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "ec2:DeleteTags", - "lambda:GetLayerVersion", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "scheduler:CreateSchedule", - "logs:PutRetentionPolicy", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "cognito-idp:*", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.github_actions_terraform_full_dev[0]: +# resource "aws_iam_policy" "github_actions_terraform_full_dev" { +# count = local.is_sandbox_or_dev 
? 1 : 0 +# description = "All permissions required for Terraform to do its thing." +# name = "${terraform.workspace}-github_actions_terraform_full" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "ec2:AuthorizeSecurityGroupIngress", +# "ec2:DeleteVpcEndpoints", +# "ec2:AttachInternetGateway", +# "iam:PutRolePolicy", +# "ecr:DeleteRepository", +# "scheduler:DeleteSchedule", +# "ec2:CreateRoute", +# "cloudwatch:ListTagsForResource", +# "ecr:TagResource", +# "dynamodb:DescribeContinuousBackups", +# "events:RemoveTargets", +# "lambda:DeleteFunction", +# "iam:ListRolePolicies", +# "ecs:TagResource", +# "ecr:GetLifecyclePolicy", +# "iam:GetRole", +# "dynamodb:BatchWriteItem", +# "elasticloadbalancing:CreateTargetGroup", +# "ecr:GetAuthorizationToken", +# "application-autoscaling:DeleteScalingPolicy", +# "kms:RetireGrant", +# "elasticloadbalancing:AddTags", +# "ec2:DeleteNatGateway", +# "lambda:PublishVersion", +# "apigateway:POST", +# "lambda:DeleteEventSourceMapping", +# "elasticloadbalancing:ModifyLoadBalancerAttributes", +# "dynamodb:UpdateTable", +# "ec2:ModifyVpcEndpoint", +# "logs:ListTagsLogGroup", +# "kms:PutKeyPolicy", +# "events:PutRule", +# "ec2:CreateVpc", +# "dynamodb:ListTagsOfResource", +# "iam:PassRole", +# "logs:DeleteMetricFilter", +# "sqs:createqueue", +# "iam:DeleteRolePolicy", +# "application-autoscaling:TagResource", +# "ec2:ReleaseAddress", +# "lambda:UpdateEventSourceMapping", +# "elasticloadbalancing:CreateLoadBalancer", +# "apigateway:PUT", +# "route53:ListTagsForResource", +# "ec2:DescribeSecurityGroups", +# "iam:CreatePolicy", +# "sqs:TagQueue", +# "iam:CreateServiceLinkedRole", +# "kms:CreateAlias", +# "elasticloadbalancing:DescribeTargetGroups", +# "route53:AssociateVPCWithHostedZone", +# "elasticloadbalancing:DeleteListener", +# "iam:UpdateAssumeRolePolicy", +# "iam:GetPolicyVersion", +# "wafv2:AssociateWebACL", +# "ec2:DeleteSubnet", +# "elasticloadbalancing:SetWebACL", +# 
"ecs:UpdateService", +# "elasticloadbalancing:DescribeLoadBalancers", +# "ssm:DeleteParameter", +# "cloudfront:*", +# "kms:GetKeyRotationStatus", +# "dynamodb:DescribeTable", +# "ssm:AddTagsToResource", +# "ecs:RegisterTaskDefinition", +# "route53:ListResourceRecordSets", +# "ecr:CreateRepository", +# "ecs:DeleteService", +# "application-autoscaling:UntagResource", +# "ec2:DescribePrefixLists", +# "backup:CreateBackupVault", +# "backup:UpdateBackupPlan", +# "sqs:DeleteQueue", +# "ec2:DeleteVpc", +# "kms:DeleteAlias", +# "sns:DeleteTopic", +# "wafv2:DeleteWebACL", +# "dynamodb:DeleteItem", +# "iam:DeletePolicy", +# "sns:SetTopicAttributes", +# "ses:VerifyDomainDkim", +# "lambda:PutFunctionConcurrency", +# "dynamodb:UpdateContinuousBackups", +# "ecs:CreateService", +# "elasticloadbalancing:CreateListener", +# "kms:ScheduleKeyDeletion", +# "ecr:DescribeRepositories", +# "ecs:DescribeServices", +# "iam:CreatePolicyVersion", +# "ecs:UntagResource", +# "sqs:ListQueues", +# "wafv2:UpdateWebACL", +# "dynamodb:DescribeTimeToLive", +# "kms:UpdateAlias", +# "backup:GetBackupSelection", +# "kms:ListKeys", +# "events:PutTargets", +# "lambda:AddPermission", +# "ecr:SetRepositoryPolicy", +# "ec2:DeleteSecurityGroup", +# "application-autoscaling:DeregisterScalableTarget", +# "backup:DeleteBackupPlan", +# "ses:SetIdentityMailFromDomain", +# "lambda:CreateFunction", +# "sqs:DeleteMessage", +# "elasticloadbalancing:ModifyListener", +# "cloudwatch:DeleteAlarms", +# "secretsmanager:DeleteSecret", +# "wafv2:CreateRegexPatternSet", +# "wafv2:CreateWebACL", +# "dynamodb:DeleteTable", +# "ecs:DescribeTaskDefinition", +# "ec2:DeleteRouteTable", +# "ec2:CreateInternetGateway", +# "ec2:RevokeSecurityGroupEgress", +# "sns:Subscribe", +# "ec2:DeleteInternetGateway", +# "wafv2:TagResource", +# "dynamodb:UpdateTimeToLive", +# "iam:GetPolicy", +# "ec2:CreateTags", +# "sns:CreateTopic", +# "ecs:DeleteCluster", +# "iam:UpdateRoleDescription", +# "iam:DeleteRole", +# "ec2:DisassociateRouteTable", +# 
"backup:GetBackupPlan", +# "wafv2:DeleteRegexPatternSet", +# "dynamodb:CreateTable", +# "ec2:RevokeSecurityGroupIngress", +# "lambda:UpdateFunctionCode", +# "ec2:CreateDefaultVpc", +# "ec2:CreateSubnet", +# "ec2:DescribeSubnets", +# "iam:GetRolePolicy", +# "sqs:setqueueattributes", +# "ec2:DisassociateAddress", +# "kms:UntagResource", +# "ec2:CreateNatGateway", +# "kms:ListResourceTags", +# "ecr:ListTagsForResource", +# "ses:VerifyDomainIdentity", +# "ecs:DeregisterTaskDefinition", +# "apigateway:DELETE", +# "apigateway:SetWebACL", +# "backup:CreateBackupSelection", +# "scheduler:UpdateSchedule", +# "ec2:DescribeAvailabilityZones", +# "kms:CreateKey", +# "kms:EnableKeyRotation", +# "ecr:PutLifecyclePolicy", +# "s3:*", +# "kms:GetKeyPolicy", +# "route53:ListHostedZones", +# "backup:DeleteBackupVault", +# "lambda:UpdateFunctionConfiguration", +# "elasticloadbalancing:DeleteTargetGroup", +# "events:DeleteRule", +# "backup:DescribeBackupVault", +# "ec2:DescribeVpcs", +# "kms:ListAliases", +# "backup:CreateBackupPlan", +# "ses:DeleteIdentity", +# "lambda:RemovePermission", +# "backup:ListTags", +# "route53:GetHostedZone", +# "sns:Unsubscribe", +# "iam:CreateRole", +# "iam:AttachRolePolicy", +# "lambda:EnableReplication", +# "ec2:AssociateRouteTable", +# "elasticloadbalancing:DeleteLoadBalancer", +# "ec2:DescribeInternetGateways", +# "backup:DeleteBackupSelection", +# "iam:DetachRolePolicy", +# "cloudwatch:UntagResource", +# "iam:ListAttachedRolePolicies", +# "dynamodb:GetItem", +# "elasticloadbalancing:ModifyTargetGroupAttributes", +# "ec2:DescribeRouteTables", +# "application-autoscaling:RegisterScalableTarget", +# "dynamodb:PutItem", +# "ecs:CreateCluster", +# "route53:ChangeResourceRecordSets", +# "ec2:CreateRouteTable", +# "ec2:DetachInternetGateway", +# "ecr:DeleteLifecyclePolicy", +# "logs:CreateLogGroup", +# "backup-storage:MountCapsule", +# "ecs:DescribeClusters", +# "ssm:PutParameter", +# "elasticloadbalancing:DescribeLoadBalancerAttributes", +# 
"logs:CreateLogDelivery", +# "logs:PutMetricFilter", +# "elasticloadbalancing:DescribeTargetGroupAttributes", +# "ec2:DescribeSecurityGroupRules", +# "application-autoscaling:PutScalingPolicy", +# "ec2:DescribeVpcEndpoints", +# "route53:GetChange", +# "ec2:DeleteTags", +# "lambda:GetLayerVersion", +# "lambda:CreateEventSourceMapping", +# "kms:TagResource", +# "elasticloadbalancing:DescribeListeners", +# "dynamodb:TagResource", +# "ec2:CreateSecurityGroup", +# "apigateway:PATCH", +# "kms:DescribeKey", +# "application-autoscaling:ListTagsForResource", +# "ec2:ModifyVpcAttribute", +# "ecr:DeleteRepositoryPolicy", +# "ec2:AuthorizeSecurityGroupEgress", +# "elasticloadbalancing:ModifyListenerAttributes", +# "kms:UpdateKeyDescription", +# "logs:DescribeLogGroups", +# "logs:DeleteLogGroup", +# "elasticloadbalancing:DescribeTags", +# "ec2:DeleteRoute", +# "backup:DeleteRecoveryPoint", +# "ec2:AllocateAddress", +# "cloudwatch:PutMetricAlarm", +# "cloudwatch:TagResource", +# "ec2:CreateVpcEndpoint", +# "elasticloadbalancing:SetSecurityGroups", +# "scheduler:CreateSchedule", +# "logs:PutRetentionPolicy", +# "lambda:GetPolicy", +# "iam:DeletePolicyVersion", +# "ecr:GetRepositoryPolicy", +# "cognito-idp:*", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.github_mtls_gateway_dev[0]: -resource "aws_iam_policy" "github_mtls_gateway_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "github_mtls_gateway-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.github_mtls_gateway_dev[0]: +# resource "aws_iam_policy" "github_mtls_gateway_dev" { +# count = local.is_sandbox_or_dev ? 
1 : 0 +# description = null +# name = "${terraform.workspace}-github_mtls_gateway" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "acm:RequestCertificate", +# "route53:ListHostedZones", +# "acm:ListCertificates", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# { +# Action = "apigateway:AddCertificateToDomain" +# Effect = "Allow" +# Resource = "arn:aws:apigateway:eu-west-2::/domainnames" +# Sid = "VisualEditor1" +# }, +# { +# Action = [ +# "acm:DeleteCertificate", +# "acm:DescribeCertificate", +# "acm:GetCertificate", +# "route53:GetHostedZone", +# "route53:ChangeResourceRecordSets", +# "apigateway:AddCertificateToDomain", +# "acm:AddTagsToCertificate", +# "apigateway:RemoveCertificateFromDomain", +# "acm:ListTagsForCertificate", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:apigateway:eu-west-2::/domainnames", +# "arn:aws:apigateway:eu-west-2::/domainnames/*", +# "arn:aws:route53:::hostedzone/*", +# "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", +# ] +# Sid = "VisualEditor2" +# }, +# { +# Action = [ +# "apigateway:AddCertificateToDomain", +# "apigateway:RemoveCertificateFromDomain", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:apigateway:eu-west-2::/domainnames/*", +# "arn:aws:apigateway:eu-west-2::/domainnames", +# ] +# Sid = "VisualEditor3" +# }, +# { +# Action = "apigateway:AddCertificateToDomain" +# Effect = "Allow" +# Resource = "arn:aws:apigateway:eu-west-2::/domainnames" +# Sid = "VisualEditor4" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.github_terraform_tagging_policy_dev[0]: -resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "github_terraform_tagging_policy-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${var.aws_account_id}:function:*", - "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", - "arn:aws:iam::${var.aws_account_id}:role/*", - "arn:aws:iam::${var.aws_account_id}:policy/*", - "arn:aws:sns:*:${var.aws_account_id}:*", - "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", - "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", - "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", - "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", - "arn:aws:events:*:${var.aws_account_id}:event-bus/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, - ] - Version = 
"2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.github_terraform_tagging_policy_dev[0]: +# resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { +# count = local.is_sandbox_or_dev ? 1 : 0 +# description = null +# name = "${terraform.workspace}-github_terraform_tagging_policy" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "sns:TagResource", +# "backup:TagResource", +# "resource-groups:GetGroupQuery", +# "lambda:TagResource", +# "resource-groups:UpdateGroup", +# "iam:UntagRole", +# "iam:TagRole", +# "resource-groups:GetTags", +# "sns:UntagResource", +# "resource-groups:Untag", +# "lambda:UntagResource", +# "elasticloadbalancing:RemoveTags", +# "cognito-identity:UntagResource", +# "resource-groups:GetGroup", +# "resource-groups:GetGroupConfiguration", +# "backup:UntagResource", +# "cognito-identity:TagResource", +# "resource-groups:Tag", +# "resource-groups:UpdateGroupQuery", +# "iam:TagPolicy", +# "resource-groups:DeleteGroup", +# "events:TagResource", +# "elasticloadbalancing:AddTags", +# "iam:UntagPolicy", +# "resource-groups:ListGroupResources", +# "events:UntagResource", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", +# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", +# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", +# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", +# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", +# "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", +# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", +# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", +# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", +# 
"arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", +# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", +# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", +# "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", +# "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", +# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", +# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", +# ] +# Sid = "VisualEditor0" +# }, +# { +# Action = [ +# "events:TagResource", +# "elasticloadbalancing:RemoveTags", +# "elasticloadbalancing:AddTags", +# "events:UntagResource", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", +# 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", +# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", +# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", +# ] +# Sid = "VisualEditor1" +# }, +# { +# Action = [ +# "resource-groups:SearchResources", +# "resource-groups:CreateGroup", +# "resource-groups:ListGroups", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor2" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.lambda_github_access_policy_dev[0]: -resource "aws_iam_policy" "lambda_github_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "These permissions allow GitHub to push to a Lambda function." 
- name = "lambda-github-access-policy-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "s3:PutObject", - "lambda:UpdateFunctionCode", - "kms:TagResource", - "kms:UntagResource", - "kms:Encrypt", - "kms:Decrypt", - "lambda:InvokeFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "lambda:DeleteFunctionConcurrency", - "kms:CreateGrant", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${var.aws_account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - { - Action = "iam:ListRoles" - Effect = "Allow" - Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.lambda_github_access_policy_dev[0]: +# resource "aws_iam_policy" "lambda_github_access_policy_dev" { +# count = local.is_sandbox_or_dev ? 1 : 0 +# description = "These permissions allow GitHub to push to a Lambda function." 
+# name = "${terraform.workspace}-lambda-github-access-policy" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "lambda:CreateFunction", +# "s3:PutObject", +# "lambda:UpdateFunctionCode", +# "kms:TagResource", +# "kms:UntagResource", +# "kms:Encrypt", +# "kms:Decrypt", +# "lambda:InvokeFunction", +# "lambda:GetFunction", +# "lambda:UpdateFunctionConfiguration", +# "lambda:GetFunctionConfiguration", +# "lambda:DeleteFunctionConcurrency", +# "kms:CreateGrant", +# ] +# Effect = "Allow" +# Resource = [ +# "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", +# "arn:aws:lambda:eu-west-2:*:function:*", +# ] +# Sid = "VisualEditor0" +# }, +# { +# Action = "iam:ListRoles" +# Effect = "Allow" +# Resource = "arn:aws:lambda:eu-west-2:*:function:*" +# Sid = "VisualEditor1" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.repo_app_config_dev[0]: -resource "aws_iam_policy" "repo_app_config_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "repo_app_config-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.repo_app_config_dev[0]: +# resource "aws_iam_policy" "repo_app_config_dev" { +# count = local.is_sandbox_or_dev ? 
1 : 0 +# description = null +# name = "${terraform.workspace}-repo_app_config" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "appconfig:ListTagsForResource", +# "appconfig:StartDeployment", +# "appconfig:DeleteApplication", +# "appconfig:GetLatestConfiguration", +# "appconfig:TagResource", +# "appconfig:CreateConfigurationProfile", +# "appconfig:CreateExtensionAssociation", +# "appconfig:DeleteConfigurationProfile", +# "appconfig:CreateDeploymentStrategy", +# "appconfig:CreateApplication", +# "appconfig:GetDeploymentStrategy", +# "appconfig:GetHostedConfigurationVersion", +# "appconfig:ListExtensionAssociations", +# "appconfig:ListDeploymentStrategies", +# "appconfig:CreateHostedConfigurationVersion", +# "appconfig:DeleteEnvironment", +# "appconfig:UntagResource", +# "appconfig:ListHostedConfigurationVersions", +# "appconfig:ListEnvironments", +# "appconfig:UpdateDeploymentStrategy", +# "appconfig:GetExtensionAssociation", +# "appconfig:GetExtension", +# "appconfig:ListDeployments", +# "appconfig:GetDeployment", +# "appconfig:ListExtensions", +# "appconfig:DeleteHostedConfigurationVersion", +# "appconfig:StopDeployment", +# "appconfig:CreateEnvironment", +# "appconfig:UpdateEnvironment", +# "appconfig:GetEnvironment", +# "appconfig:ListConfigurationProfiles", +# "appconfig:DeleteDeploymentStrategy", +# "appconfig:ListApplications", +# "appconfig:UpdateApplication", +# "appconfig:CreateExtension", +# "appconfig:GetConfiguration", +# "appconfig:GetApplication", +# "appconfig:UpdateConfigurationProfile", +# "appconfig:GetConfigurationProfile", +# ] +# Effect = "Allow" +# Resource = "*" +# Sid = "VisualEditor0" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } -# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: -resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = "Dynamo DB specific access policies required by terraform via GitHub" - name = "terraform-github-dynamodb-access-policy-${var.environment}" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - ] - Effect = "Allow" - Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} +# # aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: +# resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { +# count = local.is_sandbox_or_dev ? 1 : 0 +# description = "Dynamo DB specific access policies required by terraform via GitHub" +# name = "${terraform.workspace}-terraform-github-dynamodb-access-policy" +# name_prefix = null +# path = "/" +# policy = jsonencode( +# { +# Statement = [ +# { +# Action = [ +# "dynamodb:DescribeTable", +# "dynamodb:GetItem", +# "dynamodb:PutItem", +# "dynamodb:DeleteItem", +# "dynamodb:UpdateTimeToLive", +# ] +# Effect = "Allow" +# Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" +# }, +# ] +# Version = "2012-10-17" +# } +# ) +# tags = {} +# tags_all = {} +# } # aws_iam_policy.terraform_github_s3_access_policy_dev[0]: resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 + count = local.is_sandbox_or_dev ? 1 : 0 description = "S3 specific access policies required by terraform via GitHub" - name = "terraform-github-s3-access-policy-${var.environment}" + name = "${terraform.workspace}-terraform-github-s3-access-policy" name_prefix = null path = "/" policy = jsonencode( 
@@ -933,7 +933,7 @@ resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { { Action = "s3:ListBucket" Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" }, { Action = [ @@ -944,7 +944,7 @@ resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { "s3:PutBucketPolicy", ] Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate" }, ] Version = "2012-10-17" diff --git a/pre_core/providers.tf b/pre_core/providers.tf index cf2f7c229..008d9033c 100644 --- a/pre_core/providers.tf +++ b/pre_core/providers.tf @@ -1,6 +1,13 @@ provider "aws" { region = var.region allowed_account_ids = [ - var.aws_account_id, + data.aws_caller_identity.current.account_id, ] + default_tags { + tags = { + Owner = var.owner + Environment = var.environment + Workspace = terraform.workspace + } + } } \ No newline at end of file diff --git a/pre_core/terraform.tf b/pre_core/terraform.tf index 5aacc3663..dfb229474 100644 --- a/pre_core/terraform.tf +++ b/pre_core/terraform.tf @@ -12,11 +12,11 @@ terraform { } - # backend "s3" { - # use_lockfile = true - # region = "eu-west-2" - # # key = "ndr/terraform.tfstate" - # key = "ndr_pre_core/terraform.tfstate" - # encrypt = true - # } + backend "s3" { + use_lockfile = true + region = "eu-west-2" + # key = "ndr/terraform.tfstate" + key = "ndr_pre_core/terraform.tfstate" + encrypt = true + } } \ No newline at end of file diff --git a/pre_core/variables.tf b/pre_core/variables.tf index b238a9e7d..00bfa0ca8 100644 --- a/pre_core/variables.tf +++ b/pre_core/variables.tf 
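Review bot: The object ARN on the new `Resource` line still names the default-workspace key `ndr/terraform.tfstate`, while this resource is now created for every sandbox workspace through `local.is_sandbox_or_dev` (the `count` change visible earlier in this file). With the S3 backend, non-default workspaces store state under `env:/<workspace>/ndr/terraform.tfstate`, which this statement does not cover, so the GitHub role would be denied on sandbox state if sandboxes share this bucket. If that is the intent, add a second ARN such as `"arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/env:/*/ndr/terraform.tfstate"` next to the existing one; if sandboxes use a different bucket, a comment saying so would stop the next reader asking the same question. The enclosing `aws_iam_policy` resource starts and ends outside this hunk.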
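Review bot: Setting `allowed_account_ids` to `data.aws_caller_identity.current.account_id` makes the check a tautology: the data source reports the account the ambient credentials already belong to, so the guard can no longer fail when a plan or apply is run with credentials for the wrong account. The removed `var.aws_account_id` was an externally supplied expectation compared against the credentials, and that comparison is the whole purpose of the setting. Keep an externally supplied expected account id in the list, e.g. `allowed_account_ids = [var.aws_account_id]` fed from the per-environment tfvars or backend config, rather than deriving it from the caller. The patch-11 hunk on this same file later comments the setting out entirely, which has the same effect and the same fix.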
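Review bot: The now-active `backend "s3"` block declares no `bucket`, so `terraform init` only succeeds when a `-backend-config` is supplied — the workflow in this series does that, but the Makefile `init` target rewritten in patch 11 runs a bare `terraform init`. A one-line comment above the block, `# bucket is supplied via -backend-config=<backend file>; see .github/workflows`, would make that contract explicit, and the stale `# key = "ndr/terraform.tfstate"` line should be dropped rather than carried into the live block.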
@@ -9,7 +9,24 @@ variable "region" { description = "The region to be used for bootstrapping" } -variable "aws_account_id" { +# variable "aws_account_id" { +# type = string +# description = "The AWS Account ID (numeric)" +# } + +variable "owner" { + description = "Identifies the team or person responsible for the resource (used for tagging)." type = string - description = "The AWS Account ID (numeric)" + default = "nhse/ndr-team" } + +locals { + is_sandbox = !contains(["ndr-dev", "ndr-test", "pre-prod", "prod"], terraform.workspace) + is_production = contains(["pre-prod", "prod"], terraform.workspace) + + is_sandbox_or_dev = !contains(["ndr-test", "pre-prod", "prod"], terraform.workspace) + is_development = terraform.workspace == "ndr-dev" + is_testing = terraform.workspace == "ndr-test" + is_pre_production = terraform.workspace == "pre-prod" + is_prod = terraform.workspace == "prod" +} \ No newline at end of file From 0f6ae64ff639840509ce423c7968ba12ab2ecc26 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 12 Dec 2025 12:08:13 +0000 Subject: [PATCH 10/48] [ndr-297] linting --- .github/workflows/deploy-sandbox.yml | 5 ++--- pre_core/dev.tfvars | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 52565c774..c3cccb740 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
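Review bot: The new `is_sandbox` and `is_sandbox_or_dev` locals classify by exclusion, so any workspace not in the four-name list — including the `default` workspace and a mistyped environment name — is treated as a sandbox and receives the sandbox IAM resources gated on `local.is_sandbox_or_dev`. Failing closed is safer: recognise sandboxes by an explicit rule, e.g. `is_sandbox = can(regex("^<sandbox-prefix>", terraform.workspace))` with the real naming convention substituted, and back it with a `check` block or resource `precondition` that rejects a workspace matching neither the known environments nor that rule. The commented-out `variable "aws_account_id"` block should be deleted rather than kept as dead text, since the provider hunk in this commit no longer consumes it. The `variable "region"` block at the top begins outside this hunk.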
@@ -72,15 +72,14 @@ jobs: - name: Select Terraform Workspace id: pre_core_workspace - run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} + run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name }} working-directory: ./pre_core shell: bash - name: Run Terraform Plan id: pre_core_plan run: | - # TODO: ADD CORRECT VAR-FILE HERE - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-pre_core.plan + terraform plan -input=false -no-color -var-file="${{ vars.TF_VARS_FILE }}" -out tf-pre_core.plan working-directory: ./pre_core shell: bash diff --git a/pre_core/dev.tfvars b/pre_core/dev.tfvars index fafe1970e..c5090654d 100644 --- a/pre_core/dev.tfvars +++ b/pre_core/dev.tfvars @@ -1,2 +1,2 @@ -environment = "dev" -owner = "nhse/ndr-team" \ No newline at end of file +environment = "dev" +owner = "nhse/ndr-team" \ No newline at end of file From 56b1c0ddff3f9a9c8b470be7b121eed94473a5f8 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 12 Dec 2025 13:26:12 +0000 Subject: [PATCH 11/48] [ndr-297] refactoring of script --- pre_core/Makefile | 7 ++++--- pre_core/main.tf | 1 + pre_core/policy_tool.py | 6 +++--- pre_core/providers.tf | 6 +++--- 4 files changed, 11 insertions(+), 9 deletions(-) create mode 100644 pre_core/main.tf diff --git a/pre_core/Makefile b/pre_core/Makefile index 191acb85b..1021bdd4a 100644 --- a/pre_core/Makefile +++ b/pre_core/Makefile @@ -26,10 +26,11 @@ tf-format: init: # terraform init -var aws_account_id=${aws_account_id} - terraform init -backend-config=backend.conf +# terraform init -backend-config=backend.conf + terraform init -plan: guard-env guard-workspace - terraform workspace select -or-create ${workspace} +plan: guard-env +# terraform workspace select -or-create ${workspace} terraform plan -out=tfplan -var environment=${env} apply: guard-workspace diff --git a/pre_core/main.tf b/pre_core/main.tf new file mode 100644 index 000000000..8fc4b38cc --- /dev/null 
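Review bot: `plan` no longer runs `terraform workspace select`, so it plans against whatever workspace the local `.terraform` directory last selected, and under the new locals an unselected or `default` workspace is classified as a sandbox; `apply` on the next line still lists `guard-workspace`, so the two targets now disagree about whether `workspace` is required. Either keep `plan: guard-env guard-workspace` together with the select line, or add a comment stating that the operator is expected to select the workspace by hand before `make plan`. The `init` target now runs a bare `terraform init`; with the `s3` backend enabled in `terraform.tf` without a `bucket`, init presumably needs `-backend-config` (the workflow passes one), in which case the commented line should be restored rather than kept as a comment. Delete the commented-out recipe lines instead of leaving them; the `apply` recipe itself lies outside this hunk.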
+++ b/pre_core/main.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/pre_core/policy_tool.py b/pre_core/policy_tool.py index 3283647e1..6f65ab812 100644 --- a/pre_core/policy_tool.py +++ b/pre_core/policy_tool.py @@ -34,10 +34,10 @@ def run_command(command): def import_resources(aws_account_id, env, role_name, policy_names): - run_command(f'terraform import -var environment={env} -var aws_account_id={aws_account_id} aws_iam_role.github_role_{env}[0] {role_name}') + run_command(f'terraform import -var environment={env} aws_iam_role.github_role_{env}[0] {role_name} ') for policy_name in policy_names: resource_name = policy_name.replace("-", "_") - run_command(f'terraform import -var environment={env} -var aws_account_id={aws_account_id} aws_iam_policy.{resource_name}_{env}[0] arn:aws:iam::{aws_account_id}:policy/{policy_name}') + run_command(f'terraform import -var environment={env} aws_iam_policy.{resource_name}_{env}[0] arn:aws:iam::{aws_account_id}:policy/{policy_name}') def tidy_resource_file(aws_account_id, env, source): @@ -59,7 +59,7 @@ def tidy_resource_file(aws_account_id, env, source): output.append(f' count = var.environment == "{env}" ? 1 : 0') continue - output.append(line.replace(aws_account_id, "${data.aws_caller_identity.current.account_id}")) + output.append(line.replace(aws_account_id, "${var.aws_account_id}")) return "\n".join(output) diff --git a/pre_core/providers.tf b/pre_core/providers.tf index 008d9033c..632024e0d 100644 --- a/pre_core/providers.tf +++ b/pre_core/providers.tf @@ -1,8 +1,8 @@ provider "aws" { region = var.region - allowed_account_ids = [ - data.aws_caller_identity.current.account_id, - ] + # allowed_account_ids = [ + # data.aws_caller_identity.current.account_id, + # ] default_tags { tags = { Owner = var.owner From 38c12cb1605ceeaa03ff7165034149399d5b830d Mon Sep 17 00:00:00 2001 
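Review bot: `import_resources` still assembles each `terraform import` invocation as one f-string with `env`, `role_name`, `aws_account_id` and `policy_name` interpolated unquoted, so a value containing whitespace or shell metacharacters alters the command rather than arriving as an argument; `run_command` is defined above this hunk and not visible here, but if it hands the string to a shell this is the usual injection shape. Pass an argv list instead, e.g. `run_command(["terraform", "import", "-var", f"environment={env}", f"aws_iam_role.github_role_{env}[0]", role_name])`, and have `run_command` call `subprocess.run(..., shell=False, check=True)`. The new role line also ends with a stray space inside the quotes (`{role_name} '`), which is harmless only if `run_command` shell-splits or strips it. The `tidy_resource_file` definition at the bottom is cut off by the hunk.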
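Review bot: The generator now emits `${var.aws_account_id}`, but patch 01 in this series comments out `variable "aws_account_id"` and moves the provider and the hand-edited policies to `data.aws_caller_identity.current.account_id`, so a freshly generated `iam_github_<env>.tf` would reference an undeclared variable and fail `terraform validate`. Choose one source for the account id and use it in both the generator and the checked-in files; if the variable is coming back, restore its declaration in `variables.tf` in the same commit. Separately, `line.replace(aws_account_id, ...)` substitutes every occurrence of the 12-digit string, including one that happens to sit inside a longer number; a boundary-anchored `re.sub(rf"(?<!\d){re.escape(aws_account_id)}(?!\d)", "${var.aws_account_id}", line)` (with `import re` at the top) limits it to the account id itself. The rest of `tidy_resource_file` is outside this hunk.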
From: Tim Knight Date: Fri, 12 Dec 2025 13:38:03 +0000 Subject: [PATCH 12/48] [ndr-297] added apply stage to workflow --- .github/workflows/deploy-sandbox.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index c3cccb740..2fa0852c5 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -83,9 +83,9 @@ jobs: working-directory: ./pre_core shell: bash - # - name: Run Terraform Apply - # run: terraform apply -auto-approve -input=false tf-pre_core.plan - # working-directory: ./pre_core + - name: Run Terraform Apply + run: terraform apply -auto-approve -input=false tf-pre_core.plan + working-directory: ./pre_core ############################################ From 6648311388bbc1752563cb204fea57a7f1b11899 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Mon, 15 Dec 2025 13:50:21 +0000 Subject: [PATCH 13/48] [ndr-297] updated teardown for sandboxes --- .github/workflows/tear-down-sandbox.yml | 89 ++++++++++++++++++++++--- 1 file changed, 81 insertions(+), 8 deletions(-) diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index 70c7d44c7..36541ad14 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -77,15 +77,15 @@ jobs: with: ref: ${{ inputs.git_ref }} - - name: Setup Python 3.11 - uses: actions/setup-python@v6 - with: - python-version: 3.11 + # - name: Setup Python 3.11 + # uses: actions/setup-python@v6 + # with: + # python-version: 3.11 - - name: Install Python Dependencies - run: | - python3 -m venv ./venv - ./venv/bin/pip3 install --upgrade pip boto3 + # - name: Install Python Dependencies + # run: | + # python3 -m venv ./venv + # ./venv/bin/pip3 install --upgrade pip boto3 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 
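Review bot: The newly enabled `Run Terraform Apply` step lacks the `shell: bash` that the sibling plan and workspace-select steps carry, so the file is now inconsistent about which shell runs these commands; add `shell: bash` under `working-directory: ./pre_core`. Because this stack creates the IAM roles and policies GitHub Actions assumes, the job should run under a protected `environment:` with required reviewers or be restricted to the sandbox branch — the job header is outside this hunk, so whether that protection already exists cannot be confirmed here, and without it any `workflow_dispatch` caller applies IAM changes with no approval step.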
@@ -111,6 +111,79 @@ jobs:
 run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
 working-directory: ./infrastructure
+ terraform_destroy_pre_core:
+ name: Terraform Destroy (Pre-Core)
+ runs-on: ubuntu-latest
+ needs: [terraform_destroy]
+ environment: ${{ inputs.environment }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ inputs.git_ref }}
+
+ # - name: Setup Python 3.11
+ # uses: actions/setup-python@v6
+ # with:
+ # python-version: 3.11
+
+ # - name: Install Python Dependencies
+ # run: |
+ # python3 -m venv ./venv
+ # ./venv/bin/pip3 install --upgrade pip boto3
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v5
+ with:
+ role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+ aws-region: ${{ vars.AWS_REGION }}
+ mask-aws-account-id: true
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.13.3
+
+ - name: Initialise Terraform
+ run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
+ working-directory: ./pre_core
+
+ - name: Select Terraform Workspace
+ run: terraform workspace select ${{ inputs.sandbox_name }}
+ working-directory: ./pre_core
+
+ - name: Run Terraform Destroy
+ run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
+ working-directory: ./pre_core
+
+ cleanup_resources:
+ name: Cleanup Resources
+ runs-on: ubuntu-latest
+ needs: [terraform_destroy_pre_core]
+ environment: ${{ inputs.environment }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ inputs.git_ref }}
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v5
+ with:
+ role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+ aws-region: ${{ vars.AWS_REGION }}
+ mask-aws-account-id: true
+
+ - name: Setup Python 3.11
+ uses: actions/setup-python@v6
+ with:
+ python-version: 3.11
+
+ - name: Install Python Dependencies
+ run: |
+ python3 -m venv ./venv
+ ./venv/bin/pip3 install --upgrade pip boto3
+
 - name: Run Cleanup Script (Terraform Workspace)
 run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_name }}
From 393f68a7de5ed2e3d607cfc7cd47cf47da13c218 Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Mon, 15 Dec 2025 15:10:39 +0000
Subject: [PATCH 14/48] [ndr-297] testing full role
---
 .github/workflows/tear-down-sandbox.yml | 2 +
 pre_core/iam_github_dev.tf | 1806 +++++++++++------------
 2 files changed, 905 insertions(+), 903 deletions(-)
diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml
index 36541ad14..fecfd813b 100644
--- a/.github/workflows/tear-down-sandbox.yml
+++ b/.github/workflows/tear-down-sandbox.yml
@@ -113,6 +113,8 @@ jobs:
 terraform_destroy_pre_core:
 name: Terraform Destroy (Pre-Core)
+ # TODO: Should we allow 'test' to be destroyed?
+ # if: ${{ github.event.inputs.environment == 'development' }}
 runs-on: ubuntu-latest
 needs: [terraform_destroy]
 environment: ${{ inputs.environment }}
diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf
index 67154195a..48f14ad6d 100644
--- a/pre_core/iam_github_dev.tf
+++ b/pre_core/iam_github_dev.tf
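Review bot: `terraform_destroy_pre_core` destroys the pre_core stack, which in this series is where the GitHub Actions role and its policies are defined, while authenticating with `secrets.AWS_ASSUME_ROLE`; if that secret names the role managed in pre_core, the destroy removes the identity that the following `cleanup_resources` job then tries to assume, and that job fails to authenticate. Worth confirming that the teardown uses a role that is not itself a pre_core resource, or moving `cleanup_resources` ahead of the pre_core destroy. Separately, `${{ inputs.sandbox_name }}` is expanded straight into the `run:` line for `terraform workspace select`; mapping it through an environment variable (`env: SANDBOX: ${{ inputs.sandbox_name }}` with `run: terraform workspace select "$SANDBOX"`) keeps the input out of shell interpretation, which matters if the input is free text rather than a fixed choice list. The Python steps that are commented out in this job duplicate the live ones in `cleanup_resources` and can be dropped.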
@@ -1,923 +1,923 @@ -# # aws_iam_role.github_role_dev[0]: -# resource "aws_iam_role" "github_role_dev" { -# count = local.is_sandbox_or_dev ? 1 : 0 -# assume_role_policy = jsonencode( -# { -# Statement = [ -# { -# Action = "sts:AssumeRoleWithWebIdentity" -# Condition = { -# StringEquals = { -# "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" -# } -# StringLike = { -# "token.actions.githubusercontent.com:sub" = [ -# "repo:NHSDigital/national-document-repository-infrastructure:*", -# "repo:NHSDigital/national-document-repository:*", -# ] -# } -# } -# Effect = "Allow" -# Principal = { -# Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" -# } -# }, -# { -# Action = "sts:AssumeRole" -# Effect = "Allow" -# Principal = { -# AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" -# } -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# description = "This role is to provide access for GitHub actions to the development environment. 
" -# force_detach_policies = false -# managed_policy_arns = [ -# aws_iam_policy.config_policy_dev[0].arn, -# aws_iam_policy.ecr_github_access_policy_dev[0].arn, -# aws_iam_policy.github_actions_terraform_full_dev[0].arn, -# aws_iam_policy.github_mtls_gateway_dev[0].arn, -# aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, -# aws_iam_policy.lambda_github_access_policy_dev[0].arn, -# aws_iam_policy.repo_app_config_dev[0].arn, -# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, -# aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, -# "arn:aws:iam::aws:policy/ReadOnlyAccess", -# ] -# max_session_duration = 3600 -# name = "${terraform.workspace}-github-role" -# name_prefix = null -# path = "/" -# permissions_boundary = null -# tags = {} -# tags_all = {} +# aws_iam_role.github_role_dev[0]: +resource "aws_iam_role" "github_role_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + assume_role_policy = jsonencode( + { + Statement = [ + { + Action = "sts:AssumeRoleWithWebIdentity" + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + } + StringLike = { + "token.actions.githubusercontent.com:sub" = [ + "repo:NHSDigital/national-document-repository-infrastructure:*", + "repo:NHSDigital/national-document-repository:*", + ] + } + } + Effect = "Allow" + Principal = { + Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" + } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" + } + }, + ] + Version = "2012-10-17" + } + ) + description = "This role is to provide access for GitHub actions to the development environment. 
" + force_detach_policies = false + managed_policy_arns = [ + aws_iam_policy.config_policy_dev[0].arn, + aws_iam_policy.ecr_github_access_policy_dev[0].arn, + aws_iam_policy.github_actions_terraform_full_dev[0].arn, + aws_iam_policy.github_mtls_gateway_dev[0].arn, + aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, + aws_iam_policy.lambda_github_access_policy_dev[0].arn, + aws_iam_policy.repo_app_config_dev[0].arn, + aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, + aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, + "arn:aws:iam::aws:policy/ReadOnlyAccess", + ] + max_session_duration = 3600 + name = "${terraform.workspace}-github-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} + tags_all = {} -# inline_policy { -# name = "cloudtrail" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "cloudtrail:AddTags", -# "cloudtrail:CreateTrail", -# "cloudtrail:StartLogging", -# "cloudtrail:DeleteTrail", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", -# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", -# "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", -# ] -# Sid = "VisualEditor0" -# }, -# { -# Action = "organizations:ListAWSServiceAccessForOrganization" -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor1" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "cloudwatch_logs_policy" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "logs:DescribeLogGroups", -# "logs:CreateLogGroup", -# "logs:CreateLogStream", -# "logs:PutLogEvents", -# "logs:PutRetentionPolicy", -# "logs:PutResourcePolicy", -# "logs:DeleteResourcePolicy", -# "logs:DeleteRetentionPolicy", -# "logs:TagResource", -# "logs:UntagResource", -# "logs:AssociateKmsKey", -# "logs:DisassociateKmsKey", -# ] -# 
Effect = "Allow" -# Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" -# Sid = "Statement1" -# }, -# { -# Action = [ -# "logs:PutDeliverySource", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", -# ] -# Sid = "Statement2" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "ecs_policy" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "ecs:UpdateCluster", -# "ecs:PutClusterCapacityProviders", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "github-actions-waf-override" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = "apigateway:SetWebACL" -# Effect = "Allow" -# Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "lambda_layer_policy" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "lambda:GetLayerVersion", -# "lambda:PublishLayerVersion", -# "lambda:DeleteLayerVersion", -# "lambda:ListLayerVersions", -# "lambda:ListLayers", -# "lambda:AddLayerVersionPermission", -# "lambda:GetLayerVersionPolicy", -# "lambda:RemoveLayerVersionPermission", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "rum_policy" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "cognito-identity:SetIdentityPoolRoles", -# "cognito-identity:CreateIdentityPool", -# "cognito-identity:DeleteIdentityPool", -# "cognito-identity:UpdateIdentityPool", -# ] -# Effect = "Allow" -# Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" -# Sid = "VisualEditor0" -# }, -# { -# Action = [ -# "rum:TagResource", -# "rum:UntagResource", -# 
"rum:ListTagsForResource", -# "iam:PassRole", -# "rum:UpdateAppMonitor", -# "rum:GetAppMonitor", -# "rum:CreateAppMonitor", -# "rum:DeleteAppMonitor", -# ] -# Effect = "Allow" -# Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" -# Sid = "VisualEditor1" -# }, -# { -# Action = [ -# "logs:DeleteLogGroup", -# "logs:DeleteResourcePolicy", -# "logs:DescribeLogGroups", -# ] -# Effect = "Allow" -# Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" -# Sid = "VisualEditor2" -# }, -# { -# Action = [ -# "logs:CreateLogDelivery", -# "logs:GetLogDelivery", -# "logs:UpdateLogDelivery", -# "logs:DeleteLogDelivery", -# "logs:ListLogDeliveries", -# "logs:DescribeResourcePolicies", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor3" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# inline_policy { -# name = "step-functions" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "states:DescribeStateMachine", -# "states:UpdateStateMachine", -# "states:DeleteStateMachine", -# "states:CreateStateMachine", -# "states:TagResource", -# "states:UntagResource", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# } -# } + inline_policy { + name = "cloudtrail" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:StartLogging", + "cloudtrail:DeleteTrail", + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", + ] + Sid = "VisualEditor0" + }, + { + Action = "organizations:ListAWSServiceAccessForOrganization" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor1" + 
}, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" + Sid = "Statement1" + }, + { + Action = [ + "logs:PutDeliverySource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", + ] + Sid = "Statement2" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "github-actions-waf-override" + policy = jsonencode( + { + Statement = [ + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "lambda_layer_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + 
"cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) + } + inline_policy { + name = "step-functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + } +} -# # aws_iam_policy.config_policy_dev[0]: -# resource "aws_iam_policy" "config_policy_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = null -# name = "${terraform.workspace}-config-policy" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "config:DeleteDeliveryChannel", -# "config:PutConfigurationRecorder", -# "config:StopConfigurationRecorder", -# "config:StartConfigurationRecorder", -# "config:PutDeliveryChannel", -# "config:DeleteConfigurationRecorder", -# "config:DescribeConfigurationRecorderStatus", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.config_policy_dev[0]: +resource "aws_iam_policy" "config_policy_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + description = null + name = "${terraform.workspace}-config-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "config:DeleteDeliveryChannel", + "config:PutConfigurationRecorder", + "config:StopConfigurationRecorder", + "config:StartConfigurationRecorder", + "config:PutDeliveryChannel", + "config:DeleteConfigurationRecorder", + "config:DescribeConfigurationRecorderStatus", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.ecr_github_access_policy_dev[0]: -# resource "aws_iam_policy" "ecr_github_access_policy_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = null -# name = "${terraform.workspace}-ecr-github-access-policy" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "ecr:GetDownloadUrlForLayer", -# "ecr:BatchGetImage", -# "ecr:CompleteLayerUpload", -# "ecr:UploadLayerPart", -# "ecr:InitiateLayerUpload", -# "ecr:BatchCheckLayerAvailability", -# "ecr:PutImage", -# ] -# Effect = "Allow" -# Resource = "arn:aws:ecr:eu-west-2:*:repository/*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.ecr_github_access_policy_dev[0]: +resource "aws_iam_policy" "ecr_github_access_policy_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + description = null + name = "${terraform.workspace}-ecr-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + ] + Effect = "Allow" + Resource = "arn:aws:ecr:eu-west-2:*:repository/*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.github_actions_terraform_full_dev[0]: -# resource "aws_iam_policy" "github_actions_terraform_full_dev" { -# count = local.is_sandbox_or_dev ? 1 : 0 -# description = "All permissions required for Terraform to do its thing." 
-# name = "${terraform.workspace}-github_actions_terraform_full" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "ec2:AuthorizeSecurityGroupIngress", -# "ec2:DeleteVpcEndpoints", -# "ec2:AttachInternetGateway", -# "iam:PutRolePolicy", -# "ecr:DeleteRepository", -# "scheduler:DeleteSchedule", -# "ec2:CreateRoute", -# "cloudwatch:ListTagsForResource", -# "ecr:TagResource", -# "dynamodb:DescribeContinuousBackups", -# "events:RemoveTargets", -# "lambda:DeleteFunction", -# "iam:ListRolePolicies", -# "ecs:TagResource", -# "ecr:GetLifecyclePolicy", -# "iam:GetRole", -# "dynamodb:BatchWriteItem", -# "elasticloadbalancing:CreateTargetGroup", -# "ecr:GetAuthorizationToken", -# "application-autoscaling:DeleteScalingPolicy", -# "kms:RetireGrant", -# "elasticloadbalancing:AddTags", -# "ec2:DeleteNatGateway", -# "lambda:PublishVersion", -# "apigateway:POST", -# "lambda:DeleteEventSourceMapping", -# "elasticloadbalancing:ModifyLoadBalancerAttributes", -# "dynamodb:UpdateTable", -# "ec2:ModifyVpcEndpoint", -# "logs:ListTagsLogGroup", -# "kms:PutKeyPolicy", -# "events:PutRule", -# "ec2:CreateVpc", -# "dynamodb:ListTagsOfResource", -# "iam:PassRole", -# "logs:DeleteMetricFilter", -# "sqs:createqueue", -# "iam:DeleteRolePolicy", -# "application-autoscaling:TagResource", -# "ec2:ReleaseAddress", -# "lambda:UpdateEventSourceMapping", -# "elasticloadbalancing:CreateLoadBalancer", -# "apigateway:PUT", -# "route53:ListTagsForResource", -# "ec2:DescribeSecurityGroups", -# "iam:CreatePolicy", -# "sqs:TagQueue", -# "iam:CreateServiceLinkedRole", -# "kms:CreateAlias", -# "elasticloadbalancing:DescribeTargetGroups", -# "route53:AssociateVPCWithHostedZone", -# "elasticloadbalancing:DeleteListener", -# "iam:UpdateAssumeRolePolicy", -# "iam:GetPolicyVersion", -# "wafv2:AssociateWebACL", -# "ec2:DeleteSubnet", -# "elasticloadbalancing:SetWebACL", -# "ecs:UpdateService", -# "elasticloadbalancing:DescribeLoadBalancers", -# 
"ssm:DeleteParameter", -# "cloudfront:*", -# "kms:GetKeyRotationStatus", -# "dynamodb:DescribeTable", -# "ssm:AddTagsToResource", -# "ecs:RegisterTaskDefinition", -# "route53:ListResourceRecordSets", -# "ecr:CreateRepository", -# "ecs:DeleteService", -# "application-autoscaling:UntagResource", -# "ec2:DescribePrefixLists", -# "backup:CreateBackupVault", -# "backup:UpdateBackupPlan", -# "sqs:DeleteQueue", -# "ec2:DeleteVpc", -# "kms:DeleteAlias", -# "sns:DeleteTopic", -# "wafv2:DeleteWebACL", -# "dynamodb:DeleteItem", -# "iam:DeletePolicy", -# "sns:SetTopicAttributes", -# "ses:VerifyDomainDkim", -# "lambda:PutFunctionConcurrency", -# "dynamodb:UpdateContinuousBackups", -# "ecs:CreateService", -# "elasticloadbalancing:CreateListener", -# "kms:ScheduleKeyDeletion", -# "ecr:DescribeRepositories", -# "ecs:DescribeServices", -# "iam:CreatePolicyVersion", -# "ecs:UntagResource", -# "sqs:ListQueues", -# "wafv2:UpdateWebACL", -# "dynamodb:DescribeTimeToLive", -# "kms:UpdateAlias", -# "backup:GetBackupSelection", -# "kms:ListKeys", -# "events:PutTargets", -# "lambda:AddPermission", -# "ecr:SetRepositoryPolicy", -# "ec2:DeleteSecurityGroup", -# "application-autoscaling:DeregisterScalableTarget", -# "backup:DeleteBackupPlan", -# "ses:SetIdentityMailFromDomain", -# "lambda:CreateFunction", -# "sqs:DeleteMessage", -# "elasticloadbalancing:ModifyListener", -# "cloudwatch:DeleteAlarms", -# "secretsmanager:DeleteSecret", -# "wafv2:CreateRegexPatternSet", -# "wafv2:CreateWebACL", -# "dynamodb:DeleteTable", -# "ecs:DescribeTaskDefinition", -# "ec2:DeleteRouteTable", -# "ec2:CreateInternetGateway", -# "ec2:RevokeSecurityGroupEgress", -# "sns:Subscribe", -# "ec2:DeleteInternetGateway", -# "wafv2:TagResource", -# "dynamodb:UpdateTimeToLive", -# "iam:GetPolicy", -# "ec2:CreateTags", -# "sns:CreateTopic", -# "ecs:DeleteCluster", -# "iam:UpdateRoleDescription", -# "iam:DeleteRole", -# "ec2:DisassociateRouteTable", -# "backup:GetBackupPlan", -# "wafv2:DeleteRegexPatternSet", -# 
"dynamodb:CreateTable", -# "ec2:RevokeSecurityGroupIngress", -# "lambda:UpdateFunctionCode", -# "ec2:CreateDefaultVpc", -# "ec2:CreateSubnet", -# "ec2:DescribeSubnets", -# "iam:GetRolePolicy", -# "sqs:setqueueattributes", -# "ec2:DisassociateAddress", -# "kms:UntagResource", -# "ec2:CreateNatGateway", -# "kms:ListResourceTags", -# "ecr:ListTagsForResource", -# "ses:VerifyDomainIdentity", -# "ecs:DeregisterTaskDefinition", -# "apigateway:DELETE", -# "apigateway:SetWebACL", -# "backup:CreateBackupSelection", -# "scheduler:UpdateSchedule", -# "ec2:DescribeAvailabilityZones", -# "kms:CreateKey", -# "kms:EnableKeyRotation", -# "ecr:PutLifecyclePolicy", -# "s3:*", -# "kms:GetKeyPolicy", -# "route53:ListHostedZones", -# "backup:DeleteBackupVault", -# "lambda:UpdateFunctionConfiguration", -# "elasticloadbalancing:DeleteTargetGroup", -# "events:DeleteRule", -# "backup:DescribeBackupVault", -# "ec2:DescribeVpcs", -# "kms:ListAliases", -# "backup:CreateBackupPlan", -# "ses:DeleteIdentity", -# "lambda:RemovePermission", -# "backup:ListTags", -# "route53:GetHostedZone", -# "sns:Unsubscribe", -# "iam:CreateRole", -# "iam:AttachRolePolicy", -# "lambda:EnableReplication", -# "ec2:AssociateRouteTable", -# "elasticloadbalancing:DeleteLoadBalancer", -# "ec2:DescribeInternetGateways", -# "backup:DeleteBackupSelection", -# "iam:DetachRolePolicy", -# "cloudwatch:UntagResource", -# "iam:ListAttachedRolePolicies", -# "dynamodb:GetItem", -# "elasticloadbalancing:ModifyTargetGroupAttributes", -# "ec2:DescribeRouteTables", -# "application-autoscaling:RegisterScalableTarget", -# "dynamodb:PutItem", -# "ecs:CreateCluster", -# "route53:ChangeResourceRecordSets", -# "ec2:CreateRouteTable", -# "ec2:DetachInternetGateway", -# "ecr:DeleteLifecyclePolicy", -# "logs:CreateLogGroup", -# "backup-storage:MountCapsule", -# "ecs:DescribeClusters", -# "ssm:PutParameter", -# "elasticloadbalancing:DescribeLoadBalancerAttributes", -# "logs:CreateLogDelivery", -# "logs:PutMetricFilter", -# 
"elasticloadbalancing:DescribeTargetGroupAttributes", -# "ec2:DescribeSecurityGroupRules", -# "application-autoscaling:PutScalingPolicy", -# "ec2:DescribeVpcEndpoints", -# "route53:GetChange", -# "ec2:DeleteTags", -# "lambda:GetLayerVersion", -# "lambda:CreateEventSourceMapping", -# "kms:TagResource", -# "elasticloadbalancing:DescribeListeners", -# "dynamodb:TagResource", -# "ec2:CreateSecurityGroup", -# "apigateway:PATCH", -# "kms:DescribeKey", -# "application-autoscaling:ListTagsForResource", -# "ec2:ModifyVpcAttribute", -# "ecr:DeleteRepositoryPolicy", -# "ec2:AuthorizeSecurityGroupEgress", -# "elasticloadbalancing:ModifyListenerAttributes", -# "kms:UpdateKeyDescription", -# "logs:DescribeLogGroups", -# "logs:DeleteLogGroup", -# "elasticloadbalancing:DescribeTags", -# "ec2:DeleteRoute", -# "backup:DeleteRecoveryPoint", -# "ec2:AllocateAddress", -# "cloudwatch:PutMetricAlarm", -# "cloudwatch:TagResource", -# "ec2:CreateVpcEndpoint", -# "elasticloadbalancing:SetSecurityGroups", -# "scheduler:CreateSchedule", -# "logs:PutRetentionPolicy", -# "lambda:GetPolicy", -# "iam:DeletePolicyVersion", -# "ecr:GetRepositoryPolicy", -# "cognito-idp:*", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.github_actions_terraform_full_dev[0]: +resource "aws_iam_policy" "github_actions_terraform_full_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + description = "All permissions required for Terraform to do its thing." 
+ name = "${terraform.workspace}-github_actions_terraform_full" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteVpcEndpoints", + "ec2:AttachInternetGateway", + "iam:PutRolePolicy", + "ecr:DeleteRepository", + "scheduler:DeleteSchedule", + "ec2:CreateRoute", + "cloudwatch:ListTagsForResource", + "ecr:TagResource", + "dynamodb:DescribeContinuousBackups", + "events:RemoveTargets", + "lambda:DeleteFunction", + "iam:ListRolePolicies", + "ecs:TagResource", + "ecr:GetLifecyclePolicy", + "iam:GetRole", + "dynamodb:BatchWriteItem", + "elasticloadbalancing:CreateTargetGroup", + "ecr:GetAuthorizationToken", + "application-autoscaling:DeleteScalingPolicy", + "kms:RetireGrant", + "elasticloadbalancing:AddTags", + "ec2:DeleteNatGateway", + "lambda:PublishVersion", + "apigateway:POST", + "lambda:DeleteEventSourceMapping", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "dynamodb:UpdateTable", + "ec2:ModifyVpcEndpoint", + "logs:ListTagsLogGroup", + "kms:PutKeyPolicy", + "events:PutRule", + "ec2:CreateVpc", + "dynamodb:ListTagsOfResource", + "iam:PassRole", + "logs:DeleteMetricFilter", + "sqs:createqueue", + "iam:DeleteRolePolicy", + "application-autoscaling:TagResource", + "ec2:ReleaseAddress", + "lambda:UpdateEventSourceMapping", + "elasticloadbalancing:CreateLoadBalancer", + "apigateway:PUT", + "route53:ListTagsForResource", + "ec2:DescribeSecurityGroups", + "iam:CreatePolicy", + "sqs:TagQueue", + "iam:CreateServiceLinkedRole", + "kms:CreateAlias", + "elasticloadbalancing:DescribeTargetGroups", + "route53:AssociateVPCWithHostedZone", + "elasticloadbalancing:DeleteListener", + "iam:UpdateAssumeRolePolicy", + "iam:GetPolicyVersion", + "wafv2:AssociateWebACL", + "ec2:DeleteSubnet", + "elasticloadbalancing:SetWebACL", + "ecs:UpdateService", + "elasticloadbalancing:DescribeLoadBalancers", + "ssm:DeleteParameter", + "cloudfront:*", + "kms:GetKeyRotationStatus", + 
"dynamodb:DescribeTable", + "ssm:AddTagsToResource", + "ecs:RegisterTaskDefinition", + "route53:ListResourceRecordSets", + "ecr:CreateRepository", + "ecs:DeleteService", + "application-autoscaling:UntagResource", + "ec2:DescribePrefixLists", + "backup:CreateBackupVault", + "backup:UpdateBackupPlan", + "sqs:DeleteQueue", + "ec2:DeleteVpc", + "kms:DeleteAlias", + "sns:DeleteTopic", + "wafv2:DeleteWebACL", + "dynamodb:DeleteItem", + "iam:DeletePolicy", + "sns:SetTopicAttributes", + "ses:VerifyDomainDkim", + "lambda:PutFunctionConcurrency", + "dynamodb:UpdateContinuousBackups", + "ecs:CreateService", + "elasticloadbalancing:CreateListener", + "kms:ScheduleKeyDeletion", + "ecr:DescribeRepositories", + "ecs:DescribeServices", + "iam:CreatePolicyVersion", + "ecs:UntagResource", + "sqs:ListQueues", + "wafv2:UpdateWebACL", + "dynamodb:DescribeTimeToLive", + "kms:UpdateAlias", + "backup:GetBackupSelection", + "kms:ListKeys", + "events:PutTargets", + "lambda:AddPermission", + "ecr:SetRepositoryPolicy", + "ec2:DeleteSecurityGroup", + "application-autoscaling:DeregisterScalableTarget", + "backup:DeleteBackupPlan", + "ses:SetIdentityMailFromDomain", + "lambda:CreateFunction", + "sqs:DeleteMessage", + "elasticloadbalancing:ModifyListener", + "cloudwatch:DeleteAlarms", + "secretsmanager:DeleteSecret", + "wafv2:CreateRegexPatternSet", + "wafv2:CreateWebACL", + "dynamodb:DeleteTable", + "ecs:DescribeTaskDefinition", + "ec2:DeleteRouteTable", + "ec2:CreateInternetGateway", + "ec2:RevokeSecurityGroupEgress", + "sns:Subscribe", + "ec2:DeleteInternetGateway", + "wafv2:TagResource", + "dynamodb:UpdateTimeToLive", + "iam:GetPolicy", + "ec2:CreateTags", + "sns:CreateTopic", + "ecs:DeleteCluster", + "iam:UpdateRoleDescription", + "iam:DeleteRole", + "ec2:DisassociateRouteTable", + "backup:GetBackupPlan", + "wafv2:DeleteRegexPatternSet", + "dynamodb:CreateTable", + "ec2:RevokeSecurityGroupIngress", + "lambda:UpdateFunctionCode", + "ec2:CreateDefaultVpc", + "ec2:CreateSubnet", + 
"ec2:DescribeSubnets", + "iam:GetRolePolicy", + "sqs:setqueueattributes", + "ec2:DisassociateAddress", + "kms:UntagResource", + "ec2:CreateNatGateway", + "kms:ListResourceTags", + "ecr:ListTagsForResource", + "ses:VerifyDomainIdentity", + "ecs:DeregisterTaskDefinition", + "apigateway:DELETE", + "apigateway:SetWebACL", + "backup:CreateBackupSelection", + "scheduler:UpdateSchedule", + "ec2:DescribeAvailabilityZones", + "kms:CreateKey", + "kms:EnableKeyRotation", + "ecr:PutLifecyclePolicy", + "s3:*", + "kms:GetKeyPolicy", + "route53:ListHostedZones", + "backup:DeleteBackupVault", + "lambda:UpdateFunctionConfiguration", + "elasticloadbalancing:DeleteTargetGroup", + "events:DeleteRule", + "backup:DescribeBackupVault", + "ec2:DescribeVpcs", + "kms:ListAliases", + "backup:CreateBackupPlan", + "ses:DeleteIdentity", + "lambda:RemovePermission", + "backup:ListTags", + "route53:GetHostedZone", + "sns:Unsubscribe", + "iam:CreateRole", + "iam:AttachRolePolicy", + "lambda:EnableReplication", + "ec2:AssociateRouteTable", + "elasticloadbalancing:DeleteLoadBalancer", + "ec2:DescribeInternetGateways", + "backup:DeleteBackupSelection", + "iam:DetachRolePolicy", + "cloudwatch:UntagResource", + "iam:ListAttachedRolePolicies", + "dynamodb:GetItem", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "ec2:DescribeRouteTables", + "application-autoscaling:RegisterScalableTarget", + "dynamodb:PutItem", + "ecs:CreateCluster", + "route53:ChangeResourceRecordSets", + "ec2:CreateRouteTable", + "ec2:DetachInternetGateway", + "ecr:DeleteLifecyclePolicy", + "logs:CreateLogGroup", + "backup-storage:MountCapsule", + "ecs:DescribeClusters", + "ssm:PutParameter", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "ec2:DescribeSecurityGroupRules", + "application-autoscaling:PutScalingPolicy", + "ec2:DescribeVpcEndpoints", + "route53:GetChange", + "ec2:DeleteTags", + 
"lambda:GetLayerVersion", + "lambda:CreateEventSourceMapping", + "kms:TagResource", + "elasticloadbalancing:DescribeListeners", + "dynamodb:TagResource", + "ec2:CreateSecurityGroup", + "apigateway:PATCH", + "kms:DescribeKey", + "application-autoscaling:ListTagsForResource", + "ec2:ModifyVpcAttribute", + "ecr:DeleteRepositoryPolicy", + "ec2:AuthorizeSecurityGroupEgress", + "elasticloadbalancing:ModifyListenerAttributes", + "kms:UpdateKeyDescription", + "logs:DescribeLogGroups", + "logs:DeleteLogGroup", + "elasticloadbalancing:DescribeTags", + "ec2:DeleteRoute", + "backup:DeleteRecoveryPoint", + "ec2:AllocateAddress", + "cloudwatch:PutMetricAlarm", + "cloudwatch:TagResource", + "ec2:CreateVpcEndpoint", + "elasticloadbalancing:SetSecurityGroups", + "scheduler:CreateSchedule", + "logs:PutRetentionPolicy", + "lambda:GetPolicy", + "iam:DeletePolicyVersion", + "ecr:GetRepositoryPolicy", + "cognito-idp:*", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.github_mtls_gateway_dev[0]: -# resource "aws_iam_policy" "github_mtls_gateway_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = null -# name = "${terraform.workspace}-github_mtls_gateway" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "acm:RequestCertificate", -# "route53:ListHostedZones", -# "acm:ListCertificates", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# { -# Action = "apigateway:AddCertificateToDomain" -# Effect = "Allow" -# Resource = "arn:aws:apigateway:eu-west-2::/domainnames" -# Sid = "VisualEditor1" -# }, -# { -# Action = [ -# "acm:DeleteCertificate", -# "acm:DescribeCertificate", -# "acm:GetCertificate", -# "route53:GetHostedZone", -# "route53:ChangeResourceRecordSets", -# "apigateway:AddCertificateToDomain", -# "acm:AddTagsToCertificate", -# "apigateway:RemoveCertificateFromDomain", -# "acm:ListTagsForCertificate", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:apigateway:eu-west-2::/domainnames", -# "arn:aws:apigateway:eu-west-2::/domainnames/*", -# "arn:aws:route53:::hostedzone/*", -# "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", -# ] -# Sid = "VisualEditor2" -# }, -# { -# Action = [ -# "apigateway:AddCertificateToDomain", -# "apigateway:RemoveCertificateFromDomain", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:apigateway:eu-west-2::/domainnames/*", -# "arn:aws:apigateway:eu-west-2::/domainnames", -# ] -# Sid = "VisualEditor3" -# }, -# { -# Action = "apigateway:AddCertificateToDomain" -# Effect = "Allow" -# Resource = "arn:aws:apigateway:eu-west-2::/domainnames" -# Sid = "VisualEditor4" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.github_mtls_gateway_dev[0]: +resource "aws_iam_policy" "github_mtls_gateway_dev" { + count = local.is_sandbox_or_dev ? 
1 : 0 + description = null + name = "${terraform.workspace}-github_mtls_gateway" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.github_terraform_tagging_policy_dev[0]: -# resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = null -# name = "${terraform.workspace}-github_terraform_tagging_policy" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "sns:TagResource", -# "backup:TagResource", -# "resource-groups:GetGroupQuery", -# "lambda:TagResource", -# "resource-groups:UpdateGroup", -# "iam:UntagRole", -# "iam:TagRole", -# "resource-groups:GetTags", -# "sns:UntagResource", -# "resource-groups:Untag", -# "lambda:UntagResource", -# "elasticloadbalancing:RemoveTags", -# "cognito-identity:UntagResource", -# "resource-groups:GetGroup", -# "resource-groups:GetGroupConfiguration", -# "backup:UntagResource", -# "cognito-identity:TagResource", -# "resource-groups:Tag", -# "resource-groups:UpdateGroupQuery", -# "iam:TagPolicy", -# "resource-groups:DeleteGroup", -# "events:TagResource", -# "elasticloadbalancing:AddTags", -# "iam:UntagPolicy", -# "resource-groups:ListGroupResources", -# "events:UntagResource", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", -# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", -# "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", -# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", -# "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", -# "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", -# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", -# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", -# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", -# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", -# "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", -# 
"arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", -# "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", -# "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", -# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", -# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", -# ] -# Sid = "VisualEditor0" -# }, -# { -# Action = [ -# "events:TagResource", -# "elasticloadbalancing:RemoveTags", -# "elasticloadbalancing:AddTags", -# "events:UntagResource", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", -# 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", -# "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", -# "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", -# ] -# Sid = "VisualEditor1" -# }, -# { -# Action = [ -# "resource-groups:SearchResources", -# "resource-groups:CreateGroup", -# "resource-groups:ListGroups", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor2" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.github_terraform_tagging_policy_dev[0]: +resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { + count = local.is_sandbox_or_dev ? 
1 : 0 + description = null + name = "${terraform.workspace}-github_terraform_tagging_policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", + "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", + 
"arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.lambda_github_access_policy_dev[0]: -# resource "aws_iam_policy" "lambda_github_access_policy_dev" { -# count = local.is_sandbox_or_dev ? 1 : 0 -# description = "These permissions allow GitHub to push to a Lambda function." 
-# name = "${terraform.workspace}-lambda-github-access-policy" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "lambda:CreateFunction", -# "s3:PutObject", -# "lambda:UpdateFunctionCode", -# "kms:TagResource", -# "kms:UntagResource", -# "kms:Encrypt", -# "kms:Decrypt", -# "lambda:InvokeFunction", -# "lambda:GetFunction", -# "lambda:UpdateFunctionConfiguration", -# "lambda:GetFunctionConfiguration", -# "lambda:DeleteFunctionConcurrency", -# "kms:CreateGrant", -# ] -# Effect = "Allow" -# Resource = [ -# "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", -# "arn:aws:lambda:eu-west-2:*:function:*", -# ] -# Sid = "VisualEditor0" -# }, -# { -# Action = "iam:ListRoles" -# Effect = "Allow" -# Resource = "arn:aws:lambda:eu-west-2:*:function:*" -# Sid = "VisualEditor1" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.lambda_github_access_policy_dev[0]: +resource "aws_iam_policy" "lambda_github_access_policy_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + description = "These permissions allow GitHub to push to a Lambda function." 
+ name = "${terraform.workspace}-lambda-github-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "s3:PutObject", + "lambda:UpdateFunctionCode", + "kms:TagResource", + "kms:UntagResource", + "kms:Encrypt", + "kms:Decrypt", + "lambda:InvokeFunction", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:GetFunctionConfiguration", + "lambda:DeleteFunctionConcurrency", + "kms:CreateGrant", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + { + Action = "iam:ListRoles" + Effect = "Allow" + Resource = "arn:aws:lambda:eu-west-2:*:function:*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.repo_app_config_dev[0]: -# resource "aws_iam_policy" "repo_app_config_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = null -# name = "${terraform.workspace}-repo_app_config" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "appconfig:ListTagsForResource", -# "appconfig:StartDeployment", -# "appconfig:DeleteApplication", -# "appconfig:GetLatestConfiguration", -# "appconfig:TagResource", -# "appconfig:CreateConfigurationProfile", -# "appconfig:CreateExtensionAssociation", -# "appconfig:DeleteConfigurationProfile", -# "appconfig:CreateDeploymentStrategy", -# "appconfig:CreateApplication", -# "appconfig:GetDeploymentStrategy", -# "appconfig:GetHostedConfigurationVersion", -# "appconfig:ListExtensionAssociations", -# "appconfig:ListDeploymentStrategies", -# "appconfig:CreateHostedConfigurationVersion", -# "appconfig:DeleteEnvironment", -# "appconfig:UntagResource", -# "appconfig:ListHostedConfigurationVersions", -# "appconfig:ListEnvironments", -# "appconfig:UpdateDeploymentStrategy", -# "appconfig:GetExtensionAssociation", -# "appconfig:GetExtension", -# "appconfig:ListDeployments", -# "appconfig:GetDeployment", -# "appconfig:ListExtensions", -# "appconfig:DeleteHostedConfigurationVersion", -# "appconfig:StopDeployment", -# "appconfig:CreateEnvironment", -# "appconfig:UpdateEnvironment", -# "appconfig:GetEnvironment", -# "appconfig:ListConfigurationProfiles", -# "appconfig:DeleteDeploymentStrategy", -# "appconfig:ListApplications", -# "appconfig:UpdateApplication", -# "appconfig:CreateExtension", -# "appconfig:GetConfiguration", -# "appconfig:GetApplication", -# "appconfig:UpdateConfigurationProfile", -# "appconfig:GetConfigurationProfile", -# ] -# Effect = "Allow" -# Resource = "*" -# Sid = "VisualEditor0" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.repo_app_config_dev[0]: +resource "aws_iam_policy" "repo_app_config_dev" { + count = local.is_sandbox_or_dev ? 
1 : 0 + description = null + name = "${terraform.workspace}-repo_app_config" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "appconfig:ListTagsForResource", + "appconfig:StartDeployment", + "appconfig:DeleteApplication", + "appconfig:GetLatestConfiguration", + "appconfig:TagResource", + "appconfig:CreateConfigurationProfile", + "appconfig:CreateExtensionAssociation", + "appconfig:DeleteConfigurationProfile", + "appconfig:CreateDeploymentStrategy", + "appconfig:CreateApplication", + "appconfig:GetDeploymentStrategy", + "appconfig:GetHostedConfigurationVersion", + "appconfig:ListExtensionAssociations", + "appconfig:ListDeploymentStrategies", + "appconfig:CreateHostedConfigurationVersion", + "appconfig:DeleteEnvironment", + "appconfig:UntagResource", + "appconfig:ListHostedConfigurationVersions", + "appconfig:ListEnvironments", + "appconfig:UpdateDeploymentStrategy", + "appconfig:GetExtensionAssociation", + "appconfig:GetExtension", + "appconfig:ListDeployments", + "appconfig:GetDeployment", + "appconfig:ListExtensions", + "appconfig:DeleteHostedConfigurationVersion", + "appconfig:StopDeployment", + "appconfig:CreateEnvironment", + "appconfig:UpdateEnvironment", + "appconfig:GetEnvironment", + "appconfig:ListConfigurationProfiles", + "appconfig:DeleteDeploymentStrategy", + "appconfig:ListApplications", + "appconfig:UpdateApplication", + "appconfig:CreateExtension", + "appconfig:GetConfiguration", + "appconfig:GetApplication", + "appconfig:UpdateConfigurationProfile", + "appconfig:GetConfigurationProfile", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} -# # aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: -# resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { -# count = local.is_sandbox_or_dev ? 
1 : 0 -# description = "Dynamo DB specific access policies required by terraform via GitHub" -# name = "${terraform.workspace}-terraform-github-dynamodb-access-policy" -# name_prefix = null -# path = "/" -# policy = jsonencode( -# { -# Statement = [ -# { -# Action = [ -# "dynamodb:DescribeTable", -# "dynamodb:GetItem", -# "dynamodb:PutItem", -# "dynamodb:DeleteItem", -# "dynamodb:UpdateTimeToLive", -# ] -# Effect = "Allow" -# Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" -# }, -# ] -# Version = "2012-10-17" -# } -# ) -# tags = {} -# tags_all = {} -# } +# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: +resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { + count = local.is_sandbox_or_dev ? 1 : 0 + description = "Dynamo DB specific access policies required by terraform via GitHub" + name = "${terraform.workspace}-terraform-github-dynamodb-access-policy" + name_prefix = null + path = "/" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + "dynamodb:UpdateTimeToLive", + ] + Effect = "Allow" + Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + }, + ] + Version = "2012-10-17" + } + ) + tags = {} + tags_all = {} +} # aws_iam_policy.terraform_github_s3_access_policy_dev[0]: From 4fce7881c5622d055535b14a4c39e2b7b78602bc Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 16 Dec 2025 14:50:05 +0000 Subject: [PATCH 15/48] [odin-297] condensing to fewer policies --- .github/workflows/deploy-sandbox.yml | 3 +- .github/workflows/tear-down-sandbox.yml | 2 +- pre_core/iam_github_dev.tf | 224 +++++++----------------- 3 files changed, 61 insertions(+), 168 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 2fa0852c5..8782c2946 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
@@ -57,7 +57,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: @@ -148,7 +147,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule role-skip-session-tagging: true aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index fecfd813b..a3e9a5c6a 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -90,7 +90,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 48f14ad6d..278df963e 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf 
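Review bot: The `# TODO: Needs to be new rule` added to `role-to-assume` in the second deploy-sandbox.yml hunk and again in tear-down-sandbox.yml records that `secrets.AWS_ASSUME_ROLE` still names the role this same commit renames in iam_github_dev.tf, so the sandbox workflows presumably cannot assume the role until that secret is updated, and the TODO gives the next reader neither the ticket nor the required action. Replace it with one that does, e.g. `# TODO(ndr-297): point AWS_ASSUME_ROLE at the renamed ${terraform.workspace}-github-actions-role ARN`. `rule` also reads as a typo for `role`.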
@@ -36,19 +36,20 @@ resource "aws_iam_role" "github_role_dev" {
   description = "This role is to provide access for GitHub actions to the development environment. "
   force_detach_policies = false
   managed_policy_arns = [
-    aws_iam_policy.config_policy_dev[0].arn,
-    aws_iam_policy.ecr_github_access_policy_dev[0].arn,
-    aws_iam_policy.github_actions_terraform_full_dev[0].arn,
-    aws_iam_policy.github_mtls_gateway_dev[0].arn,
-    aws_iam_policy.github_terraform_tagging_policy_dev[0].arn,
-    aws_iam_policy.lambda_github_access_policy_dev[0].arn,
-    aws_iam_policy.repo_app_config_dev[0].arn,
-    aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn,
-    aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn,
+    # aws_iam_policy.config_policy_dev[0].arn,
+    # aws_iam_policy.ecr_github_access_policy_dev[0].arn,
+    # aws_iam_policy.github_actions_terraform_full_dev[0].arn,
+    # aws_iam_policy.github_mtls_gateway_dev[0].arn,
+    # aws_iam_policy.github_terraform_tagging_policy_dev[0].arn,
+    # aws_iam_policy.lambda_github_access_policy_dev[0].arn,
+    # aws_iam_policy.repo_app_config_dev[0].arn,
+    # aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn,
+    # aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn,
+    aws_iam_policy.github_actions_extended[0].arn,
     "arn:aws:iam::aws:policy/ReadOnlyAccess",
   ]
   max_session_duration = 3600
-  name = "${terraform.workspace}-github-role"
+  name = "${terraform.workspace}-github-actions-role"
   name_prefix = null
   path = "/"
   permissions_boundary = null
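Review bot: The nine commented-out entries in `managed_policy_arns` should be deleted rather than kept, because a half-commented attachment list obscures which policies the role actually carries and is one uncomment away from re-granting them; after this hunk the role holds only `github_actions_extended` and `ReadOnlyAccess`, so the terraform-full permissions are dropped here. Changing `name` to `${terraform.workspace}-github-actions-role` forces replacement of `aws_iam_role.github_role_dev` and gives it a new ARN, so anything bound to the old name (the `AWS_ASSUME_ROLE` secret flagged TODO in the workflow hunks) has to move in lockstep, which is worth stating in the commit description. If the AWS provider in use is 5.x or later, `managed_policy_arns` is also deprecated in favour of `aws_iam_role_policy_attachment` resources, which would make each attachment an independently reviewable change.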
@@ -269,72 +270,6 @@ resource "aws_iam_role" "github_role_dev" {
 }
 
 
-# aws_iam_policy.config_policy_dev[0]:
-resource "aws_iam_policy" "config_policy_dev" {
-  count = local.is_sandbox_or_dev ? 1 : 0
-  description = null
-  name = "${terraform.workspace}-config-policy"
-  name_prefix = null
-  path = "/"
-  policy = jsonencode(
-    {
-      Statement = [
-        {
-          Action = [
-            "config:DeleteDeliveryChannel",
-            "config:PutConfigurationRecorder",
-            "config:StopConfigurationRecorder",
-            "config:StartConfigurationRecorder",
-            "config:PutDeliveryChannel",
-            "config:DeleteConfigurationRecorder",
-            "config:DescribeConfigurationRecorderStatus",
-          ]
-          Effect = "Allow"
-          Resource = "*"
-          Sid = "VisualEditor0"
-        },
-      ]
-      Version = "2012-10-17"
-    }
-  )
-  tags = {}
-  tags_all = {}
-}
-
-
-# aws_iam_policy.ecr_github_access_policy_dev[0]:
-resource "aws_iam_policy" "ecr_github_access_policy_dev" {
-  count = local.is_sandbox_or_dev ? 1 : 0
-  description = null
-  name = "${terraform.workspace}-ecr-github-access-policy"
-  name_prefix = null
-  path = "/"
-  policy = jsonencode(
-    {
-      Statement = [
-        {
-          Action = [
-            "ecr:GetDownloadUrlForLayer",
-            "ecr:BatchGetImage",
-            "ecr:CompleteLayerUpload",
-            "ecr:UploadLayerPart",
-            "ecr:InitiateLayerUpload",
-            "ecr:BatchCheckLayerAvailability",
-            "ecr:PutImage",
-          ]
-          Effect = "Allow"
-          Resource = "arn:aws:ecr:eu-west-2:*:repository/*"
-          Sid = "VisualEditor0"
-        },
-      ]
-      Version = "2012-10-17"
-    }
-  )
-  tags = {}
-  tags_all = {}
-}
-
-
 # aws_iam_policy.github_actions_terraform_full_dev[0]:
 resource "aws_iam_policy" "github_actions_terraform_full_dev" {
   count = local.is_sandbox_or_dev ? 1 : 0
@@ -591,16 +526,58 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" {
 }
 
 
-# aws_iam_policy.github_mtls_gateway_dev[0]:
-resource "aws_iam_policy" "github_mtls_gateway_dev" {
+
+# aws_iam_policy.
+# Incorporates permissions from:
+# config_policy
+# ecr_github_access_policy
+# github_mtls_gateway
+# github_terraform_tagging_policy
+# lambda_github_access_policy
+# repo_app_config
+# terraform_github_dynamodb_access_policy
+# terraform_github_s3_access_policy
+resource "aws_iam_policy" "github_actions_extended" {
   count = local.is_sandbox_or_dev ? 1 : 0
   description = null
-  name = "${terraform.workspace}-github_mtls_gateway"
+  name = "${terraform.workspace}-github_actions_extended"
   name_prefix = null
   path = "/"
   policy = jsonencode(
     {
       Statement = [
+        {
+          Action = [
+            "config:DeleteDeliveryChannel",
+            "config:PutConfigurationRecorder",
+            "config:StopConfigurationRecorder",
+            "config:StartConfigurationRecorder",
+            "config:PutDeliveryChannel",
+            "config:DeleteConfigurationRecorder",
+            "config:DescribeConfigurationRecorderStatus",
+          ]
+          Effect = "Allow"
+          Resource = "*"
+          Sid = "VisualEditor0"
+        },
+
+
+        {
+          Action = [
+            "ecr:GetDownloadUrlForLayer",
+            "ecr:BatchGetImage",
+            "ecr:CompleteLayerUpload",
+            "ecr:UploadLayerPart",
+            "ecr:InitiateLayerUpload",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:PutImage",
+          ]
+          Effect = "Allow"
+          Resource = "arn:aws:ecr:eu-west-2:*:repository/*"
+          Sid = "VisualEditor0"
+        },
+
         {
           Action = [
             "acm:RequestCertificate",
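Review bot: The merged `github_actions_extended` document carries `Sid = "VisualEditor0"` on both the config statement and the ECR statement, and the statements pulled in by the following hunks keep the `VisualEditor0`..`VisualEditor4` Sids of their source policies, so one policy now holds several duplicate Sids; IAM requires Sids to be unique within a policy document, so the apply will presumably be rejected. Give each statement a distinct descriptive Sid, e.g. `Sid = "ConfigRecorder"` for the first and `Sid = "EcrPushPull"` for the second, or drop the Sids altogether. The header comment `# aws_iam_policy.` is truncated and should read `# aws_iam_policy.github_actions_extended[0]:`, and `description = null` is the natural home for the "incorporates permissions from" list so it is visible in the console as well as in source. Consolidation also means any role attached to this policy receives the full union, so the `Resource = "*"` statements carried over from the source policies can no longer be scoped per consumer; worth a comment if the policy is ever reused beyond `github_role_dev`. The same Sid problem applies to the hunks at -656, -768, -816, -881 and -911 below.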
@@ -656,25 +633,8 @@ resource "aws_iam_policy" "github_mtls_gateway_dev" {
           Resource = "arn:aws:apigateway:eu-west-2::/domainnames"
           Sid = "VisualEditor4"
         },
-      ]
-      Version = "2012-10-17"
-    }
-  )
-  tags = {}
-  tags_all = {}
-}
 
 
-# aws_iam_policy.github_terraform_tagging_policy_dev[0]:
-resource "aws_iam_policy" "github_terraform_tagging_policy_dev" {
-  count = local.is_sandbox_or_dev ? 1 : 0
-  description = null
-  name = "${terraform.workspace}-github_terraform_tagging_policy"
-  name_prefix = null
-  path = "/"
-  policy = jsonencode(
-    {
-      Statement = [
         {
           Action = [
             "sns:TagResource",
@@ -768,25 +728,8 @@ resource "aws_iam_policy" "github_terraform_tagging_policy_dev" {
           Resource = "*"
           Sid = "VisualEditor2"
         },
-      ]
-      Version = "2012-10-17"
-    }
-  )
-  tags = {}
-  tags_all = {}
-}
 
 
-# aws_iam_policy.lambda_github_access_policy_dev[0]:
-resource "aws_iam_policy" "lambda_github_access_policy_dev" {
-  count = local.is_sandbox_or_dev ? 1 : 0
-  description = "These permissions allow GitHub to push to a Lambda function."
-  name = "${terraform.workspace}-lambda-github-access-policy"
-  name_prefix = null
-  path = "/"
-  policy = jsonencode(
-    {
-      Statement = [
         {
           Action = [
             "lambda:CreateFunction",
@@ -816,25 +759,8 @@ resource "aws_iam_policy" "lambda_github_access_policy_dev" {
           Resource = "arn:aws:lambda:eu-west-2:*:function:*"
           Sid = "VisualEditor1"
         },
-      ]
-      Version = "2012-10-17"
-    }
-  )
-  tags = {}
-  tags_all = {}
-}
 
 
-# aws_iam_policy.repo_app_config_dev[0]:
-resource "aws_iam_policy" "repo_app_config_dev" {
-  count = local.is_sandbox_or_dev ? 1 : 0
-  description = null
-  name = "${terraform.workspace}-repo_app_config"
-  name_prefix = null
-  path = "/"
-  policy = jsonencode(
-    {
-      Statement = [
         {
           Action = [
             "appconfig:ListTagsForResource",
@@ -881,25 +807,8 @@ resource "aws_iam_policy" "repo_app_config_dev" { Resource = "*" Sid = "VisualEditor0" }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} -# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: -resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - description = "Dynamo DB specific access policies required by terraform via GitHub" - name = "${terraform.workspace}-terraform-github-dynamodb-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ { Action = [ "dynamodb:DescribeTable", @@ -911,26 +820,9 @@ resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { Effect = "Allow" Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} -# aws_iam_policy.terraform_github_s3_access_policy_dev[0]: -resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - description = "S3 specific access policies required by terraform via GitHub" - name = "${terraform.workspace}-terraform-github-s3-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { + { Action = "s3:ListBucket" Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" @@ -946,6 +838,8 @@ resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate" }, + + ] Version = "2012-10-17" } From 9197668a8c88fcd0831a7afeef51b79414b31645 Mon Sep 17 00:00:00 2001 
From: Tim Knight Date: Tue, 16 Dec 2025 15:06:13 +0000 Subject: [PATCH 16/48] [ndr-297] relocated policy to avoid size limit --- pre_core/iam_github_dev.tf | 210 ++++++++++++++++++++----------------- 1 file changed, 114 insertions(+), 96 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 278df963e..dd9450c10 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -38,7 +38,7 @@ resource "aws_iam_role" "github_role_dev" { managed_policy_arns = [ # aws_iam_policy.config_policy_dev[0].arn, # aws_iam_policy.ecr_github_access_policy_dev[0].arn, - # aws_iam_policy.github_actions_terraform_full_dev[0].arn, + aws_iam_policy.github_actions_terraform_full_dev[0].arn, # aws_iam_policy.github_mtls_gateway_dev[0].arn, # aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, # aws_iam_policy.lambda_github_access_policy_dev[0].arn, 
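Review bot: The list this hunk edits still carries commented-out references to `config_policy_dev`, `ecr_github_access_policy_dev`, `github_mtls_gateway_dev` and the other policies that the earlier patches folded into `github_actions_extended`; once a resource no longer exists its commented ARN is only a stale pointer, so replace that block with one comment such as `# config/ecr/mtls/lambda/appconfig/dynamodb/s3 permissions live in aws_iam_policy.github_actions_extended` (I cannot see from this hunk whether `aws_iam_policy.github_actions_extended[0].arn` is itself in the list — it needs to be). Separately, `managed_policy_arns` (like the `inline_policy` blocks the next patch adds) is deprecated in recent 5.x releases of the AWS provider in favour of `aws_iam_role_policy_attachment`; if the provider pinned in `pre_core/terraform.tf` is that recent, expect a deprecation warning on every plan. `github_role_dev` starts and ends outside this hunk.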
@@ -267,6 +267,117 @@ resource "aws_iam_role" "github_role_dev" { } ) } + + + + + + inline_policy { + name = "github_terraform_tagging_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", + "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", + 
"arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = "2012-10-17" + } + ) + } + + + } @@ -532,7 +643,7 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { # config_policy # ecr_github_access_policy # github_mtls_gateway -# github_terraform_tagging_policy +# github_terraform_tagging_policy - Moved to inline # lambda_github_access_policy # repo_app_config # terraform_github_dynamodb_access_policy 
@@ -635,99 +746,6 @@ resource "aws_iam_policy" "github_actions_extended" { }, - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, { @@ -822,7 +840,7 @@ resource "aws_iam_policy" "github_actions_extended" { }, - { + { Action = "s3:ListBucket" Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" From 85e8813a9e628bb7c799e413040d03b5a9f9626a Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 16 Dec 2025 15:19:54 +0000 Subject: [PATCH 17/48] [ndr-297] updated Sids --- pre_core/iam_github_dev.tf | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index dd9450c10..6133b2ed3 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -669,7 +669,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "VisualEditor0" + Sid = "config_policy_1" }, @@ -685,7 +685,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "VisualEditor0" + Sid = "ecr_github_access_policy_1" }, 
@@ -697,13 +697,13 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "VisualEditor0" + Sid = "github_mtls_gateway_1" }, { Action = "apigateway:AddCertificateToDomain" Effect = "Allow" Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" + Sid = "github_mtls_gateway_2" }, { Action = [ @@ -724,7 +724,7 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:route53:::hostedzone/*", "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", ] - Sid = "VisualEditor2" + Sid = "github_mtls_gateway_3" }, { Action = [ @@ -736,13 +736,13 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:apigateway:eu-west-2::/domainnames/*", "arn:aws:apigateway:eu-west-2::/domainnames", ] - Sid = "VisualEditor3" + Sid = "github_mtls_gateway_4" }, { Action = "apigateway:AddCertificateToDomain" Effect = "Allow" Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" + Sid = "github_mtls_gateway_5" }, @@ -769,13 +769,13 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", "arn:aws:lambda:eu-west-2:*:function:*", ] - Sid = "VisualEditor0" + Sid = "lambda_github_access_policy_1" }, { Action = "iam:ListRoles" Effect = "Allow" Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "VisualEditor1" + Sid = "lambda_github_access_policy_2" }, @@ -823,7 +823,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "VisualEditor0" + Sid = "repo_app_config_1" }, @@ -837,6 +837,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + Sid = "terraform_github_dynamodb_access_policy_1" }, 
@@ -844,6 +845,7 @@ resource "aws_iam_policy" "github_actions_extended" { Action = "s3:ListBucket" Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" + Sid = "terraform_github_s3_access_policy_1" }, { Action = [ @@ -855,6 +857,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate" + Sid = "terraform_github_s3_access_policy_2" }, From 9e53f78b4bbece1123758bf88144708b419508fb Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 16 Dec 2025 15:28:23 +0000 Subject: [PATCH 18/48] [ndr-297] fixed Sids --- pre_core/iam_github_dev.tf | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 6133b2ed3..8021169f9 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -669,7 +669,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "config_policy_1" + Sid = "ConfigPolicy1" }, @@ -685,7 +685,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "ecr_github_access_policy_1" + Sid = "EcrGithubAccessPolicy1" }, @@ -697,13 +697,13 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "github_mtls_gateway_1" + Sid = "GithubMtlsGateway1" }, { Action = "apigateway:AddCertificateToDomain" Effect = "Allow" Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "github_mtls_gateway_2" + Sid = "GithubMtlsGateway2" }, { Action = [ 
@@ -724,7 +724,7 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:route53:::hostedzone/*", "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", ] - Sid = "github_mtls_gateway_3" + Sid = "GithubMtlsGateway3" }, { Action = [ @@ -736,13 +736,13 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:apigateway:eu-west-2::/domainnames/*", "arn:aws:apigateway:eu-west-2::/domainnames", ] - Sid = "github_mtls_gateway_4" + Sid = "GithubMtlsGateway4" }, { Action = "apigateway:AddCertificateToDomain" Effect = "Allow" Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "github_mtls_gateway_5" + Sid = "GithubMtlsGateway5" }, @@ -769,13 +769,13 @@ resource "aws_iam_policy" "github_actions_extended" { "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", "arn:aws:lambda:eu-west-2:*:function:*", ] - Sid = "lambda_github_access_policy_1" + Sid = "LambdaGithubAccessPolicy1" }, { Action = "iam:ListRoles" Effect = "Allow" Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "lambda_github_access_policy_2" + Sid = "LambdaGithubAccessPolicy2" }, @@ -823,7 +823,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "*" - Sid = "repo_app_config_1" + Sid = "RepoAppConfig1" }, @@ -837,7 +837,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - Sid = "terraform_github_dynamodb_access_policy_1" + Sid = "TerraformGithubDynamodbAccessPolicy1" }, @@ -845,7 +845,7 @@ resource "aws_iam_policy" "github_actions_extended" { Action = "s3:ListBucket" Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" - Sid = "terraform_github_s3_access_policy_1" + Sid = "TerraformGithubS3AccessPolicy1" }, { Action = [ 
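Review bot: `GithubMtlsGateway5` in the `-736` hunk here is byte-for-byte the same statement as `GithubMtlsGateway2` in the `-697` hunk on the previous line (`apigateway:AddCertificateToDomain` on `arn:aws:apigateway:eu-west-2::/domainnames`), so one of them can simply be deleted — cheap characters to recover in a policy that has already hit the size limit. `LambdaGithubAccessPolicy2` grants `iam:ListRoles` with `Resource = "arn:aws:lambda:eu-west-2:*:function:*"`; ListRoles does not support resource-level permissions, so this statement never matches and should either become `Resource = "*"` or, if a read-only managed policy on the role already covers the call, be removed. `LambdaGithubAccessPolicy1` also keeps the account wildcard in `arn:aws:lambda:eu-west-2:*:function:*` while the KMS ARN in the same list is pinned to `${data.aws_caller_identity.current.account_id}`. The `github_actions_extended` resource starts and ends outside these hunks.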
@@ -857,7 +857,7 @@ resource "aws_iam_policy" "github_actions_extended" { ] Effect = "Allow" Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate" - Sid = "terraform_github_s3_access_policy_2" + Sid = "TerraformGithubS3AccessPolicy2" }, From d2ff8205bb0bc394eb6e2d08d9a594d862b88b39 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 16 Dec 2025 16:32:38 +0000 Subject: [PATCH 19/48] [ndr-297] run last stage of workflow wuth new role --- .github/workflows/deploy-sandbox.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 8782c2946..3552ec401 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -147,7 +147,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role role-skip-session-tagging: true aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true From de4d06cea50280b0d1c63954951b2394c8b970eb Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 16 Dec 2025 16:55:46 +0000 Subject: [PATCH 20/48] [ndr-297] teardown using new role. --- .github/workflows/tear-down-sandbox.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index a3e9a5c6a..444b7f4af 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml 
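Review bot: The role ARN is now built from `github.event.inputs.sandbox_name`, an unvalidated free-text dispatch input, so whoever can trigger this workflow chooses which `<name>-github-actions-role` in the dev account the job assumes; it is a `with:` value rather than a `run:` script, so there is no shell interpolation, and the role's trust policy still decides whether the assume succeeds, but a `choice`-typed input or a validation step ahead of the credentials step would make the allowed set explicit and auditable. The same line is introduced in `tear-down-sandbox.yml` in the next hunk. Stylistically the tear-down workflow already reads `inputs.git_ref`, so `${{ inputs.sandbox_name }}` would be consistent and also fixes the missing space before `}}`. The job continues outside this hunk.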
@@ -90,7 +90,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true From 6daed32de3b1e2f6d6f22135f57753bbb6a21b9b Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 12:20:26 +0000 Subject: [PATCH 21/48] [ndr-297] configuring tf for pre-prod and test --- .github/workflows/deploy-sandbox.yml | 2 +- .github/workflows/deploy-test.yml | 4 + .github/workflows/tear-down-sandbox.yml | 24 +- pre_core/iam_github_dev.tf | 5 +- pre_core/iam_github_dev.tf.org | 955 ------------------ ...pre-prod.tf.org => iam_github_pre-prod.tf} | 134 +-- ..._github_test.tf.org => iam_github_test.tf} | 124 +-- pre_core/variables.tf | 9 +- 8 files changed, 144 insertions(+), 1113 deletions(-) delete mode 100644 pre_core/iam_github_dev.tf.org rename pre_core/{iam_github_pre-prod.tf.org => iam_github_pre-prod.tf} (79%) rename pre_core/{iam_github_test.tf.org => iam_github_test.tf} (80%) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 3552ec401..862cc9069 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -147,7 +147,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + # Use role that we've just created in pre_core role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role role-skip-session-tagging: true aws-region: ${{ vars.AWS_REGION }} 
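Review bot: This tear-down step assumes the new role without the `role-skip-session-tagging: true` that the matching step in `deploy-sandbox.yml` sets; if the action attempts session tagging on this path it needs `sts:TagSession` in the role's trust policy, so unless the trust policy for `${sandbox_name}-github-actions-role` allows it the two workflows will behave differently against the same role — align them (add the line here, or drop it in deploy-sandbox) once the trust policy has been checked. The job continues outside this hunk.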
diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 3c701f8c2..57db6674e 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml @@ -16,6 +16,10 @@ permissions: contents: read # This is required for actions/checkout jobs: + # TODO: Add pre-core plan/apply + # TODO: Remember to pass in:-var=pre_prod_account_id=${{ secrets.PRE_PROD_AWS_ACCOUNT_ID }} + # TODO: Change existing apply to use new pre_core role + terraform_plan_apply: name: Terraform Plan/Apply (ndr-test) runs-on: ubuntu-latest diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index 444b7f4af..dac8963d0 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -77,20 +77,10 @@ jobs: with: ref: ${{ inputs.git_ref }} - # - name: Setup Python 3.11 - # uses: actions/setup-python@v6 - # with: - # python-version: 3.11 - - # - name: Install Python Dependencies - # run: | - # python3 -m venv ./venv - # ./venv/bin/pip3 install --upgrade pip boto3 - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} # TODO: Needs to be new rule + # Use role created in pre_core role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true @@ -115,7 +105,7 @@ jobs: terraform_destroy_pre_core: name: Terraform Destroy (Pre-Core) # TODO: Should we allow 'test' to be destroyed? - # if: ${{ github.event.inputs.environment == 'development' }} + if: ${{ github.event.inputs.environment == 'development' }} runs-on: ubuntu-latest needs: [terraform_destroy] environment: ${{ inputs.environment }} 
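Review bot: Enabling `if: ${{ github.event.inputs.environment == 'development' }}` on `terraform_destroy_pre_core` settles, at least for now, the question the line above it still asks (`# TODO: Should we allow 'test' to be destroyed?`); leaving both makes the next reader wonder whether the guard is provisional. Replace the TODO with a statement of the decision, e.g. `# Pre-core (the GitHub Actions role itself) is only torn down for development; test keeps its role`, and if the question is genuinely open, track it in the ticket rather than the file. The `terraform_destroy_pre_core` job continues outside this hunk.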
@@ -125,16 +115,6 @@ jobs: with: ref: ${{ inputs.git_ref }} - # - name: Setup Python 3.11 - # uses: actions/setup-python@v6 - # with: - # python-version: 3.11 - - # - name: Install Python Dependencies - # run: | - # python3 -m venv ./venv - # ./venv/bin/pip3 install --upgrade pip boto3 - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 8021169f9..d671f6507 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -1,5 +1,6 @@ # aws_iam_role.github_role_dev[0]: resource "aws_iam_role" "github_role_dev" { + # TODO: Remove empty tags and null entries? count = local.is_sandbox_or_dev ? 1 : 0 assume_role_policy = jsonencode( { @@ -638,12 +639,12 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { -# aws_iam_policy. +# aws_iam_policy github_actions_extended # Incorporates permissions from: # config_policy # ecr_github_access_policy # github_mtls_gateway -# github_terraform_tagging_policy - Moved to inline +# (github_terraform_tagging_policy - Moved to inline) # lambda_github_access_policy # repo_app_config # terraform_github_dynamodb_access_policy diff --git a/pre_core/iam_github_dev.tf.org b/pre_core/iam_github_dev.tf.org deleted file mode 100644 index d2e799026..000000000 --- a/pre_core/iam_github_dev.tf.org +++ /dev/null 
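Review bot: The new `# TODO: Remove empty tags and null entries?` on `github_role_dev` can be answered from the files themselves: the `description = null`, `name_prefix = null`, `tags = {}` and `tags_all = {}` lines these resources carry appear to be what the state export emits for unset optional attributes, so removing them should produce no plan diff (confirm with `terraform plan`) and shrinks files that are already close to policy size limits. I would replace the TODO with `# NOTE: null assignments and empty tags below are state-export artefacts, equivalent to omitting the attribute` so the cleanup can happen without re-deriving the reasoning. `github_role_dev` continues outside this hunk.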
@@ -1,955 +0,0 @@ -# aws_iam_role.github_role_dev[0]: -resource "aws_iam_role" "github_role_dev" { - count = var.environment == "dev" ? 1 : 0 - assume_role_policy = jsonencode( - { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" - } - }, - ] - Version = "2012-10-17" - } - ) - description = "This role is to provide access for GitHub actions to the development environment. 
" - force_detach_policies = false - managed_policy_arns = [ - aws_iam_policy.config_policy_dev[0].arn, - aws_iam_policy.ecr_github_access_policy_dev[0].arn, - aws_iam_policy.github_actions_terraform_full_dev[0].arn, - aws_iam_policy.github_mtls_gateway_dev[0].arn, - aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, - aws_iam_policy.lambda_github_access_policy_dev[0].arn, - aws_iam_policy.repo_app_config_dev[0].arn, - aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, - aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "github-actions-dev-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} - - inline_policy { - name = "cloudtrail" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - "cloudtrail:DeleteTrail", - ] - Effect = "Allow" - Resource = [ - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${var.aws_account_id}:channel/*", - ] - Sid = "VisualEditor0" - }, - { - Action = "organizations:ListAWSServiceAccessForOrganization" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*" - Sid = "Statement1" - }, - { - Action = [ - 
"logs:PutDeliverySource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:logs:us-east-1:${var.aws_account_id}:delivery-source:*", - ] - Sid = "Statement2" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-actions-waf-override" - policy = jsonencode( - { - Statement = [ - { - Action = "apigateway:SetWebACL" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "lambda_layer_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - 
"logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step-functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } -} - - -# aws_iam_policy.config_policy_dev[0]: -resource "aws_iam_policy" "config_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = null - name = "config-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "config:DeleteDeliveryChannel", - "config:PutConfigurationRecorder", - "config:StopConfigurationRecorder", - "config:StartConfigurationRecorder", - "config:PutDeliveryChannel", - "config:DeleteConfigurationRecorder", - "config:DescribeConfigurationRecorderStatus", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.ecr_github_access_policy_dev[0]: -resource "aws_iam_policy" "ecr_github_access_policy_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "ecr-github-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.github_actions_terraform_full_dev[0]: -resource "aws_iam_policy" "github_actions_terraform_full_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "All permissions required for Terraform to do its thing." - name = "github_actions_terraform_full" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "scheduler:DeleteSchedule", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "dynamodb:BatchWriteItem", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "lambda:PublishVersion", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "dynamodb:UpdateTable", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "logs:DeleteMetricFilter", - "sqs:createqueue", - "iam:DeleteRolePolicy", - 
"application-autoscaling:TagResource", - "ec2:ReleaseAddress", - "lambda:UpdateEventSourceMapping", - "elasticloadbalancing:CreateLoadBalancer", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "iam:CreateServiceLinkedRole", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:UpdateAssumeRolePolicy", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "ecs:UpdateService", - "elasticloadbalancing:DescribeLoadBalancers", - "ssm:DeleteParameter", - "cloudfront:*", - "kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "ses:VerifyDomainDkim", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "ecs:CreateService", - "elasticloadbalancing:CreateListener", - "kms:ScheduleKeyDeletion", - "ecr:DescribeRepositories", - "ecs:DescribeServices", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "kms:ListKeys", - "events:PutTargets", - "lambda:AddPermission", - "ecr:SetRepositoryPolicy", - "ec2:DeleteSecurityGroup", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "sqs:DeleteMessage", - "elasticloadbalancing:ModifyListener", - 
"cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "dynamodb:CreateTable", - "ec2:RevokeSecurityGroupIngress", - "lambda:UpdateFunctionCode", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "ec2:DisassociateAddress", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "scheduler:UpdateSchedule", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "backup:DeleteBackupVault", - "lambda:UpdateFunctionConfiguration", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "lambda:EnableReplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - 
"elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "ec2:DetachInternetGateway", - "ecr:DeleteLifecyclePolicy", - "logs:CreateLogGroup", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "ec2:DeleteTags", - "lambda:GetLayerVersion", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "scheduler:CreateSchedule", - "logs:PutRetentionPolicy", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "cognito-idp:*", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.github_mtls_gateway_dev[0]: -resource "aws_iam_policy" "github_mtls_gateway_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "github_mtls_gateway" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.github_terraform_tagging_policy_dev[0]: -resource "aws_iam_policy" "github_terraform_tagging_policy_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "github_terraform_tagging_policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${var.aws_account_id}:function:*", - "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*", - "arn:aws:iam::${var.aws_account_id}:role/*", - "arn:aws:iam::${var.aws_account_id}:policy/*", - "arn:aws:sns:*:${var.aws_account_id}:*", - "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*", - "arn:aws:backup:*:${var.aws_account_id}:framework:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*", - "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*", - "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*", - "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - 
"arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${var.aws_account_id}:group/*", - "arn:aws:events:*:${var.aws_account_id}:event-bus/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${var.aws_account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, - ] - Version = 
"2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.lambda_github_access_policy_dev[0]: -resource "aws_iam_policy" "lambda_github_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "These permissions allow GitHub to push to a Lambda function." - name = "lambda-github-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "s3:PutObject", - "lambda:UpdateFunctionCode", - "kms:TagResource", - "kms:UntagResource", - "kms:Encrypt", - "kms:Decrypt", - "lambda:InvokeFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "lambda:DeleteFunctionConcurrency", - "kms:CreateGrant", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${var.aws_account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - { - Action = "iam:ListRoles" - Effect = "Allow" - Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.repo_app_config_dev[0]: -resource "aws_iam_policy" "repo_app_config_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = null - name = "repo_app_config" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0]: -resource "aws_iam_policy" "terraform_github_dynamodb_access_policy_dev" { - count = var.environment == "dev" ? 
1 : 0 - description = "Dynamo DB specific access policies required by terraform via GitHub" - name = "terraform-github-dynamodb-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - ] - Effect = "Allow" - Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} - - -# aws_iam_policy.terraform_github_s3_access_policy_dev[0]: -resource "aws_iam_policy" "terraform_github_s3_access_policy_dev" { - count = var.environment == "dev" ? 1 : 0 - description = "S3 specific access policies required by terraform via GitHub" - name = "terraform-github-s3-access-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = "s3:ListBucket" - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}" - }, - { - Action = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:DeleteBucketPolicy", - "s3:PutBucketPolicy", - ] - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${var.aws_account_id}/ndr/terraform.tfstate" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} - tags_all = {} -} diff --git a/pre_core/iam_github_pre-prod.tf.org b/pre_core/iam_github_pre-prod.tf similarity index 79% rename from pre_core/iam_github_pre-prod.tf.org rename to pre_core/iam_github_pre-prod.tf index f8c863241..ccf39a2d6 100644 --- a/pre_core/iam_github_pre-prod.tf.org +++ b/pre_core/iam_github_pre-prod.tf @@ -1,6 +1,6 @@ # aws_iam_role.github_role_pre-prod[0]: resource "aws_iam_role" "github_role_pre-prod" { - count = var.environment == "pre-prod" ? 1 : 0 + count = local.is_pre_production ? 1 : 0 assume_role_policy = jsonencode( { Statement = [ 
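Review bot: The new `count = local.is_pre_production ? 1 : 0` refers to a local that is not declared anywhere in this diff, so the file only validates if `local.is_pre_production` (and `local.is_testing` in iam_github_test.tf) is defined in a locals block elsewhere in the commit — I cannot see one from here. The rename from `iam_github_pre-prod.tf.org` also turns a file Terraform previously ignored into live configuration, so the first plan against the pre-prod account will try to create `aws_iam_role.github_role_pre-prod` unless the existing role has been imported into state beforehand. A short comment above the resource, such as `# Gated by local.is_pre_production; the existing role must be imported before the first apply`, would make both expectations explicit for the next reader. The `aws_iam_role` block continues past the end of this hunk.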
@@ -19,14 +19,14 @@ resource "aws_iam_role" "github_role_pre-prod" {
 }
 Effect = "Allow"
 Principal = {
- Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com"
+ Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
 }
 },
 {
 Action = "sts:AssumeRole"
 Effect = "Allow"
 Principal = {
- AWS = "arn:aws:sts::${var.aws_account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk"
+ AWS = "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk"
 }
 },
 ]
@@ -121,8 +121,8 @@ resource "aws_iam_role" "github_role_pre-prod" {
 ]
 Effect = "Allow"
 Resource = [
- "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/ndr-pre-prod-app",
- "arn:aws:ecr:eu-west-2:${var.aws_account_id}:repository/pre-prod-data-collection",
+ "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-pre-prod-app",
+ "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/pre-prod-data-collection",
 ]
 Sid = "AllowAppAndOdsUpdate"
 },
@@ -205,7 +205,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 ]
 Effect = "Allow"
 Resource = [
- "arn:aws:kms:*:${var.aws_account_id}:key/*",
+ "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*",
 "arn:aws:lambda:eu-west-2:*:function:*",
 ]
 Sid = "VisualEditor0"
@@ -253,7 +253,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 "arn:aws:apigateway:eu-west-2::/domainnames",
 "arn:aws:apigateway:eu-west-2::/domainnames/*",
 "arn:aws:route53:::hostedzone/*",
- "arn:aws:acm:eu-west-2:${var.aws_account_id}:certificate/*",
+ "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*",
 ]
 Sid = "VisualEditor2"
 },
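Review bot: The second trust statement in the `@@ -19,14` hunk still allows `sts:AssumeRole` from one person's SSO session ARN (`arn:aws:sts::…:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_…/<user>`); the commit only changes where the account id comes from, so this per-person principal survives the refactor. A trust on an individual session sits outside the OIDC conditions that gate the GitHub workflow, is a standing privilege rather than a workflow identity, and only goes away when someone remembers to edit the role after that person's access changes. If it is a deliberate break-glass path, a comment on the statement such as `# Break-glass: an administrator session may assume the GitHub role directly; review on staff change` should record that; if not, trusting the permission set's IAM role, or dropping the statement, is the tighter form. Both the `assume_role_policy` and the enclosing `aws_iam_role` begin before this hunk.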
@@ -320,39 +320,39 @@ resource "aws_iam_role" "github_role_pre-prod" {
 ]
 Effect = "Allow"
 Resource = [
- "arn:aws:events:*:${var.aws_account_id}:event-bus/*",
- "arn:aws:events:*:${var.aws_account_id}:rule/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*",
- "arn:aws:lambda:*:${var.aws_account_id}:event-source-mapping:*",
- "arn:aws:lambda:*:${var.aws_account_id}:code-signing-config:*",
- "arn:aws:lambda:*:${var.aws_account_id}:function:*",
- "arn:aws:cognito-identity:*:${var.aws_account_id}:identitypool/*",
- "arn:aws:resource-groups:*:${var.aws_account_id}:group/*",
- "arn:aws:backup:*:${var.aws_account_id}:backup-plan:*",
- "arn:aws:backup:*:${var.aws_account_id}:report-plan:*-*",
- "arn:aws:backup:*:${var.aws_account_id}:restore-testing-plan:*-*",
- "arn:aws:backup:*:${var.aws_account_id}:backup-vault:*",
- "arn:aws:backup:*:${var.aws_account_id}:legal-hold:*",
- "arn:aws:backup:*:${var.aws_account_id}:framework:*-*",
- "arn:aws:iam::${var.aws_account_id}:policy/*",
- "arn:aws:iam::${var.aws_account_id}:instance-profile/*",
- "arn:aws:iam::${var.aws_account_id}:role/*",
- "arn:aws:sns:*:${var.aws_account_id}:*",
- "arn:aws:logs:*:${var.aws_account_id}:log-group:*",
- "arn:aws:logs:*:${var.aws_account_id}:delivery-source:*",
- "arn:aws:logs:*:${var.aws_account_id}:delivery:*",
- "arn:aws:logs:*:${var.aws_account_id}:destination:*",
- "arn:aws:logs:*:${var.aws_account_id}:delivery-destination:*",
- "arn:aws:logs:*:${var.aws_account_id}:anomaly-detector:*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*",
+ "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*",
+ "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+ "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*",
 ]
 Sid = "VisualEditor0"
 },
@@ -365,17 +365,17 @@ resource "aws_iam_role" "github_role_pre-prod" {
 ]
 Effect = "Allow"
 Resource = [
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*",
- "arn:aws:events:*:${var.aws_account_id}:rule/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*",
 ]
 Sid = "VisualEditor1"
 },
@@ -386,16 +386,16 @@ resource "aws_iam_role" "github_role_pre-prod" {
 ]
 Effect = "Allow"
 Resource = [
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/net/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${var.aws_account_id}:loadbalancer/app/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*",
 ]
 Sid = "VisualEditor2"
 },
@@ -427,7 +427,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 "cognito-identity:UpdateIdentityPool",
 ]
 Effect = "Allow"
- Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*"
+ Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*"
 Sid = "AllowIdentityPool"
 },
 {
@@ -442,7 +442,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 "rum:DeleteAppMonitor",
 ]
 Effect = "Allow"
- Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*"
+ Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*"
 Sid = "AllowAppMonitor"
 },
 {
@@ -452,7 +452,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 "logs:DescribeLogGroups",
 ]
 Effect = "Allow"
- Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*"
+ Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*"
 Sid = "AllowRumServiceLogs"
 },
 {
@@ -504,7 +504,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 "states:UntagResource",
 ]
 Effect = "Allow"
- Resource = "arn:aws:states:eu-west-2:${var.aws_account_id}:stateMachine:*"
+ Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*"
 Sid = "VisualEditor0"
 },
 ]
@@ -517,7 +517,7 @@ resource "aws_iam_role" "github_role_pre-prod" {
 
 # aws_iam_policy.github_actions_policy_pre-prod[0]:
 resource "aws_iam_policy" "github_actions_policy_pre-prod" {
- count = var.environment == "pre-prod" ? 1 : 0
+ count = local.is_pre_production ? 1 : 0
 description = null
 name = "github-actions-policy"
 name_prefix = null
@@ -775,7 +775,7 @@ resource "aws_iam_policy" "github_actions_policy_pre-prod" {
 
 # aws_iam_policy.github_extended_policy_1_pre-prod[0]:
 resource "aws_iam_policy" "github_extended_policy_1_pre-prod" {
- count = var.environment == "pre-prod" ? 1 : 0
+ count = local.is_pre_production ? 1 : 0
 description = "more required items for GitHub access"
 name = "github-extended-policy-1"
 name_prefix = null
diff --git a/pre_core/iam_github_test.tf.org b/pre_core/iam_github_test.tf
similarity index 80%
rename from pre_core/iam_github_test.tf.org
rename to pre_core/iam_github_test.tf
index e332753be..28a05a8f3 100644
--- a/pre_core/iam_github_test.tf.org
+++ b/pre_core/iam_github_test.tf
@@ -1,6 +1,6 @@
 # aws_iam_role.github_role_test[0]:
 resource "aws_iam_role" "github_role_test" {
- count = var.environment == "test" ? 1 : 0
+ count = local.is_testing ? 1 : 0
 assume_role_policy = jsonencode(
 {
 Statement = [
@@ -19,7 +19,7 @@ resource "aws_iam_role" "github_role_test" {
 }
 Effect = "Allow"
 Principal = {
- Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com"
+ Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
 }
 },
 ]
@@ -93,7 +93,7 @@ resource "aws_iam_role" "github_role_test" {
 "logs:DisassociateKmsKey",
 ]
 Effect = "Allow"
- Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*"
+ Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*"
 Sid = "Statement1"
 },
 ]
@@ -141,39 +141,39 @@ resource "aws_iam_role" "github_role_test" { ] Effect = "Allow" Resource = [ - "arn:aws:events:*:694282683086:event-bus/*", - "arn:aws:events:*:694282683086:rule/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:lambda:*:694282683086:event-source-mapping:*", - "arn:aws:lambda:*:694282683086:code-signing-config:*", - "arn:aws:lambda:*:694282683086:function:*", - "arn:aws:cognito-identity:*:694282683086:identitypool/*", - "arn:aws:resource-groups:*:694282683086:group/*", - "arn:aws:backup:*:694282683086:backup-plan:*", - "arn:aws:backup:*:694282683086:report-plan:*-*", - "arn:aws:backup:*:694282683086:restore-testing-plan:*-*", - "arn:aws:backup:*:694282683086:backup-vault:*", - "arn:aws:backup:*:694282683086:legal-hold:*", - "arn:aws:backup:*:694282683086:framework:*-*", - "arn:aws:iam::694282683086:policy/*", - "arn:aws:iam::694282683086:instance-profile/*", - "arn:aws:iam::694282683086:role/*", - "arn:aws:sns:*:694282683086:*", - "arn:aws:logs:*:694282683086:log-group:*", - "arn:aws:logs:*:694282683086:delivery-source:*", - "arn:aws:logs:*:694282683086:delivery:*", - "arn:aws:logs:*:694282683086:destination:*", - "arn:aws:logs:*:694282683086:delivery-destination:*", - "arn:aws:logs:*:694282683086:anomaly-detector:*", + "arn:aws:events:*:${var.pre_prod_account_id}:event-bus/*", + 
"arn:aws:events:*:${var.pre_prod_account_id}:rule/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", + "arn:aws:lambda:*:${var.pre_prod_account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${var.pre_prod_account_id}:code-signing-config:*", + "arn:aws:lambda:*:${var.pre_prod_account_id}:function:*", + "arn:aws:cognito-identity:*:${var.pre_prod_account_id}:identitypool/*", + "arn:aws:resource-groups:*:${var.pre_prod_account_id}:group/*", + "arn:aws:backup:*:${var.pre_prod_account_id}:backup-plan:*", + "arn:aws:backup:*:${var.pre_prod_account_id}:report-plan:*-*", + "arn:aws:backup:*:${var.pre_prod_account_id}:restore-testing-plan:*-*", + "arn:aws:backup:*:${var.pre_prod_account_id}:backup-vault:*", + "arn:aws:backup:*:${var.pre_prod_account_id}:legal-hold:*", + "arn:aws:backup:*:${var.pre_prod_account_id}:framework:*-*", + "arn:aws:iam::${var.pre_prod_account_id}:policy/*", + "arn:aws:iam::${var.pre_prod_account_id}:instance-profile/*", + "arn:aws:iam::${var.pre_prod_account_id}:role/*", + "arn:aws:sns:*:${var.pre_prod_account_id}:*", + "arn:aws:logs:*:${var.pre_prod_account_id}:log-group:*", + "arn:aws:logs:*:${var.pre_prod_account_id}:delivery-source:*", + 
"arn:aws:logs:*:${var.pre_prod_account_id}:delivery:*", + "arn:aws:logs:*:${var.pre_prod_account_id}:destination:*", + "arn:aws:logs:*:${var.pre_prod_account_id}:delivery-destination:*", + "arn:aws:logs:*:${var.pre_prod_account_id}:anomaly-detector:*", "*", ] Sid = "VisualEditor0" 
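Review bot: The per-account scoping added here is moot for this statement, because the Resource list still ends with the context entry `"*"` right after the last added ARN, so every action in the statement is already allowed on every resource. Either drop the `"*"` entry or drop the pre-prod ARNs, and confirm whether a role in the test account needs to name pre-prod resources at all. Separately, `var.pre_prod_account_id` defaults to `""` in the variables.tf hunk of this patch, so an unset variable produces ARNs like `arn:aws:events:*::event-bus/*` rather than a plan-time error. The enclosing statement's Action list starts before this hunk.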
@@ -187,17 +187,17 @@ resource "aws_iam_role" "github_role_test" { ] Effect = "Allow" Resource = [ - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:events:*:694282683086:rule/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:events:*:${var.pre_prod_account_id}:rule/*", ] Sid = "VisualEditor1" }, 
@@ -208,16 +208,16 @@ resource "aws_iam_role" "github_role_test" { ] Effect = "Allow" Resource = [ - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", ] Sid = "VisualEditor2" }, 
@@ -249,7 +249,7 @@ resource "aws_iam_role" "github_role_test" { "cognito-identity:UpdateIdentityPool", ] Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${var.aws_account_id}:identitypool/*" + Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" Sid = "VisualEditor0" }, { @@ -264,7 +264,7 @@ resource "aws_iam_role" "github_role_test" { "rum:DeleteAppMonitor", ] Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${var.aws_account_id}:appmonitor/*" + Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" Sid = "VisualEditor1" }, { @@ -274,7 +274,7 @@ resource "aws_iam_role" "github_role_test" { "logs:DescribeLogGroups", ] Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${var.aws_account_id}:log-group:*RUMService*" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" Sid = "VisualEditor2" }, { @@ -356,7 +356,7 @@ resource "aws_iam_role" "github_role_test" { # aws_iam_policy.github_action_policy_test[0]: resource "aws_iam_policy" "github_action_policy_test" { - count = var.environment == "test" ? 1 : 0 + count = local.is_testing ? 1 : 0 description = null name = "github-action-policy" name_prefix = null @@ -615,7 +615,7 @@ resource "aws_iam_policy" "github_action_policy_test" { # aws_iam_policy.github_action_policy_2_test[0]: resource "aws_iam_policy" "github_action_policy_2_test" { - count = var.environment == "test" ? 1 : 0 + count = local.is_testing ? 1 : 0 description = null name = "github-action-policy-2" name_prefix = null diff --git a/pre_core/variables.tf b/pre_core/variables.tf index 00bfa0ca8..0342b54be 100644 --- a/pre_core/variables.tf +++ b/pre_core/variables.tf 
@@ -9,10 +9,11 @@ variable "region" { description = "The region to be used for bootstrapping" } -# variable "aws_account_id" { -# type = string -# description = "The AWS Account ID (numeric)" -# } +variable "pre_prod_account_id" { + type = string + description = "The Pre-Prod AWS Account ID (required by Test environment GitHub IAM Role)" + default = "" +} variable "owner" { description = "Identifies the team or person responsible for the resource (used for tagging)." From e2c5a272d6bda0b5e37ae5c2d7dbfa61b30007f7 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 12:20:49 +0000 Subject: [PATCH 22/48] [ndr-297] linting --- pre_core/iam_github_pre-prod.tf | 4 ++-- pre_core/iam_github_test.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pre_core/iam_github_pre-prod.tf b/pre_core/iam_github_pre-prod.tf index ccf39a2d6..490e76c8a 100644 --- a/pre_core/iam_github_pre-prod.tf +++ b/pre_core/iam_github_pre-prod.tf @@ -517,7 +517,7 @@ resource "aws_iam_role" "github_role_pre-prod" { # aws_iam_policy.github_actions_policy_pre-prod[0]: resource "aws_iam_policy" "github_actions_policy_pre-prod" { - count = local.is_pre_production ? 1 : 0 + count = local.is_pre_production ? 1 : 0 description = null name = "github-actions-policy" name_prefix = null @@ -775,7 +775,7 @@ resource "aws_iam_policy" "github_actions_policy_pre-prod" { # aws_iam_policy.github_extended_policy_1_pre-prod[0]: resource "aws_iam_policy" "github_extended_policy_1_pre-prod" { - count = local.is_pre_production ? 1 : 0 + count = local.is_pre_production ? 1 : 0 description = "more required items for GitHub access" name = "github-extended-policy-1" name_prefix = null diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf index 28a05a8f3..a18a1c218 100644 --- a/pre_core/iam_github_test.tf +++ b/pre_core/iam_github_test.tf 
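Review bot: `default = ""` lets the test environment plan with an empty account id, which is then interpolated into the test role's ARNs as an empty account field; a validation block would turn that into a plan-time error rather than a silently mis-scoped policy. Keeping the empty default for environments that do not need it, the rule can be: empty, or exactly twelve digits. The description could also name which environment must set it.
```hcl
variable "pre_prod_account_id" {
  type        = string
  description = "The Pre-Prod AWS Account ID (required by Test environment GitHub IAM Role)"
  default     = ""

  validation {
    condition     = var.pre_prod_account_id == "" || can(regex("^[0-9]{12}$", var.pre_prod_account_id))
    error_message = "pre_prod_account_id must be empty or a 12-digit AWS account id."
  }
}
```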
@@ -356,7 +356,7 @@ resource "aws_iam_role" "github_role_test" { # aws_iam_policy.github_action_policy_test[0]: resource "aws_iam_policy" "github_action_policy_test" { - count = local.is_testing ? 1 : 0 + count = local.is_testing ? 1 : 0 description = null name = "github-action-policy" name_prefix = null @@ -615,7 +615,7 @@ resource "aws_iam_policy" "github_action_policy_test" { # aws_iam_policy.github_action_policy_2_test[0]: resource "aws_iam_policy" "github_action_policy_2_test" { - count = local.is_testing ? 1 : 0 + count = local.is_testing ? 1 : 0 description = null name = "github-action-policy-2" name_prefix = null From 013542b8b7bef2f9a3b8cd5bea2862a3b7fa0199 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 14:47:19 +0000 Subject: [PATCH 23/48] [ndr-297] created re-usable tf-plan-apply github action --- .github/actions/tf-plan-apply/action.yml | 84 +++++++++++++++++++++ .github/workflows/deploy-sandbox.yml | 95 +++++++++++++++--------- 2 files changed, 142 insertions(+), 37 deletions(-) create mode 100644 .github/actions/tf-plan-apply/action.yml diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml new file mode 100644 index 000000000..0065f4a51 --- /dev/null +++ b/.github/actions/tf-plan-apply/action.yml 
@@ -0,0 +1,84 @@ +name: "Terraform Plan & Apply" + +description: "Run Terraform plan & Apply for a given component" + +inputs: + git_ref: + description: "Branch, tag or SHA to deploy" + required: true + + aws_assume_role: + description: "AWS IAM Role to assume" + required: true + + aws_region: + description: "AWS Region to use" + required: true + + terraform_version: + description: "Terraform version to use" + required: false + default: "1.13.3" + + backend_conf: + description: "Terraform backend config file" + required: true + + working_directory: + description: "Terraform working directory" + required: false + default: "./infrastructure" + + env_or_sandbox_name: + description: "Environment or Sandbox name [a-z0-9]{1,8}" + required: true + + tf_vars_file: + description: "Terraform variables file" + required: true + + +runs: + using: "composite" + steps: + # - name: Checkout Branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ inputs.git_ref }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ inputs.aws_assume_role }} + role-skip-session-tagging: true + aws-region: ${{ inputs.aws_region }} + mask-aws-account-id: true + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ inputs.terraform_version }} + terraform_wrapper: false + + - name: Initialise Terraform + # id: init + run: terraform init -backend-config=${{ inputs.backend_conf }} + working-directory: ${{ inputs.working_directory }} + shell: bash + + - name: Select Terraform Workspace + # id: workspace + run: terraform workspace select -or-create ${{ inputs.env_or_sandbox_name }} + working-directory: ${{ inputs.working_directory }} + shell: bash + + - name: Run Terraform Plan + # id: plan + run: | + terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -out tf.plan + working-directory: ${{ inputs.working_directory }} + shell: bash + + - name: Run Terraform Apply + run: 
terraform apply -auto-approve -input=false tf.plan + working-directory: ${{ inputs.working_directory }} \ No newline at end of file diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 862cc9069..d143ba454 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -37,7 +37,6 @@ jobs: ############################################ # NEW - terraform_plan_apply_pre_core: name: Terraform Plan/Apply (pre_core) runs-on: ubuntu-latest 
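Review bot: The `Initialise Terraform`, `Select Terraform Workspace` and `Run Terraform Plan` steps splice `${{ inputs.backend_conf }}`, `${{ inputs.env_or_sandbox_name }}` and `${{ inputs.tf_vars_file }}` straight into `run:` lines, so whatever the caller passes is expanded into the script before bash parses it; the `[a-z0-9]{1,8}` shape in the input description is documentation only and is not enforced here. The usual fix is to route each input through `env:` and reference it as a quoted shell variable, which also makes the composite action safe to reuse from workflows that have no validate_inputs job in front of it. Avoid the name `TF_WORKSPACE` for that variable, since Terraform reads it and it would override `workspace select`. The third-party actions are referenced by floating major tags (`@v5`, `@v3`); pinning to a commit SHA is the usual supply-chain hardening for a reusable action.
```yaml
    - name: Select Terraform Workspace
      env:
        WORKSPACE_NAME: ${{ inputs.env_or_sandbox_name }}
      run: terraform workspace select -or-create "$WORKSPACE_NAME"
      working-directory: ${{ inputs.working_directory }}
      shell: bash
    # … unchanged: apply the same env: pattern to backend_conf in "Initialise Terraform" and tf_vars_file in "Run Terraform Plan" …
```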
@@ -49,42 +48,65 @@ jobs: with: ref: ${{ github.event.inputs.git_ref}} - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 + - name: Apply pre_core + uses: ./.github/actions/tf-plan-apply with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.13.3 - terraform_wrapper: false - - - name: Initialise Terraform - id: pre_core_init - run: terraform init -backend-config=backend.conf - working-directory: ./pre_core - shell: bash - - - name: Select Terraform Workspace - id: pre_core_workspace - run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name }} - working-directory: ./pre_core - shell: bash - - - name: Run Terraform Plan - id: pre_core_plan - run: | - terraform plan -input=false -no-color -var-file="${{ vars.TF_VARS_FILE }}" -out tf-pre_core.plan - working-directory: ./pre_core - shell: bash - - - name: Run Terraform Apply - run: terraform apply -auto-approve -input=false tf-pre_core.plan - working-directory: ./pre_core + git_ref: ${{ github.event.inputs.git_ref}} + aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + aws_region: ${{ vars.AWS_REGION }} + backend_conf: "backend.conf" + working_directory: "./pre_core" + env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} + tf_vars_file: ${{ vars.TF_VARS_FILE }} + + + # terraform_plan_apply_pre_core: + # name: Terraform Plan/Apply (pre_core) + # runs-on: ubuntu-latest + # needs: validate_inputs + # environment: development + # steps: + # - name: Checkout branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ github.event.inputs.git_ref}} + + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + # role-skip-session-tagging: true + # aws-region: ${{ vars.AWS_REGION }} + 
# mask-aws-account-id: true + + # - name: Setup Terraform + # uses: hashicorp/setup-terraform@v3 + # with: + # terraform_version: 1.13.3 + # terraform_wrapper: false + + # - name: Initialise Terraform + # id: pre_core_init + # run: terraform init -backend-config=backend.conf + # working-directory: ./pre_core + # shell: bash + + # - name: Select Terraform Workspace + # id: pre_core_workspace + # run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name }} + # working-directory: ./pre_core + # shell: bash + + # - name: Run Terraform Plan + # id: pre_core_plan + # run: | + # terraform plan -input=false -no-color -var-file="${{ vars.TF_VARS_FILE }}" -out tf-pre_core.plan + # working-directory: ./pre_core + # shell: bash + + # - name: Run Terraform Apply + # run: terraform apply -auto-approve -input=false tf-pre_core.plan + # working-directory: ./pre_core ############################################ @@ -107,7 +129,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: From 117e8cae8f4b6e7e0aaa0fa56a9abccb6b6991cb Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 14:51:46 +0000 Subject: [PATCH 24/48] [ndr-297] added missing shell reference --- .github/actions/tf-plan-apply/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index 0065f4a51..7cedf8f34 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml @@ -81,4 +81,5 @@ runs: - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf.plan - working-directory: ${{ inputs.working_directory }} \ No newline at end of file + working-directory: ${{ inputs.working_directory }} + shell: bash 
From 27d3d9b70dd1f2298aba4d5735cb554dfa034acf Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 15:04:46 +0000 Subject: [PATCH 25/48] [ndr-297] update workflow to use new action --- .github/actions/tf-plan-apply/action.yml | 13 -- .github/workflows/deploy-sandbox.yml | 170 +++++++++++++---------- 2 files changed, 94 insertions(+), 89 deletions(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index 7cedf8f34..86a0c40a3 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml @@ -1,12 +1,7 @@ name: "Terraform Plan & Apply" - description: "Run Terraform plan & Apply for a given component" inputs: - git_ref: - description: "Branch, tag or SHA to deploy" - required: true - aws_assume_role: description: "AWS IAM Role to assume" required: true @@ -41,11 +36,6 @@ inputs: runs: using: "composite" steps: - # - name: Checkout Branch - # uses: actions/checkout@v5 - # with: - # ref: ${{ inputs.git_ref }} - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: @@ -61,19 +51,16 @@ runs: terraform_wrapper: false - name: Initialise Terraform - # id: init run: terraform init -backend-config=${{ inputs.backend_conf }} working-directory: ${{ inputs.working_directory }} shell: bash - name: Select Terraform Workspace - # id: workspace run: terraform workspace select -or-create ${{ inputs.env_or_sandbox_name }} working-directory: ${{ inputs.working_directory }} shell: bash - name: Run Terraform Plan - # id: plan run: | terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -out tf.plan working-directory: ${{ inputs.working_directory }} diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index d143ba454..3b753bdad 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
@@ -51,11 +51,10 @@ jobs: - name: Apply pre_core uses: ./.github/actions/tf-plan-apply with: - git_ref: ${{ github.event.inputs.git_ref}} aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} aws_region: ${{ vars.AWS_REGION }} backend_conf: "backend.conf" - working_directory: "./pre_core" + working_directory: "./pre_core" # Use separate pre_core directory env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} 
@@ -121,42 +120,51 @@ jobs: with: ref: main - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 + - name: Apply Main + uses: ./.github/actions/tf-plan-apply with: - terraform_version: 1.13.3 - terraform_wrapper: false - - - name: Initialise Terraform - id: main_init - run: terraform init -backend-config=backend.conf - working-directory: ./infrastructure - shell: bash - - - name: Select Terraform Workspace - id: main_workspace - run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} - working-directory: ./infrastructure - shell: bash - - - name: Run Terraform Plan - id: main_plan - run: | - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan - working-directory: ./infrastructure - shell: bash + aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + aws_region: ${{ vars.AWS_REGION }} + backend_conf: "backend.conf" + env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} + tf_vars_file: ${{ vars.TF_VARS_FILE }} - - name: Run Terraform Apply - run: terraform apply -auto-approve -input=false tf-main.plan - working-directory: ./infrastructure + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + # role-skip-session-tagging: true + # aws-region: ${{ vars.AWS_REGION }} + # mask-aws-account-id: true + + # - name: Setup Terraform + # uses: hashicorp/setup-terraform@v3 + # with: + # terraform_version: 1.13.3 + # terraform_wrapper: false + + # - name: Initialise Terraform + # id: main_init + # run: terraform init -backend-config=backend.conf + # working-directory: ./infrastructure + # shell: bash + + # - name: Select Terraform Workspace + # id: main_workspace + # 
run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} + # working-directory: ./infrastructure + # shell: bash + + # - name: Run Terraform Plan + # id: main_plan + # run: | + # terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan + # working-directory: ./infrastructure + # shell: bash + + # - name: Run Terraform Apply + # run: terraform apply -auto-approve -input=false tf-main.plan + # working-directory: ./infrastructure terraform_plan_apply_branch: name: Terraform Plan/Apply (branch) 
@@ -165,50 +173,60 @@ jobs: needs: terraform_plan_apply_main environment: development steps: - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - # Use role that we've just created in pre_core - role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.13.3 - terraform_wrapper: false + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # # Use role that we've just created in pre_core + # role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role + # role-skip-session-tagging: true + # aws-region: ${{ vars.AWS_REGION }} + # mask-aws-account-id: true + + # - name: Setup Terraform + # uses: hashicorp/setup-terraform@v3 + # with: + # terraform_version: 1.13.3 + # terraform_wrapper: false - name: Checkout Branch uses: actions/checkout@v5 with: ref: ${{ github.event.inputs.git_ref}} - # Checks that all Terraform configuration files adhere to a canonical format. 
- - name: Check Terraform Formatting - run: terraform fmt -check - working-directory: ./infrastructure - - - name: Initialise Terraform - id: init - run: terraform init -backend-config=backend.conf - working-directory: ./infrastructure - shell: bash - - - name: Select Terraform Workspace - id: workspace - run: terraform workspace select ${{ github.event.inputs.sandbox_name}} - working-directory: ./infrastructure - shell: bash - - - name: Run Terraform Plan - id: plan - run: | - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan - working-directory: ./infrastructure - shell: bash + - name: Apply Branch + uses: ./.github/actions/tf-plan-apply + with: + aws_assume_role: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role + aws_region: ${{ vars.AWS_REGION }} + backend_conf: "backend.conf" + env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} + tf_vars_file: ${{ vars.TF_VARS_FILE }} + - - name: Run Terraform Apply (branch over main) - run: terraform apply -auto-approve -input=false tf.plan - working-directory: ./infrastructure + # # Checks that all Terraform configuration files adhere to a canonical format. 
+ # - name: Check Terraform Formatting + # run: terraform fmt -check + # working-directory: ./infrastructure + + # - name: Initialise Terraform + # id: init + # run: terraform init -backend-config=backend.conf + # working-directory: ./infrastructure + # shell: bash + + # - name: Select Terraform Workspace + # id: workspace + # run: terraform workspace select ${{ github.event.inputs.sandbox_name}} + # working-directory: ./infrastructure + # shell: bash + + # - name: Run Terraform Plan + # id: plan + # run: | + # terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan + # working-directory: ./infrastructure + # shell: bash + + # - name: Run Terraform Apply (branch over main) + # run: terraform apply -auto-approve -input=false tf.plan + # working-directory: ./infrastructure From 5376087af3797cd4e58ade8bd8b3c59486512b1c Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 15:10:18 +0000 Subject: [PATCH 26/48] [ndr-297] testing --- .github/workflows/deploy-sandbox.yml | 85 ++++++++++++++-------------- 1 file changed, 43 insertions(+), 42 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 3b753bdad..5e3f0f5a7 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
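Review bot: Moving the branch job onto the composite action changes one behaviour the commit does not mention: the removed step ran `terraform workspace select ${{ github.event.inputs.sandbox_name}}` without `-or-create`, so a branch apply against a workspace the main job had not created failed, whereas the action's `workspace select -or-create` will now create it and apply the branch into a fresh, empty state. If the old fail-fast behaviour was intentional, either add a boolean `create_workspace` input to the action or keep an explicit `terraform workspace select` step before `Apply Branch`. Leaving the old steps in as a commented block also makes the job harder to read than a short comment pointing at the action would.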
@@ -120,51 +120,52 @@ jobs: with: ref: main - - name: Apply Main - uses: ./.github/actions/tf-plan-apply - with: - aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} - aws_region: ${{ vars.AWS_REGION }} - backend_conf: "backend.conf" - env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} - tf_vars_file: ${{ vars.TF_VARS_FILE }} - - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v5 + # TODO: We can't use this on the main branch, until the action is merged to main! + # - name: Apply Main + # uses: ./.github/actions/tf-plan-apply # with: - # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - # role-skip-session-tagging: true - # aws-region: ${{ vars.AWS_REGION }} - # mask-aws-account-id: true - - # - name: Setup Terraform - # uses: hashicorp/setup-terraform@v3 - # with: - # terraform_version: 1.13.3 - # terraform_wrapper: false - - # - name: Initialise Terraform - # id: main_init - # run: terraform init -backend-config=backend.conf - # working-directory: ./infrastructure - # shell: bash - - # - name: Select Terraform Workspace - # id: main_workspace - # run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} - # working-directory: ./infrastructure - # shell: bash + # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + # aws_region: ${{ vars.AWS_REGION }} + # backend_conf: "backend.conf" + # env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} + # tf_vars_file: ${{ vars.TF_VARS_FILE }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + mask-aws-account-id: true - # - name: Run Terraform Plan - # id: main_plan - # run: | - # terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan - # working-directory: ./infrastructure - # shell: bash + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + 
with: + terraform_version: 1.13.3 + terraform_wrapper: false + + - name: Initialise Terraform + id: main_init + run: terraform init -backend-config=backend.conf + working-directory: ./infrastructure + shell: bash + + - name: Select Terraform Workspace + id: main_workspace + run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} + working-directory: ./infrastructure + shell: bash + + - name: Run Terraform Plan + id: main_plan + run: | + terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan + working-directory: ./infrastructure + shell: bash - # - name: Run Terraform Apply - # run: terraform apply -auto-approve -input=false tf-main.plan - # working-directory: ./infrastructure + - name: Run Terraform Apply + run: terraform apply -auto-approve -input=false tf-main.plan + working-directory: ./infrastructure terraform_plan_apply_branch: name: Terraform Plan/Apply (branch) From 07b010b93619cbace1bc6b847b8f7e6d82b2b947 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 17 Dec 2025 15:22:35 +0000 Subject: [PATCH 27/48] [ndr-297] code tidy-up --- .github/workflows/deploy-sandbox.yml | 102 ++------------------------- 1 file changed, 5 insertions(+), 97 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 5e3f0f5a7..c487be268 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -35,8 +35,7 @@ jobs: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} -############################################ -# NEW +# APPLY PRE_CORE TF (FROM CHOSEN BRANCH) terraform_plan_apply_pre_core: name: Terraform Plan/Apply (pre_core) runs-on: ubuntu-latest 
@@ -59,56 +58,7 @@ jobs: tf_vars_file: ${{ vars.TF_VARS_FILE }} - # terraform_plan_apply_pre_core: - # name: Terraform Plan/Apply (pre_core) - # runs-on: ubuntu-latest - # needs: validate_inputs - # environment: development - # steps: - # - name: Checkout branch - # uses: actions/checkout@v5 - # with: - # ref: ${{ github.event.inputs.git_ref}} - - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v5 - # with: - # role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - # role-skip-session-tagging: true - # aws-region: ${{ vars.AWS_REGION }} - # mask-aws-account-id: true - - # - name: Setup Terraform - # uses: hashicorp/setup-terraform@v3 - # with: - # terraform_version: 1.13.3 - # terraform_wrapper: false - - # - name: Initialise Terraform - # id: pre_core_init - # run: terraform init -backend-config=backend.conf - # working-directory: ./pre_core - # shell: bash - - # - name: Select Terraform Workspace - # id: pre_core_workspace - # run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name }} - # working-directory: ./pre_core - # shell: bash - - # - name: Run Terraform Plan - # id: pre_core_plan - # run: | - # terraform plan -input=false -no-color -var-file="${{ vars.TF_VARS_FILE }}" -out tf-pre_core.plan - # working-directory: ./pre_core - # shell: bash - - # - name: Run Terraform Apply - # run: terraform apply -auto-approve -input=false tf-pre_core.plan - # working-directory: ./pre_core - -############################################ - + # APPLY MAIN terraform_plan_apply_main: name: Terraform Plan/Apply (main) runs-on: ubuntu-latest @@ -120,7 +70,7 @@ jobs: with: ref: main - # TODO: We can't use this on the main branch, until the action is merged to main! + # TODO: We can't use this on the main branch yet, until the action is merged to main! # - name: Apply Main # uses: ./.github/actions/tf-plan-apply # with: 
@@ -167,6 +117,8 @@ jobs: run: terraform apply -auto-approve -input=false tf-main.plan working-directory: ./infrastructure + + # APPLY CHOSEN BRANCH terraform_plan_apply_branch: name: Terraform Plan/Apply (branch) if: ${{ github.event.inputs.git_ref != 'main' }} @@ -174,21 +126,6 @@ jobs: needs: terraform_plan_apply_main environment: development steps: - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v5 - # with: - # # Use role that we've just created in pre_core - # role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role - # role-skip-session-tagging: true - # aws-region: ${{ vars.AWS_REGION }} - # mask-aws-account-id: true - - # - name: Setup Terraform - # uses: hashicorp/setup-terraform@v3 - # with: - # terraform_version: 1.13.3 - # terraform_wrapper: false - - name: Checkout Branch uses: actions/checkout@v5 with: @@ -202,32 +139,3 @@ jobs: backend_conf: "backend.conf" env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} - - - # # Checks that all Terraform configuration files adhere to a canonical format. - # - name: Check Terraform Formatting - # run: terraform fmt -check - # working-directory: ./infrastructure - - # - name: Initialise Terraform - # id: init - # run: terraform init -backend-config=backend.conf - # working-directory: ./infrastructure - # shell: bash - - # - name: Select Terraform Workspace - # id: workspace - # run: terraform workspace select ${{ github.event.inputs.sandbox_name}} - # working-directory: ./infrastructure - # shell: bash - - # - name: Run Terraform Plan - # id: plan - # run: | - # terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan - # working-directory: ./infrastructure - # shell: bash - - # - name: Run Terraform Apply (branch over main) - # run: terraform apply -auto-approve -input=false tf.plan - # working-directory: ./infrastructure 
From 31d96ad33a7248e8ebcb1e374893d101417fdbd7 Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Thu, 18 Dec 2025 13:46:50 +0000
Subject: [PATCH 28/48] [ndr-297] renamed inputs
---
 .github/actions/tf-plan-apply/action.yml | 17 +++++++++++++----
 .github/workflows/deploy-sandbox.yml | 6 +++---
 .github/workflows/tear-down-sandbox.yml | 3 ++-
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml
index 86a0c40a3..7924b2476 100644
--- a/.github/actions/tf-plan-apply/action.yml
+++ b/.github/actions/tf-plan-apply/action.yml
@@ -24,14 +24,18 @@ inputs:
 required: false
 default: "./infrastructure"
- env_or_sandbox_name:
- description: "Environment or Sandbox name [a-z0-9]{1,8}"
+ workspace:
+ description: "Environment (ndr-dev, test, etc) or Sandbox name [a-z0-9]{1,8}"
 required: true
 tf_vars_file:
 description: "Terraform variables file"
 required: true
+ tf_extra_args:
+ description: "Additional Terraform arguments to pass in"
+ required: false
+ default: ""
 runs:
 using: "composite"
@@ -56,13 +60,18 @@ runs:
 shell: bash
 - name: Select Terraform Workspace
- run: terraform workspace select -or-create ${{ inputs.env_or_sandbox_name }}
+ run: terraform workspace select -or-create ${{ inputs.workspace }}
+ working-directory: ${{ inputs.working_directory }}
+ shell: bash
+
+ - name: Check Terraform Formatting
+ run: terraform fmt -check
 working-directory: ${{ inputs.working_directory }}
 shell: bash
 - name: Run Terraform Plan
 run: |
- terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -out tf.plan
+ terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
 working-directory: ${{ inputs.working_directory }}
 shell: bash
diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml
index c487be268..b714e0835 100644
--- a/.github/workflows/deploy-sandbox.yml
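Review bot: The new `${{ inputs.tf_extra_args }}` on the Run Terraform Plan line is substituted into the script text before bash runs it, so anything a calling workflow places in that input is evaluated as shell rather than handed to Terraform as an argument; the `${{ inputs.workspace }}` on the Select Terraform Workspace line has the same shape. Route the value through the step environment instead, e.g. add `env:` / `TF_EXTRA_ARGS: ${{ inputs.tf_extra_args }}` to the step and write the command as `terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" $TF_EXTRA_ARGS -out tf.plan`, so the shell sees it as data (an unquoted variable still word-splits into separate Terraform arguments, and the empty default expands to nothing). The only callers visible in this commit pass `github.event.inputs.sandbox_name`, so actual exposure depends on how that workflow_dispatch input is validated upstream, which is not in this hunk.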
+++ b/.github/workflows/deploy-sandbox.yml
@@ -54,7 +54,7 @@ jobs:
 aws_region: ${{ vars.AWS_REGION }}
 backend_conf: "backend.conf"
 working_directory: "./pre_core" # Use separate pre_core directory
- env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }}
+ workspace: ${{ github.event.inputs.sandbox_name }}
 tf_vars_file: ${{ vars.TF_VARS_FILE }}
@@ -77,7 +77,7 @@ jobs:
 # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }}
 # aws_region: ${{ vars.AWS_REGION }}
 # backend_conf: "backend.conf"
- # env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }}
+ # workspace: ${{ github.event.inputs.sandbox_name }}
 # tf_vars_file: ${{ vars.TF_VARS_FILE }}
 - name: Configure AWS Credentials
@@ -137,5 +137,5 @@ jobs:
 aws_assume_role: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 aws_region: ${{ vars.AWS_REGION }}
 backend_conf: "backend.conf"
- env_or_sandbox_name: ${{ github.event.inputs.sandbox_name }}
+ workspace: ${{ github.event.inputs.sandbox_name }}
 tf_vars_file: ${{ vars.TF_VARS_FILE }}
diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml
index dac8963d0..cd1e593c8 100644
--- a/.github/workflows/tear-down-sandbox.yml
+++ b/.github/workflows/tear-down-sandbox.yml
@@ -104,7 +104,8 @@ jobs:
 terraform_destroy_pre_core:
 name: Terraform Destroy (Pre-Core)
- # TODO: Should we allow 'test' to be destroyed?
+ # Only destroy pre-core in development (sandbox) environment. Don't tear down in Test environment.
+ # TODO: TEST THAT BRANCH ISN'T NDR-DEV!
 if: ${{ github.event.inputs.environment == 'development' }}
 runs-on: ubuntu-latest
 needs: [terraform_destroy]
From 666de66e5ba5b8be400498c2c335f26e8c219024 Mon Sep 17 00:00:00 2001
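Review bot: The TODO added above `terraform_destroy_pre_core` records that the workspace name is still not checked, but the `if:` it sits on only tests `github.event.inputs.environment == 'development'`, so a dispatch that names the shared `ndr-dev` workspace still passes the guard and destroys that role. The check the comment asks for is one line: `if: ${{ github.event.inputs.environment == 'development' && github.event.inputs.sandbox_name != 'ndr-dev' }}`. The job's steps continue outside this hunk; `sandbox_name` is the input this workflow uses to build the role ARN in the next commit, so adjust the name if the job reads a different input.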
From: Tim Knight Date: Thu, 18 Dec 2025 14:55:07 +0000 Subject: [PATCH 29/48] [ndr-297] using new Env based AWS_ACCOUNT_ID --- .github/workflows/deploy-sandbox.yml | 3 +- .github/workflows/tear-down-sandbox.yml | 2 +- pre_core/iam_github_test.tf | 115 ------------------------ 3 files changed, 3 insertions(+), 117 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index b714e0835..cf7c54fe8 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -119,6 +119,7 @@ jobs: # APPLY CHOSEN BRANCH + # USING THE NEWLY CREATED ROLE terraform_plan_apply_branch: name: Terraform Plan/Apply (branch) if: ${{ github.event.inputs.git_ref != 'main' }} @@ -134,7 +135,7 @@ jobs: - name: Apply Branch uses: ./.github/actions/tf-plan-apply with: - aws_assume_role: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role + aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws_region: ${{ vars.AWS_REGION }} backend_conf: "backend.conf" workspace: ${{ github.event.inputs.sandbox_name }} diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index cd1e593c8..05667610b 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -81,7 +81,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v5 with: # Use role created in pre_core - role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true diff --git a/pre_core/iam_github_test.tf b/pre_core/iam_github_test.tf index a18a1c218..7ac6966a2 100644 --- a/pre_core/iam_github_test.tf 
+++ b/pre_core/iam_github_test.tf 
@@ -106,121 +106,6 @@ resource "aws_iam_role" "github_role_test" { policy = jsonencode( { Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:${var.pre_prod_account_id}:event-bus/*", - "arn:aws:events:*:${var.pre_prod_account_id}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", - 
"arn:aws:lambda:*:${var.pre_prod_account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${var.pre_prod_account_id}:code-signing-config:*", - "arn:aws:lambda:*:${var.pre_prod_account_id}:function:*", - "arn:aws:cognito-identity:*:${var.pre_prod_account_id}:identitypool/*", - "arn:aws:resource-groups:*:${var.pre_prod_account_id}:group/*", - "arn:aws:backup:*:${var.pre_prod_account_id}:backup-plan:*", - "arn:aws:backup:*:${var.pre_prod_account_id}:report-plan:*-*", - "arn:aws:backup:*:${var.pre_prod_account_id}:restore-testing-plan:*-*", - "arn:aws:backup:*:${var.pre_prod_account_id}:backup-vault:*", - "arn:aws:backup:*:${var.pre_prod_account_id}:legal-hold:*", - "arn:aws:backup:*:${var.pre_prod_account_id}:framework:*-*", - "arn:aws:iam::${var.pre_prod_account_id}:policy/*", - "arn:aws:iam::${var.pre_prod_account_id}:instance-profile/*", - "arn:aws:iam::${var.pre_prod_account_id}:role/*", - "arn:aws:sns:*:${var.pre_prod_account_id}:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:log-group:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:delivery-source:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:delivery:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:destination:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:delivery-destination:*", - "arn:aws:logs:*:${var.pre_prod_account_id}:anomaly-detector:*", - "*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", - 
"arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${var.pre_prod_account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${var.pre_prod_account_id}:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, { Action = [ "resource-groups:SearchResources", From eabcf9740b24e32de83a4d0b0504128f7cabb248 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 19 Dec 2025 15:22:30 +0000 Subject: [PATCH 30/48] [ndr-297] refactored to remove deprecation warnings --- pre_core/iam_github_dev.tf | 706 +++++++++++++++++++------------------ 1 file changed, 358 insertions(+), 348 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index d671f6507..7a2892ae4 100644 
--- a/pre_core/iam_github_dev.tf
+++ b/pre_core/iam_github_dev.tf
@@ -1,8 +1,15 @@
 # aws_iam_role.github_role_dev[0]:
 resource "aws_iam_role" "github_role_dev" {
- # TODO: Remove empty tags and null entries?
- count = local.is_sandbox_or_dev ? 1 : 0
- assume_role_policy = jsonencode(
+ count = local.is_sandbox_or_dev ? 1 : 0
+ name = "${terraform.workspace}-github-actions-role"
+ description = "This role is to provide access for GitHub actions to the development environment. "
+ force_detach_policies = false
+ max_session_duration = 3600
+ name_prefix = null
+ path = "/"
+ permissions_boundary = null
+ tags = {}
+ assume_role_policy = jsonencode(
 {
 Statement = [
 {
@@ -34,353 +41,353 @@ resource "aws_iam_role" "github_role_dev" { Version = "2012-10-17" } ) - description = "This role is to provide access for GitHub actions to the development environment. " - force_detach_policies = false - managed_policy_arns = [ - # aws_iam_policy.config_policy_dev[0].arn, - # aws_iam_policy.ecr_github_access_policy_dev[0].arn, - aws_iam_policy.github_actions_terraform_full_dev[0].arn, - # aws_iam_policy.github_mtls_gateway_dev[0].arn, - # aws_iam_policy.github_terraform_tagging_policy_dev[0].arn, - # aws_iam_policy.lambda_github_access_policy_dev[0].arn, - # aws_iam_policy.repo_app_config_dev[0].arn, - # aws_iam_policy.terraform_github_dynamodb_access_policy_dev[0].arn, - # aws_iam_policy.terraform_github_s3_access_policy_dev[0].arn, - aws_iam_policy.github_actions_extended[0].arn, - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "${terraform.workspace}-github-actions-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} - - inline_policy { - name = "cloudtrail" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - "cloudtrail:DeleteTrail", - ] - Effect = "Allow" - Resource = [ - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", - ] - Sid = "VisualEditor0" - }, - { - Action = "organizations:ListAWSServiceAccessForOrganization" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - 
"logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" - Sid = "Statement1" - }, - { - Action = [ - "logs:PutDeliverySource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", - ] - Sid = "Statement2" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-actions-waf-override" - policy = jsonencode( - { - Statement = [ - { - Action = "apigateway:SetWebACL" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "lambda_layer_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = 
"arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step-functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - - - - - - inline_policy { - name = "github_terraform_tagging_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - 
"backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, - ] - Version = "2012-10-17" - } - ) - } +} +# INLINE POLICIES +resource "aws_iam_role_policy" "cloudtrail_dev" { + role = aws_iam_role.github_role_dev.id + name = "cloudtrail" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:StartLogging", + "cloudtrail:DeleteTrail", + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", + ] + Sid = "VisualEditor0" + }, + { + Action = "organizations:ListAWSServiceAccessForOrganization" + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor1" + }, + ] + Version = "2012-10-17" + } + ) } +resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { + role = aws_iam_role.github_role_dev.id + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" + Sid = "Statement1" + }, + { + Action = [ + "logs:PutDeliverySource", + ] + Effect = "Allow" 
+ Resource = [ + "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", + ] + Sid = "Statement2" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "ecs_policy_dev" { + role = aws_iam_role.github_role_dev.id + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "github_actions_waf_override_dev" { + role = aws_iam_role.github_role_dev.id + name = "github_actions_waf_override" + policy = jsonencode( + { + Statement = [ + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "lambda_layer_policy_dev" { + role = aws_iam_role.github_role_dev.id + name = "lambda_layer_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:GetLayerVersion", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:ListLayerVersions", + "lambda:ListLayers", + "lambda:AddLayerVersionPermission", + "lambda:GetLayerVersionPolicy", + "lambda:RemoveLayerVersionPermission", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "rum_policy_dev" { + role = aws_iam_role.github_role_dev.id + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + 
"rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "step_functions_dev" { + role = aws_iam_role.github_role_dev.id + name = "step_functions" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "states:DescribeStateMachine", + "states:UpdateStateMachine", + "states:DeleteStateMachine", + "states:CreateStateMachine", + "states:TagResource", + "states:UntagResource", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { + role = aws_iam_role.github_role_dev.id + name = "github_terraform_tagging_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "sns:TagResource", + "backup:TagResource", + "resource-groups:GetGroupQuery", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + 
"backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "resource-groups:DeleteGroup", + "events:TagResource", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", + "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", + "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor2" + }, + ] + Version = "2012-10-17" + } + ) +} + + +# ATTACHED POLICIES + +resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_dev" { + role = aws_iam_role.github_role_dev.name + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" +} + +resource "aws_iam_role_policy_attachment" "github_actions_terraform_full_dev" { + role = aws_iam_role.github_role_dev.name + policy_arn = aws_iam_policy.github_actions_terraform_full_dev.arn +} # aws_iam_policy.github_actions_terraform_full_dev[0]: resource "aws_iam_policy" "github_actions_terraform_full_dev" { @@ -634,11 +641,15 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { } ) tags = {} - tags_all = {} } +resource "aws_iam_role_policy_attachment" "github_actions_extended_dev" { + role = aws_iam_role.github_role_dev.name + policy_arn = aws_iam_policy.github_actions_extended_dev.arn +} + # aws_iam_policy github_actions_extended # Incorporates permissions from: # config_policy @@ -649,7 +660,7 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { # repo_app_config # terraform_github_dynamodb_access_policy # terraform_github_s3_access_policy -resource "aws_iam_policy" "github_actions_extended" { +resource "aws_iam_policy" "github_actions_extended_dev" { count = local.is_sandbox_or_dev ? 1 : 0 description = null name = "${terraform.workspace}-github_actions_extended" @@ -867,5 +878,4 @@ resource "aws_iam_policy" "github_actions_extended" { } ) tags = {} - tags_all = {} } From 0ac475c461b7dabe15f9aa4267ad99bbfc02018f Mon Sep 17 00:00:00 2001 
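Review bot: Renaming the resource address from `aws_iam_policy.github_actions_extended` to `aws_iam_policy.github_actions_extended_dev` in the `@@ -649,7 +660,7 @@` hunk without a `moved` block makes Terraform plan a destroy of the old policy and a create of the new one, detaching it from the role for the duration of the apply. If the old address is already in state (the Makefile's import target in this series suggests these policies were imported rather than created fresh), add `moved { from = aws_iam_policy.github_actions_extended  to = aws_iam_policy.github_actions_extended_dev }` beside the resource so the rename becomes a state move. The same consideration applies to any other resource renamed in this series without a corresponding `moved` block. The renamed resource's body continues outside the hunk.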
From: Tim Knight Date: Fri, 19 Dec 2025 15:25:25 +0000 Subject: [PATCH 31/48] [ndr-297] linting --- pre_core/iam_github_dev.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 7a2892ae4..5e89f9329 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -9,7 +9,7 @@ resource "aws_iam_role" "github_role_dev" { path = "/" permissions_boundary = null tags = {} - assume_role_policy = jsonencode( + assume_role_policy = jsonencode( { Statement = [ { @@ -640,7 +640,7 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { Version = "2012-10-17" } ) - tags = {} + tags = {} } @@ -877,5 +877,5 @@ resource "aws_iam_policy" "github_actions_extended_dev" { Version = "2012-10-17" } ) - tags = {} + tags = {} } From 61d2adb225ef91f1829b30b4fc0127cad157a677 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 19 Dec 2025 15:35:18 +0000 Subject: [PATCH 32/48] [ndr-297] fixed array reference --- pre_core/iam_github_dev.tf | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index 5e89f9329..bb998998e 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf @@ -47,7 +47,8 @@ resource "aws_iam_role" "github_role_dev" { # INLINE POLICIES resource "aws_iam_role_policy" "cloudtrail_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "cloudtrail" policy = jsonencode( { @@ -80,7 +81,8 @@ resource "aws_iam_role_policy" "cloudtrail_dev" { } resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "cloudwatch_logs_policy" policy = jsonencode( { 
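Review bot: The `count = local.is_sandbox_or_dev ? 1 : 0` / `github_role_dev[0]` pair added to `cloudtrail_dev` in the `@@ -47,7 +47,8 @@` hunk is repeated verbatim on every other inline policy and attachment in this commit (the cloudwatch_logs, ecs, waf_override, lambda_layer, rum, step_functions, tagging and the three `aws_iam_role_policy_attachment` hunks), so a later change to the gating condition has eleven places to miss. Consider a single local such as `dev_count = local.is_sandbox_or_dev ? 1 : 0` referenced as `count = local.dev_count`, or moving the dev role and its policies into a module instantiated once behind the condition. The `[0]` references only resolve because every referencing resource carries the identical count; a one-line comment on the role stating that invariant would help the next editor. Each resource body continues outside its hunk.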
@@ -121,7 +123,8 @@ resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { } resource "aws_iam_role_policy" "ecs_policy_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "ecs_policy" policy = jsonencode( { @@ -142,7 +145,8 @@ resource "aws_iam_role_policy" "ecs_policy_dev" { } resource "aws_iam_role_policy" "github_actions_waf_override_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "github_actions_waf_override" policy = jsonencode( { @@ -159,7 +163,8 @@ resource "aws_iam_role_policy" "github_actions_waf_override_dev" { } resource "aws_iam_role_policy" "lambda_layer_policy_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "lambda_layer_policy" policy = jsonencode( { @@ -186,7 +191,8 @@ resource "aws_iam_role_policy" "lambda_layer_policy_dev" { } resource "aws_iam_role_policy" "rum_policy_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "rum_policy" policy = jsonencode( { @@ -247,7 +253,8 @@ resource "aws_iam_role_policy" "rum_policy_dev" { } resource "aws_iam_role_policy" "step_functions_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "step_functions" policy = jsonencode( { @@ -272,7 +279,8 @@ resource "aws_iam_role_policy" "step_functions_dev" { } resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { - role = aws_iam_role.github_role_dev.id + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id name = "github_terraform_tagging_policy" policy = jsonencode( { 
@@ -380,13 +388,15 @@ resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { # ATTACHED POLICIES resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_dev" { - role = aws_iam_role.github_role_dev.name + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].name policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" } resource "aws_iam_role_policy_attachment" "github_actions_terraform_full_dev" { - role = aws_iam_role.github_role_dev.name - policy_arn = aws_iam_policy.github_actions_terraform_full_dev.arn + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].name + policy_arn = aws_iam_policy.github_actions_terraform_full_dev[0].arn } # aws_iam_policy.github_actions_terraform_full_dev[0]: @@ -646,8 +656,9 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { resource "aws_iam_role_policy_attachment" "github_actions_extended_dev" { - role = aws_iam_role.github_role_dev.name - policy_arn = aws_iam_policy.github_actions_extended_dev.arn + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].name + policy_arn = aws_iam_policy.github_actions_extended_dev[0].arn } # aws_iam_policy github_actions_extended From 4270a9b2751361c99d27581a80a993641f605282 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 19 Dec 2025 15:35:41 +0000 Subject: [PATCH 33/48] [ndr-297] linting --- pre_core/iam_github_dev.tf | 54 +++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/pre_core/iam_github_dev.tf b/pre_core/iam_github_dev.tf index bb998998e..39cae66aa 100644 --- a/pre_core/iam_github_dev.tf +++ b/pre_core/iam_github_dev.tf 
@@ -47,9 +47,9 @@ resource "aws_iam_role" "github_role_dev" { # INLINE POLICIES resource "aws_iam_role_policy" "cloudtrail_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "cloudtrail" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "cloudtrail" policy = jsonencode( { Statement = [ @@ -81,9 +81,9 @@ resource "aws_iam_role_policy" "cloudtrail_dev" { } resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "cloudwatch_logs_policy" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "cloudwatch_logs_policy" policy = jsonencode( { Statement = [ @@ -123,9 +123,9 @@ resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { } resource "aws_iam_role_policy" "ecs_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "ecs_policy" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "ecs_policy" policy = jsonencode( { Statement = [ @@ -145,9 +145,9 @@ resource "aws_iam_role_policy" "ecs_policy_dev" { } resource "aws_iam_role_policy" "github_actions_waf_override_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "github_actions_waf_override" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "github_actions_waf_override" policy = jsonencode( { Statement = [ 
@@ -163,9 +163,9 @@ resource "aws_iam_role_policy" "github_actions_waf_override_dev" { } resource "aws_iam_role_policy" "lambda_layer_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "lambda_layer_policy" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "lambda_layer_policy" policy = jsonencode( { Statement = [ @@ -191,9 +191,9 @@ resource "aws_iam_role_policy" "lambda_layer_policy_dev" { } resource "aws_iam_role_policy" "rum_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "rum_policy" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "rum_policy" policy = jsonencode( { Statement = [ @@ -253,9 +253,9 @@ resource "aws_iam_role_policy" "rum_policy_dev" { } resource "aws_iam_role_policy" "step_functions_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "step_functions" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "step_functions" policy = jsonencode( { Statement = [ @@ -279,9 +279,9 @@ resource "aws_iam_role_policy" "step_functions_dev" { } resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.github_role_dev[0].id - name = "github_terraform_tagging_policy" + count = local.is_sandbox_or_dev ? 1 : 0 + role = aws_iam_role.github_role_dev[0].id + name = "github_terraform_tagging_policy" policy = jsonencode( { Statement = [ 
@@ -388,13 +388,13 @@ resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { # ATTACHED POLICIES resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 + count = local.is_sandbox_or_dev ? 1 : 0 role = aws_iam_role.github_role_dev[0].name policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" } resource "aws_iam_role_policy_attachment" "github_actions_terraform_full_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 + count = local.is_sandbox_or_dev ? 1 : 0 role = aws_iam_role.github_role_dev[0].name policy_arn = aws_iam_policy.github_actions_terraform_full_dev[0].arn } @@ -656,7 +656,7 @@ resource "aws_iam_policy" "github_actions_terraform_full_dev" { resource "aws_iam_role_policy_attachment" "github_actions_extended_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 + count = local.is_sandbox_or_dev ? 1 : 0 role = aws_iam_role.github_role_dev[0].name policy_arn = aws_iam_policy.github_actions_extended_dev[0].arn } From 54b44c651ed105d07d5c5e2cdbd8d29858d44556 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Fri, 19 Dec 2025 16:13:50 +0000 Subject: [PATCH 34/48] [ndr-297] add pre-core to deployment workflow --- .github/workflows/automated-deploy-dev.yml | 32 +++++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml index a9859ff59..de1aa78ba 100644 --- a/.github/workflows/automated-deploy-dev.yml +++ b/.github/workflows/automated-deploy-dev.yml 
@@ -13,11 +13,35 @@ permissions: actions: read # This is required for Plan comment id-token: write # This is required for requesting the JWT contents: write # This is required for SBOM action - + jobs: + + # Terraform apply of pre-core will only occur on a push (merge request completion) + terraform_plan_apply_pre_core: + if: github.ref == 'refs/heads/main' + name: Terraform Plan/Apply (pre_core) + runs-on: ubuntu-latest + environment: development + steps: + - name: Checkout branch + uses: actions/checkout@v5 + + - name: Apply pre_core + uses: ./.github/actions/tf-plan-apply + with: + aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + aws_region: ${{ vars.AWS_REGION }} + backend_conf: "backend.conf" + working_directory: "./pre_core" # Use separate pre_core directory + workspace: ${{ secrets.AWS_WORKSPACE }} + tf_vars_file: ${{ vars.TF_VARS_FILE }} + + # Will run when terraform_plan_apply_pre_core completes or is skipped terraform_plan_apply: name: Terraform Plan/Apply (ndr-dev) runs-on: ubuntu-latest + needs: terraform_plan_apply_pre_core + if: always() && (needs.terraform_plan_apply_pre_core.result == 'skipped' || needs.terraform_plan_apply_pre_core.result == 'success') environment: development steps: - name: Checkout @@ -73,7 +97,7 @@ jobs: echo "::add-mask::$cert_block" fi done || echo "No certificate blocks found to mask." - + # Mask sensitive URLs in the Terraform Plan output grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do if [ -n "$api_url" ]; then @@ -153,7 +177,7 @@ jobs: // 2. Prepare format of the comment const output = `### Report for environment: ndr-dev - + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
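Review bot: With `if: github.ref == 'refs/heads/main'` on `terraform_plan_apply_pre_core`, the pre_core plan never runs for a pull request, so changes to the GitHub Actions IAM role and its policies go from merge straight to apply without a plan anyone has reviewed, while the main `terraform_plan_apply` job next to it still produces a reviewable plan. Consider running the pre_core plan on pull requests too and gating only the apply on `main` (the composite action appears to do both, so it may need a plan-only input), or at least surfacing the pre_core plan in the PR comment. Both jobs also inherit the workflow-level `contents: write` and `id-token: write` permissions shown in the context lines; the pre_core job needs `id-token: write` for OIDC but presumably not `contents: write`, so a job-level `permissions:` block would narrow it. The `always() && (... == 'skipped' || ... == 'success')` condition on the dependent job reads correctly.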
Initialization Output @@ -191,7 +215,7 @@ jobs: body: output }) } - + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, From f8d9ee78ba5435b98ef607a678399b4054ded6fc Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 6 Jan 2026 07:30:23 +0000 Subject: [PATCH 35/48] [ndr-297] renaming pre_core to base_iam --- .github/workflows/automated-deploy-dev.yml | 14 +++--- .github/workflows/deploy-pre-prod.yml | 48 +++++++++++++++++++ .github/workflows/deploy-sandbox.yml | 13 ++--- .github/workflows/deploy-test.yml | 48 +++++++++++++++++-- .github/workflows/tear-down-sandbox.yml | 14 +++--- {pre_core => base_iam}/Makefile | 0 base_iam/backend.conf | 1 + {pre_core => base_iam}/dev.tfvars | 0 {pre_core => base_iam}/iam_github_dev.tf | 0 {pre_core => base_iam}/iam_github_pre-prod.tf | 0 {pre_core => base_iam}/iam_github_test.tf | 0 {pre_core => base_iam}/main.tf | 0 {pre_core => base_iam}/policy_tool.py | 0 {pre_core => base_iam}/providers.tf | 0 {pre_core => base_iam}/terraform.tf | 3 +- {pre_core => base_iam}/variables.tf | 0 pre_core/backend.conf | 1 - 17 files changed, 115 insertions(+), 27 deletions(-) rename {pre_core => base_iam}/Makefile (100%) create mode 100644 base_iam/backend.conf rename {pre_core => base_iam}/dev.tfvars (100%) rename {pre_core => base_iam}/iam_github_dev.tf (100%) rename {pre_core => base_iam}/iam_github_pre-prod.tf (100%) rename {pre_core => base_iam}/iam_github_test.tf (100%) rename {pre_core => base_iam}/main.tf (100%) rename {pre_core => base_iam}/policy_tool.py (100%) rename {pre_core => base_iam}/providers.tf (100%) rename {pre_core => base_iam}/terraform.tf (78%) rename {pre_core => base_iam}/variables.tf (100%) delete mode 100644 pre_core/backend.conf diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml index de1aa78ba..e4ad87cbf 100644 --- a/.github/workflows/automated-deploy-dev.yml +++ b/.github/workflows/automated-deploy-dev.yml 
@@ -17,31 +17,31 @@ permissions: jobs: # Terraform apply of pre-core will only occur on a push (merge request completion) - terraform_plan_apply_pre_core: + terraform_plan_apply_base_iam: if: github.ref == 'refs/heads/main' - name: Terraform Plan/Apply (pre_core) + name: Terraform Plan/Apply (base_iam) runs-on: ubuntu-latest environment: development steps: - name: Checkout branch uses: actions/checkout@v5 - - name: Apply pre_core + - name: Apply base_iam uses: ./.github/actions/tf-plan-apply with: aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} aws_region: ${{ vars.AWS_REGION }} backend_conf: "backend.conf" - working_directory: "./pre_core" # Use separate pre_core directory + working_directory: "./base_iam" # Use separate base_iam directory workspace: ${{ secrets.AWS_WORKSPACE }} tf_vars_file: ${{ vars.TF_VARS_FILE }} - # Will run when terraform_plan_apply_pre_core completes or is skipped + # Will run when terraform_plan_apply_base_iam completes or is skipped terraform_plan_apply: name: Terraform Plan/Apply (ndr-dev) runs-on: ubuntu-latest - needs: terraform_plan_apply_pre_core - if: always() && (needs.terraform_plan_apply_pre_core.result == 'skipped' || needs.terraform_plan_apply_pre_core.result == 'success') + needs: terraform_plan_apply_base_iam + if: always() && (needs.terraform_plan_apply_base_iam.result == 'skipped' || needs.terraform_plan_apply_base_iam.result == 'success') environment: development steps: - name: Checkout diff --git a/.github/workflows/deploy-pre-prod.yml b/.github/workflows/deploy-pre-prod.yml index bce8e835b..bca4ed88f 100644 --- a/.github/workflows/deploy-pre-prod.yml +++ b/.github/workflows/deploy-pre-prod.yml 
@@ -44,6 +44,54 @@ jobs: run: | echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }} + + + + # # TODO: Activate this section and delete the existing plan_apply job + # terraform_plan_apply_base_iam: + # name: Terraform Plan/Apply (base_iam) + # runs-on: ubuntu-latest + # needs: ["tag_main"] + # environment: pre-prod + # steps: + # - name: Checkout branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ needs.tag_main.outputs.version }} + + # - name: Apply base_iam + # uses: ./.github/actions/tf-plan-apply + # with: + # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + # aws_region: ${{ vars.AWS_REGION }} + # backend_conf: "backend-pre-prod.conf" + # working_directory: "./base_iam" # Use separate base_iam directory + # workspace: ${{ secrets.AWS_WORKSPACE }} + # tf_vars_file: ${{ vars.TF_VARS_FILE }} + + # terraform_plan_apply: + # name: Terraform Plan/Apply (pre-prod) + # runs-on: ubuntu-latest + # needs: ["tag_main", "terraform_plan_apply_base_iam"] + # environment: pre-prod + # steps: + # - name: Checkout Branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ needs.tag_main.outputs.version }} + + # - name: Apply Branch + # uses: ./.github/actions/tf-plan-apply + # with: + # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + # aws_region: ${{ vars.AWS_REGION }} + # backend_conf: "backend-pre-prod.conf" + # workspace: ${{ secrets.AWS_WORKSPACE }} + # tf_vars_file: ${{ vars.TF_VARS_FILE }} + + + + terraform_plan_apply: name: Terraform Plan/Apply (pre-prod) runs-on: ubuntu-latest diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index cf7c54fe8..3873a8e85 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
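Review bot: Roughly fifty lines of commented-out jobs under `# # TODO: Activate this section` are committed here, and again in deploy-test.yml (its `@@ -16,10 +16,50 @@` hunk), which is dead configuration that will drift from the live `terraform_plan_apply` job beside it. Prefer keeping the pending jobs on a branch or behind a tracked issue, or landing them when they are ready. When they are activated, note that the commented blocks pair `working_directory: "./base_iam"` with `backend_conf: "backend-pre-prod.conf"` and `backend-test.conf`, while this commit only creates `base_iam/backend.conf`, so those backend files will need to exist under base_iam as well.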
@@ -35,9 +35,9 @@ jobs: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} -# APPLY PRE_CORE TF (FROM CHOSEN BRANCH) - terraform_plan_apply_pre_core: - name: Terraform Plan/Apply (pre_core) +# APPLY base_iam TF (FROM CHOSEN BRANCH) + terraform_plan_apply_base_iam: + name: Terraform Plan/Apply (base_iam) runs-on: ubuntu-latest needs: validate_inputs environment: development @@ -47,13 +47,14 @@ jobs: with: ref: ${{ github.event.inputs.git_ref}} - - name: Apply pre_core + - name: Apply base_iam uses: ./.github/actions/tf-plan-apply with: + # TODO: DO we need to change to the new role at some point here? aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} aws_region: ${{ vars.AWS_REGION }} backend_conf: "backend.conf" - working_directory: "./pre_core" # Use separate pre_core directory + working_directory: "./base_iam" # Use separate base_iam directory workspace: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} @@ -62,7 +63,7 @@ jobs: terraform_plan_apply_main: name: Terraform Plan/Apply (main) runs-on: ubuntu-latest - needs: terraform_plan_apply_pre_core + needs: terraform_plan_apply_base_iam environment: development steps: - name: Checkout main diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 57db6674e..5c7f9bf72 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml 
@@ -16,10 +16,50 @@ permissions: contents: read # This is required for actions/checkout jobs: - # TODO: Add pre-core plan/apply - # TODO: Remember to pass in:-var=pre_prod_account_id=${{ secrets.PRE_PROD_AWS_ACCOUNT_ID }} - # TODO: Change existing apply to use new pre_core role - + # TODO: Activate this section and delete the existing job + # terraform_plan_apply_base_iam: + # name: Terraform Plan/Apply (base_iam) + # runs-on: ubuntu-latest + # environment: test + # steps: + # - name: Checkout branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ github.event.inputs.git_ref}} + + # - name: Apply base_iam + # uses: ./.github/actions/tf-plan-apply + # with: + # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + # aws_region: ${{ vars.AWS_REGION }} + # backend_conf: "backend-test.conf" + # working_directory: "./base_iam" # Use separate base_iam directory + # workspace: ${{ secrets.AWS_WORKSPACE }} + # tf_vars_file: ${{ vars.TF_VARS_FILE }} + + # terraform_plan_apply_test: + # name: Terraform Plan/Apply (ndr-test) + # runs-on: ubuntu-latest + # needs: terraform_plan_apply_base_iam + # environment: test + # steps: + # - name: Checkout Branch + # uses: actions/checkout@v5 + # with: + # ref: ${{ github.event.inputs.git_ref}} + + # - name: Apply Branch + # uses: ./.github/actions/tf-plan-apply + # with: + # aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} + # aws_region: ${{ vars.AWS_REGION }} + # backend_conf: "backend-test.conf" + # workspace: ${{ secrets.AWS_WORKSPACE }} + # tf_vars_file: ${{ vars.TF_VARS_FILE }} + + + + terraform_plan_apply: name: Terraform Plan/Apply (ndr-test) runs-on: ubuntu-latest diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index 05667610b..4ce6d5b5c 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml 
@@ -80,7 +80,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 with: - # Use role created in pre_core + # Use role created in base_iam role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true @@ -102,8 +102,8 @@ jobs: run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" working-directory: ./infrastructure - terraform_destroy_pre_core: - name: Terraform Destroy (Pre-Core) + terraform_destroy_base_iam: + name: Terraform Destroy (base_iam) # Only destroy pre-core in development (sandbox) environment. Don't tear down in Test environment. # TODO: TEST THAT BRANCH ISN'T NDR-DEV! if: ${{ github.event.inputs.environment == 'development' }} @@ -130,20 +130,20 @@ jobs: - name: Initialise Terraform run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }} - working-directory: ./pre_core + working-directory: ./base_iam - name: Select Terraform Workspace run: terraform workspace select ${{ inputs.sandbox_name }} - working-directory: ./pre_core + working-directory: ./base_iam - name: Run Terraform Destroy run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" - working-directory: ./pre_core + working-directory: ./base_iam cleanup_resources: name: Cleanup Resources runs-on: ubuntu-latest - needs: [terraform_destroy_pre_core] + needs: [terraform_destroy_base_iam] environment: ${{ inputs.environment }} steps: - name: Checkout diff --git a/pre_core/Makefile b/base_iam/Makefile similarity index 100% rename from pre_core/Makefile rename to base_iam/Makefile diff --git a/base_iam/backend.conf b/base_iam/backend.conf new file mode 100644 index 000000000..486a8d720 --- /dev/null +++ b/base_iam/backend.conf @@ -0,0 +1 @@ +bucket = "ndr-dev-terraform-state-533825906475" \ No newline at end of file 
diff --git a/pre_core/dev.tfvars b/base_iam/dev.tfvars
similarity index 100%
rename from pre_core/dev.tfvars
rename to base_iam/dev.tfvars
diff --git a/pre_core/iam_github_dev.tf b/base_iam/iam_github_dev.tf
similarity index 100%
rename from pre_core/iam_github_dev.tf
rename to base_iam/iam_github_dev.tf
diff --git a/pre_core/iam_github_pre-prod.tf b/base_iam/iam_github_pre-prod.tf
similarity index 100%
rename from pre_core/iam_github_pre-prod.tf
rename to base_iam/iam_github_pre-prod.tf
diff --git a/pre_core/iam_github_test.tf b/base_iam/iam_github_test.tf
similarity index 100%
rename from pre_core/iam_github_test.tf
rename to base_iam/iam_github_test.tf
diff --git a/pre_core/main.tf b/base_iam/main.tf
similarity index 100%
rename from pre_core/main.tf
rename to base_iam/main.tf
diff --git a/pre_core/policy_tool.py b/base_iam/policy_tool.py
similarity index 100%
rename from pre_core/policy_tool.py
rename to base_iam/policy_tool.py
diff --git a/pre_core/providers.tf b/base_iam/providers.tf
similarity index 100%
rename from pre_core/providers.tf
rename to base_iam/providers.tf
diff --git a/pre_core/terraform.tf b/base_iam/terraform.tf
similarity index 78%
rename from pre_core/terraform.tf
rename to base_iam/terraform.tf
index dfb229474..24af370ad 100644
--- a/pre_core/terraform.tf
+++ b/base_iam/terraform.tf
@@ -15,8 +15,7 @@ terraform {
 backend "s3" {
 use_lockfile = true
 region = "eu-west-2"
- # key = "ndr/terraform.tfstate"
- key = "ndr_pre_core/terraform.tfstate"
+ key = "ndr_base_iam/terraform.tfstate"
 encrypt = true
 }
 }
\ No newline at end of file
diff --git a/pre_core/variables.tf b/base_iam/variables.tf
similarity index 100%
rename from pre_core/variables.tf
rename to base_iam/variables.tf
diff --git a/pre_core/backend.conf b/pre_core/backend.conf
deleted file mode 100644
index 5ade2f1b5..000000000
--- a/pre_core/backend.conf
+++ /dev/null
@@ -1 +0,0 @@
-bucket = "ndr-dev-terraform-state-533825906475"
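Review bot: Changing the backend `key` from `ndr_pre_core/terraform.tfstate` to `ndr_base_iam/terraform.tfstate` does not move the existing state object, so any workspace where pre_core was already applied will start from an empty state at the new key and the next plan will try to create IAM roles and policies that already exist (failing on the fixed-name ones, duplicating any without a fixed name). If pre_core has been applied anywhere, either copy the state objects in S3 to the new key before the next run or run `terraform init -migrate-state` from the old key first, and record that step in the commit message. The file also still ends with `\ No newline at end of file`, which is worth fixing while it is being touched.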
From 7bf2ac3c10eca2a467f39c6f0d96c2d8a01aab5b Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Tue, 6 Jan 2026 07:31:08 +0000
Subject: [PATCH 36/48] [ndr-297] reformatting
---
 base_iam/terraform.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base_iam/terraform.tf b/base_iam/terraform.tf
index 24af370ad..357c70a84 100644
--- a/base_iam/terraform.tf
+++ b/base_iam/terraform.tf
@@ -15,7 +15,7 @@ terraform {
 backend "s3" {
 use_lockfile = true
 region = "eu-west-2"
- key = "ndr_base_iam/terraform.tfstate"
- encrypt = true
+ key = "ndr_base_iam/terraform.tfstate"
+ encrypt = true
 }
 }
\ No newline at end of file
From 942fe6d67cc2308ccf60d4907dc56997a5f7207c Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Tue, 6 Jan 2026 10:20:44 +0000
Subject: [PATCH 37/48] [ndr-297] Test for teadown of ndr-dev
---
 .github/workflows/tear-down-sandbox.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml
index 4ce6d5b5c..690a200d1 100644
--- a/.github/workflows/tear-down-sandbox.yml
+++ b/.github/workflows/tear-down-sandbox.yml
@@ -104,9 +104,8 @@ jobs:
 terraform_destroy_base_iam:
 name: Terraform Destroy (base_iam)
- # Only destroy pre-core in development (sandbox) environment. Don't tear down in Test environment.
- # TODO: TEST THAT BRANCH ISN'T NDR-DEV!
- if: ${{ github.event.inputs.environment == 'development' }}
+ # Only destroy base_iam in a Sandbox environment. Don't tear down in Test or ndr-dev environments.
+ if: ${{ github.event.inputs.environment == 'development' && github.event.inputs.sandbox_name != 'ndr-dev' }}
 runs-on: ubuntu-latest
 needs: [terraform_destroy]
 environment: ${{ inputs.environment }}
From 078811478891f4310f9fa7a47d025d1b8756ebcb Mon Sep 17 00:00:00 2001
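Review bot: Now that `terraform_destroy_base_iam` is skipped for `ndr-dev`, the `cleanup_resources` job that lists it in `needs:` (visible in the earlier rename hunk of this file) will also be skipped unless it carries an `always()`-style condition not shown here, because GitHub skips a job whose needed job did not succeed; the same was already true for the test environment after the previous condition. If cleanup must still run in those cases, add `terraform_destroy` to its `needs:` and give it `if: ${{ !cancelled() && needs.terraform_destroy.result == 'success' }}`, so it runs whenever the main destroy succeeded regardless of whether base_iam was torn down. The new condition also uses `github.event.inputs.sandbox_name` while nearby lines use the `inputs.sandbox_name` form; they are equivalent for `workflow_dispatch`, but picking one form reads more easily.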
From: Tim Knight
Date: Tue, 6 Jan 2026 14:54:30 +0000
Subject: [PATCH 38/48] [ndr-297] tidy dead code
---
 .github/workflows/automated-deploy-dev.yml | 4 ++--
 base_iam/providers.tf | 6 +++---
 base_iam/terraform.tf | 4 ----
 base_iam/variables.tf | 6 ------
 4 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml
index e4ad87cbf..3d6d8448e 100644
--- a/.github/workflows/automated-deploy-dev.yml
+++ b/.github/workflows/automated-deploy-dev.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
- # Terraform apply of pre-core will only occur on a push (merge request completion)
+ # Terraform apply of base_iam will only occur on a push (merge request completion)
 terraform_plan_apply_base_iam:
 if: github.ref == 'refs/heads/main'
 name: Terraform Plan/Apply (base_iam)
@@ -36,11 +36,11 @@ jobs:
 workspace: ${{ secrets.AWS_WORKSPACE }}
 tf_vars_file: ${{ vars.TF_VARS_FILE }}
- # Will run when terraform_plan_apply_base_iam completes or is skipped
 terraform_plan_apply:
 name: Terraform Plan/Apply (ndr-dev)
 runs-on: ubuntu-latest
 needs: terraform_plan_apply_base_iam
+ # Will run when terraform_plan_apply_base_iam completes or is skipped
 if: always() && (needs.terraform_plan_apply_base_iam.result == 'skipped' || needs.terraform_plan_apply_base_iam.result == 'success')
 environment: development
 steps:
diff --git a/base_iam/providers.tf b/base_iam/providers.tf
index 632024e0d..008d9033c 100644
--- a/base_iam/providers.tf
+++ b/base_iam/providers.tf
@@ -1,8 +1,8 @@
 provider "aws" {
 region = var.region
- # allowed_account_ids = [
- # data.aws_caller_identity.current.account_id,
- # ]
+ allowed_account_ids = [
+ data.aws_caller_identity.current.account_id,
+ ]
 default_tags {
 tags = {
 Owner = var.owner
diff --git a/base_iam/terraform.tf b/base_iam/terraform.tf
index 357c70a84..d5512a934 100644
--- a/base_iam/terraform.tf
+++ b/base_iam/terraform.tf
@@ -5,10 +5,6 @@ terraform { source = "hashicorp/aws" version = "~> 5.0" } - # awscc = { - # source = "hashicorp/awscc" - # version = "~> 1.0" - # } } diff --git a/base_iam/variables.tf b/base_iam/variables.tf index 0342b54be..6c2751e26 100644 --- a/base_iam/variables.tf +++ b/base_iam/variables.tf @@ -9,12 +9,6 @@ variable "region" { description = "The region to be used for bootstrapping" } -variable "pre_prod_account_id" { - type = string - description = "The Pre-Prod AWS Account ID (required by Test environment GitHub IAM Role)" - default = "" -} - variable "owner" { description = "Identifies the team or person responsible for the resource (used for tagging)." type = string From bcb9102ca707037a32206cac0d366ef1c5159652 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 6 Jan 2026 15:19:23 +0000 Subject: [PATCH 39/48] [ndr-297] tidy code --- base_iam/providers.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/base_iam/providers.tf b/base_iam/providers.tf index 008d9033c..5835ddb8e 100644 --- a/base_iam/providers.tf +++ b/base_iam/providers.tf @@ -1,8 +1,5 @@ provider "aws" { region = var.region - allowed_account_ids = [ - data.aws_caller_identity.current.account_id, - ] default_tags { tags = { Owner = var.owner From e5acc55d8017f0534cd4a5baa3a515a6bf42932a Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Tue, 6 Jan 2026 16:48:08 +0000 Subject: [PATCH 40/48] [ndr-297] injection of aws_account_id --- .github/actions/tf-plan-apply/action.yml | 6 +++++- .github/workflows/deploy-sandbox.yml | 1 + base_iam/providers.tf | 3 +++ base_iam/variables.tf | 5 +++++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index 7924b2476..0959c7c79 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml 
@@ -37,6 +37,10 @@ inputs: required: false default: "" + aws_account_id: + description: "AWS Account ID" + required: true + runs: using: "composite" steps: @@ -71,7 +75,7 @@ runs: - name: Run Terraform Plan run: | - terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan + terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -var aws_account_id=${{ inputs.aws_account_id }} ${{ inputs.tf_extra_args }} -out tf.plan working-directory: ${{ inputs.working_directory }} shell: bash diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 3873a8e85..bc840e62a 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -57,6 +57,7 @@ jobs: working_directory: "./base_iam" # Use separate base_iam directory workspace: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} # APPLY MAIN diff --git a/base_iam/providers.tf b/base_iam/providers.tf index 5835ddb8e..1fbd2fe22 100644 --- a/base_iam/providers.tf +++ b/base_iam/providers.tf @@ -1,5 +1,8 @@ provider "aws" { region = var.region + allowed_account_ids = [ + var.aws_account_id + ] default_tags { tags = { Owner = var.owner diff --git a/base_iam/variables.tf b/base_iam/variables.tf index 6c2751e26..2b6e0d9e9 100644 --- a/base_iam/variables.tf +++ b/base_iam/variables.tf @@ -15,6 +15,11 @@ variable "owner" { default = "nhse/ndr-team" } +variable "aws_account_id" { + type = string + description = "The AWS Account ID (numeric)" +} + locals { is_sandbox = !contains(["ndr-dev", "ndr-test", "pre-prod", "prod"], terraform.workspace) is_production = contains(["pre-prod", "prod"], terraform.workspace) From 2e6fe72c8ff96ad54b3a4cc650237e0ffa88b1e7 Mon Sep 17 00:00:00 2001 
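Review bot: `variable "aws_account_id"` documents the value as numeric but nothing enforces it, and the same commit feeds it straight into `allowed_account_ids` in `base_iam/providers.tf`; a `validation` block turns a mistyped or empty secret into a clear plan-time error instead of a provider-level mismatch, and keeps the no-default, fail-closed behaviour this hunk already has. The `-var aws_account_id=${{ inputs.aws_account_id }}` form added to `action.yml` in this commit is reworked by later commits in the series, so it is not raised here.
```hcl
variable "aws_account_id" {
  # … unchanged: type and description …

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
```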
From: Tim Knight Date: Wed, 7 Jan 2026 09:58:40 +0000 Subject: [PATCH 41/48] [ndr-297] updated missing account_id --- .github/actions/tf-plan-apply/action.yml | 5 +++-- .github/workflows/deploy-pre-prod.yml | 1 + .github/workflows/deploy-test.yml | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index 0959c7c79..d601fcb12 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml @@ -38,8 +38,9 @@ inputs: default: "" aws_account_id: - description: "AWS Account ID" - required: true + description: "AWS Account ID - Only required when working_directory is base_iam" + required: false + default: "none" runs: using: "composite" diff --git a/.github/workflows/deploy-pre-prod.yml b/.github/workflows/deploy-pre-prod.yml index bca4ed88f..329c5f0d1 100644 --- a/.github/workflows/deploy-pre-prod.yml +++ b/.github/workflows/deploy-pre-prod.yml @@ -68,6 +68,7 @@ jobs: # working_directory: "./base_iam" # Use separate base_iam directory # workspace: ${{ secrets.AWS_WORKSPACE }} # tf_vars_file: ${{ vars.TF_VARS_FILE }} + # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} # terraform_plan_apply: # name: Terraform Plan/Apply (pre-prod) diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 5c7f9bf72..6f2dfb355 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml @@ -36,6 +36,7 @@ jobs: # working_directory: "./base_iam" # Use separate base_iam directory # workspace: ${{ secrets.AWS_WORKSPACE }} # tf_vars_file: ${{ vars.TF_VARS_FILE }} + # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} # terraform_plan_apply_test: # name: Terraform Plan/Apply (ndr-test) From a61b0fbcc603218fe6cbed3846a4c9127f682a86 Mon Sep 17 00:00:00 2001 
From: Tim Knight Date: Wed, 7 Jan 2026 10:27:56 +0000 Subject: [PATCH 42/48] [ndr-297] optional account_id --- .github/actions/tf-plan-apply/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index d601fcb12..b158bcebb 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml @@ -76,7 +76,8 @@ runs: - name: Run Terraform Plan run: | - terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -var aws_account_id=${{ inputs.aws_account_id }} ${{ inputs.tf_extra_args }} -out tf.plan + # terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -var aws_account_id=${{ inputs.aws_account_id }} ${{ inputs.tf_extra_args }} -out tf.plan + terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.aws_account_id != 'none' && '-var aws_account_id=${{ inputs.aws_account_id }}' }} ${{ inputs.tf_extra_args }} -out tf.plan working-directory: ${{ inputs.working_directory }} shell: bash From 7480d9c52d6849d26d7ed1c9f098c76e2b17e9f1 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 7 Jan 2026 10:34:19 +0000 Subject: [PATCH 43/48] [ndr-927] fix for account_id --- .github/actions/tf-plan-apply/action.yml | 10 +++++----- .github/workflows/deploy-sandbox.yml | 3 ++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index b158bcebb..ff3e86828 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml 
@@ -37,10 +37,10 @@ inputs: required: false default: "" - aws_account_id: - description: "AWS Account ID - Only required when working_directory is base_iam" - required: false - default: "none" + # aws_account_id: + # description: "AWS Account ID - Only required when working_directory is base_iam" + # required: false + # default: "none" runs: using: "composite" @@ -77,7 +77,7 @@ runs: - name: Run Terraform Plan run: | # terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -var aws_account_id=${{ inputs.aws_account_id }} ${{ inputs.tf_extra_args }} -out tf.plan - terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.aws_account_id != 'none' && '-var aws_account_id=${{ inputs.aws_account_id }}' }} ${{ inputs.tf_extra_args }} -out tf.plan + terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan working-directory: ${{ inputs.working_directory }} shell: bash diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index bc840e62a..ff08abec6 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -57,7 +57,8 @@ jobs: working_directory: "./base_iam" # Use separate base_iam directory workspace: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} - aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + tf_extra_ags: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" # APPLY MAIN From 97f4e8a09ba2e2de1c0167f7fdaf2a7aa5b8d9a4 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 7 Jan 2026 10:36:01 +0000 Subject: [PATCH 44/48] [ndr-297] fix typo --- .github/workflows/deploy-sandbox.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index ff08abec6..7452f68de 100644 --- a/.github/workflows/deploy-sandbox.yml 
+++ b/.github/workflows/deploy-sandbox.yml @@ -58,7 +58,7 @@ jobs: workspace: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} - tf_extra_ags: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" + tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" # APPLY MAIN From 6f867f0df342a42f3c437093804cd880dcdadf5d Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 7 Jan 2026 11:46:22 +0000 Subject: [PATCH 45/48] [ndr-297] added account_id to teardown --- .github/actions/tf-plan-apply/action.yml | 6 ------ .github/workflows/deploy-pre-prod.yml | 2 +- .github/workflows/deploy-sandbox.yml | 3 +-- .github/workflows/deploy-test.yml | 2 +- .github/workflows/tear-down-sandbox.yml | 3 ++- 5 files changed, 5 insertions(+), 11 deletions(-) diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml index ff3e86828..7924b2476 100644 --- a/.github/actions/tf-plan-apply/action.yml +++ b/.github/actions/tf-plan-apply/action.yml @@ -37,11 +37,6 @@ inputs: required: false default: "" - # aws_account_id: - # description: "AWS Account ID - Only required when working_directory is base_iam" - # required: false - # default: "none" - runs: using: "composite" steps: @@ -76,7 +71,6 @@ runs: - name: Run Terraform Plan run: | - # terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" -var aws_account_id=${{ inputs.aws_account_id }} ${{ inputs.tf_extra_args }} -out tf.plan terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan working-directory: ${{ inputs.working_directory }} shell: bash diff --git a/.github/workflows/deploy-pre-prod.yml b/.github/workflows/deploy-pre-prod.yml index 329c5f0d1..b53b3bdb8 100644 --- a/.github/workflows/deploy-pre-prod.yml +++ b/.github/workflows/deploy-pre-prod.yml 
@@ -68,7 +68,7 @@ jobs: # working_directory: "./base_iam" # Use separate base_iam directory # workspace: ${{ secrets.AWS_WORKSPACE }} # tf_vars_file: ${{ vars.TF_VARS_FILE }} - # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + # tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" # terraform_plan_apply: # name: Terraform Plan/Apply (pre-prod) diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 7452f68de..11858c792 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -50,14 +50,13 @@ jobs: - name: Apply base_iam uses: ./.github/actions/tf-plan-apply with: - # TODO: DO we need to change to the new role at some point here? + # TODO: After initial deployment, can be changed to: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }} aws_region: ${{ vars.AWS_REGION }} backend_conf: "backend.conf" working_directory: "./base_iam" # Use separate base_iam directory workspace: ${{ github.event.inputs.sandbox_name }} tf_vars_file: ${{ vars.TF_VARS_FILE }} - # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 6f2dfb355..047e740ed 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml @@ -36,7 +36,7 @@ jobs: # working_directory: "./base_iam" # Use separate base_iam directory # workspace: ${{ secrets.AWS_WORKSPACE }} # tf_vars_file: ${{ vars.TF_VARS_FILE }} - # aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + # tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}" # terraform_plan_apply_test: # name: Terraform Plan/Apply (ndr-test) diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index 690a200d1..f93450b31 100644 
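Review bot: The account ID is now threaded through the free-text `tf_extra_args` input, which `action.yml` splices unquoted into the `terraform plan` shell line via `${{ inputs.tf_extra_args }}`; the same secret is expanded directly into `run:` in the `tear-down-sandbox.yml` hunk of this commit. Exporting it as an environment variable instead — `env:` with `TF_VAR_aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}` on the job or step — lets Terraform pick the variable up for both `plan` and `destroy` without any `-var` flag, keeps the value out of shell-expression interpolation, and removes the typo-prone args string that the previous two commits in this series had to correct. The `Apply base_iam` step's job definition starts before this hunk.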
--- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -136,7 +136,8 @@ jobs: working-directory: ./base_iam - name: Run Terraform Destroy - run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" + run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" -var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }} + working-directory: ./base_iam cleanup_resources: From 1e6a612df2be92bc7222e759cd406553fc948666 Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Wed, 7 Jan 2026 16:47:34 +0000 Subject: [PATCH 46/48] [ndr-297] added details for other envs --- base_iam/backend-pre-prod.conf | 1 + base_iam/backend-prod.conf | 1 + base_iam/backend-test.conf | 1 + base_iam/preprod.tfvars | 2 ++ base_iam/prod.tfvars | 2 ++ base_iam/test.tfvars | 2 ++ 6 files changed, 9 insertions(+) create mode 100644 base_iam/backend-pre-prod.conf create mode 100644 base_iam/backend-prod.conf create mode 100644 base_iam/backend-test.conf create mode 100644 base_iam/preprod.tfvars create mode 100644 base_iam/prod.tfvars create mode 100644 base_iam/test.tfvars diff --git a/base_iam/backend-pre-prod.conf b/base_iam/backend-pre-prod.conf new file mode 100644 index 000000000..7a3171088 --- /dev/null +++ b/base_iam/backend-pre-prod.conf @@ -0,0 +1 @@ +bucket = "ndr-pre-prod-terraform-state-694282683086" \ No newline at end of file diff --git a/base_iam/backend-prod.conf b/base_iam/backend-prod.conf new file mode 100644 index 000000000..2c3521439 --- /dev/null +++ b/base_iam/backend-prod.conf @@ -0,0 +1 @@ +bucket = "ndr-prod-terraform-state-487224344892" \ No newline at end of file diff --git a/base_iam/backend-test.conf b/base_iam/backend-test.conf new file mode 100644 index 000000000..b189b63a6 --- /dev/null +++ b/base_iam/backend-test.conf @@ -0,0 +1 @@ +bucket = "ndr-test-terraform-state-211125386286" \ No newline at end of file 
diff --git a/base_iam/preprod.tfvars b/base_iam/preprod.tfvars new file mode 100644 index 000000000..8681ad845 --- /dev/null +++ b/base_iam/preprod.tfvars @@ -0,0 +1,2 @@ +environment = "pre-prod" +owner = "nhse/ndr-team" diff --git a/base_iam/prod.tfvars b/base_iam/prod.tfvars new file mode 100644 index 000000000..c0cfc43c5 --- /dev/null +++ b/base_iam/prod.tfvars @@ -0,0 +1,2 @@ +environment = "prod" +owner = "nhse/ndr-team" diff --git a/base_iam/test.tfvars b/base_iam/test.tfvars new file mode 100644 index 000000000..77cdb18da --- /dev/null +++ b/base_iam/test.tfvars @@ -0,0 +1,2 @@ +environment = "test" +owner = "nhse/ndr-team" From 69376fbfe3783258d45d49b9d16b73a163703bdb Mon Sep 17 00:00:00 2001 From: Tim Knight Date: Thu, 8 Jan 2026 15:59:35 +0000 Subject: [PATCH 47/48] [ndr-297] replaced deprecated tf --- base_iam/iam_github_pre-prod.tf | 908 +++++++++++++++----------------- base_iam/iam_github_test.tf | 453 ++++++++-------- 2 files changed, 666 insertions(+), 695 deletions(-) diff --git a/base_iam/iam_github_pre-prod.tf b/base_iam/iam_github_pre-prod.tf index 490e76c8a..3c5c65af2 100644 --- a/base_iam/iam_github_pre-prod.tf +++ b/base_iam/iam_github_pre-prod.tf @@ -1,6 +1,14 @@ # aws_iam_role.github_role_pre-prod[0]: -resource "aws_iam_role" "github_role_pre-prod" { - count = local.is_pre_production ? 1 : 0 +resource "aws_iam_role" "github_role_pre_prod" { + count = local.is_pre_production ? 1 : 0 + description = "This role is to provide access for GitHub actions to the pre-prod environment. " + force_detach_policies = false + max_session_duration = 3600 + name = "Github-Actions-pre-prod-role" + name_prefix = null + path = "/" + permissions_boundary = null + tags = {} assume_role_policy = jsonencode( { Statement = [ 
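Review bot: The new var-file is named `preprod.tfvars` while the backend file added in the same commit is `backend-pre-prod.conf`, the value inside it is `environment = "pre-prod"`, and the protected-workspace list in `variables.tf` uses `pre-prod`; one spelling across the three avoids a wrong `TF_VARS_FILE` setting later, e.g. rename to `pre-prod.tfvars`. `environment` is not among the variables visible in `base_iam/variables.tf` in this series (`region`, `owner`, `aws_account_id`), so if it is undeclared there Terraform will warn about an undeclared variable on every run — worth confirming. The three backend `.conf` files are also committed without a trailing newline.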
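Review bot: Renaming `aws_iam_role.github_role_pre-prod` to `github_role_pre_prod` changes the state address, so without a `moved` block Terraform will plan to destroy and recreate the GitHub Actions role rather than update it in place; the same presumably applies to `base_iam/iam_github_test.tf` in this commit if its role is renamed the same way. A `moved` block (Terraform 1.1+) keeps the existing role and its ARN, which the OIDC trust relationship and anything holding that ARN depend on; `terraform state mv` run in the pipeline is the alternative. The leading comment `# aws_iam_role.github_role_pre-prod[0]:` still carries the old name and could be updated or dropped. The resource body continues in the next hunk.
```hcl
# Keep the existing role (and its ARN) across the resource rename.
moved {
  from = aws_iam_role.github_role_pre-prod
  to   = aws_iam_role.github_role_pre_prod
}

resource "aws_iam_role" "github_role_pre_prod" {
  # … unchanged: count, description, assume_role_policy …
```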
@@ -33,490 +41,419 @@ resource "aws_iam_role" "github_role_pre-prod" { Version = "2012-10-17" } ) - description = "This role is to provide access for GitHub actions to the pre-prod environment. " - force_detach_policies = false - managed_policy_arns = [ - aws_iam_policy.github_actions_policy_pre-prod[0].arn, - aws_iam_policy.github_extended_policy_1_pre-prod[0].arn, - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "Github-Actions-pre-prod-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} +} + + +# INLINE POLICIES + +resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" { + count = local.is_pre_production ? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "cloudfront_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:UpdateOriginAccessControl", + "cloudfront:CreateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" { + count = local.is_pre_production ? 
1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:ListTagsLogGroup", + "logs:CreateLogDelivery", + "logs:PutMetricFilter", + "logs:DeleteMetricFilter", + "logs:DescribeLogGroups", + "logs:PutRetentionPolicy", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutResourcePolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "AllowLogGroup" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "ecr_policy_pre_prod" { + count = local.is_pre_production ? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "ecr_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecr:InitiateLayerUpload", + "ecr:BatchDeleteImage", + "ecr:CompleteLayerUpload", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart", + ] + Effect = "Allow" + Resource = [ + "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-pre-prod-app", + "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/pre-prod-data-collection", + ] + Sid = "AllowAppAndOdsUpdate" + }, + ] + Version = "2012-10-17" + } + ) +} - inline_policy { - name = "cloudfront_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:UpdateOriginAccessControl", - "cloudfront:CreateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( 
- { - Statement = [ - { - Action = [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowLogGroup" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecr_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart", - ] - Effect = "Allow" - Resource = [ - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-pre-prod-app", - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/pre-prod-data-collection", - ] - Sid = "AllowAppAndOdsUpdate" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "github-extended-policy-virus-scanner" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = 
"lambda" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "mtls-gateway" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = 
"arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*", - 
"arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "AllowIdentityPool" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "AllowAppMonitor" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "AllowRumServiceLogs" - }, - { - Action = [ - "logs:CreateLogDelivery", - 
"logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowRumServiceAllLogs" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "scheduler_policy" - policy = jsonencode( - { - Statement = [ - { - Action = "scheduler:DeleteSchedule" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "step_functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } +resource "aws_iam_role_policy" "ecs_policy_pre_prod" { + count = local.is_pre_production ? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "ecs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ecs:UpdateCluster", + "ecs:PutClusterCapacityProviders", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) } +resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" { + count = local.is_pre_production ? 
1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "github-extended-policy-virus-scanner" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "ssm:CreateDocument", + "iam:TagRole", + "SNS:TagResource", + "cognito-idp:CreateUserPool", + "cognito-idp:TagResource", + "cognito-idp:SetUserPoolMfaConfig", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:DeleteInstanceProfile", + "cloudformation:CreateResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:CreateGroup", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:AdminAddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "lambda_pre_prod" { + count = local.is_pre_production ? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "lambda" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:DeleteFunctionConcurrency", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "lambda:InvokeFunction", + "lambda:UpdateFunctionCode", + "lambda:UpdateFunctionConfiguration", + "kms:CreateGrant", + "kms:Decrypt", + "kms:Encrypt", + "kms:TagResource", + "kms:UntagResource", + "s3:PutObject", + ] + Effect = "Allow" + Resource = [ + "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", + "arn:aws:lambda:eu-west-2:*:function:*", + ] + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "mtls_gateway_pre_prod" { + count = local.is_pre_production ? 
1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "mtls-gateway" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "acm:RequestCertificate", + "route53:ListHostedZones", + "acm:ListCertificates", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor1" + }, + { + Action = [ + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "acm:GetCertificate", + "route53:GetHostedZone", + "route53:ChangeResourceRecordSets", + "apigateway:AddCertificateToDomain", + "acm:AddTagsToCertificate", + "apigateway:RemoveCertificateFromDomain", + "acm:ListTagsForCertificate", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames", + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:route53:::hostedzone/*", + "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "apigateway:AddCertificateToDomain", + "apigateway:RemoveCertificateFromDomain", + ] + Effect = "Allow" + Resource = [ + "arn:aws:apigateway:eu-west-2::/domainnames/*", + "arn:aws:apigateway:eu-west-2::/domainnames", + ] + Sid = "VisualEditor3" + }, + { + Action = "apigateway:AddCertificateToDomain" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/domainnames" + Sid = "VisualEditor4" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "resource_tagging_pre_prod" { + count = local.is_pre_production ? 
1 : 0 + role = aws_iam_role.github_role_pre_prod[0].id + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:GetGroupQuery", + "backup:TagResource", + "sns:TagResource", + "lambda:TagResource", + "resource-groups:UpdateGroup", + "iam:UntagRole", + "iam:TagRole", + "resource-groups:GetTags", + "sns:UntagResource", + "resource-groups:Untag", + "lambda:UntagResource", + "elasticloadbalancing:RemoveTags", + "cognito-identity:UntagResource", + "resource-groups:GetGroup", + "resource-groups:GetGroupConfiguration", + "backup:UntagResource", + "cognito-identity:TagResource", + "resource-groups:Tag", + "logs:UntagResource", + "resource-groups:UpdateGroupQuery", + "iam:TagPolicy", + "logs:TagResource", + "events:TagResource", + "resource-groups:DeleteGroup", + "elasticloadbalancing:AddTags", + "iam:UntagPolicy", + "resource-groups:ListGroupResources", + "iam:UntagInstanceProfile", + "events:UntagResource", + "iam:TagInstanceProfile", + ] + Effect = "Allow" + Resource = [ + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", + "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", + "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", + "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", + "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", + "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*", + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*", + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*", + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*", + "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*", + 
"arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*", + ] + Sid = "VisualEditor0" + }, + { + Action = [ + "events:TagResource", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + "events:UntagResource", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", + ] + Sid = "VisualEditor1" + }, + { + Action = [ + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:AddTags", + ] + Effect = "Allow" + Resource = [ + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", + 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", + ] + Sid = "VisualEditor2" + }, + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) +} + + +############################################################################################################## +# ATTACHED POLICIES + +resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_pre_prod" { + count = local.is_pre_production? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].name + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" +} + +resource "aws_iam_role_policy_attachment" "github_actions_policy_pre_prod" { + count = local.is_pre_production ? 1 : 0 + role = aws_iam_role.github_role_pre_prod[0].name + policy_arn = aws_iam_policy.github_actions_policy_pre_prod[0].arn +} # aws_iam_policy.github_actions_policy_pre-prod[0]: -resource "aws_iam_policy" "github_actions_policy_pre-prod" { +resource "aws_iam_policy" "github_actions_policy_pre_prod" { count = local.is_pre_production ? 1 : 0 description = null name = "github-actions-policy" 
@@ -769,12 +706,16 @@ resource "aws_iam_policy" "github_actions_policy_pre-prod" {
 }
 )
 tags = {}
- tags_all = {}
 }
 
+resource "aws_iam_role_policy_attachment" "github_extended_policy_1_pre_prod" {
+ count = local.is_pre_production ? 1 : 0
+ role = aws_iam_role.github_role_pre_prod[0].name
+ policy_arn = aws_iam_policy.github_extended_policy_1_pre_prod[0].arn
+}
 
 # aws_iam_policy.github_extended_policy_1_pre-prod[0]:
-resource "aws_iam_policy" "github_extended_policy_1_pre-prod" {
+resource "aws_iam_policy" "github_extended_policy_1_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 description = "more required items for GitHub access"
 name = "github-extended-policy-1"
@@ -912,5 +853,4 @@ resource "aws_iam_policy" "github_extended_policy_1_pre-prod" {
 }
 )
 tags = {}
- tags_all = {}
 }
diff --git a/base_iam/iam_github_test.tf b/base_iam/iam_github_test.tf
index 7ac6966a2..3848a2464 100644
--- a/base_iam/iam_github_test.tf
+++ b/base_iam/iam_github_test.tf
@@ -1,6 +1,14 @@
 # aws_iam_role.github_role_test[0]:
 resource "aws_iam_role" "github_role_test" {
 count = local.is_testing ? 1 : 0
+ description = "This role is for the deployment of infrastructure and code from GitHub"
+ force_detach_policies = false
+ max_session_duration = 3600
+ name = "github-action-role"
+ name_prefix = null
+ path = "/"
+ permissions_boundary = null
+ tags = {}
 assume_role_policy = jsonencode(
 {
 Statement = [
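Review bot: `permissions_boundary = null` on `github_role_test` is carried over from the imported state and leaves a CI deployment role with no upper bound on what its policies can grant — later in this file `virus_scan_cognito_test` gives it `cognito-idp:AdminCreateUser`, `cloudformation:CreateResource`/`DeleteResource` and `iam:RemoveRoleFromInstanceProfile` on `Resource = "*"`. Now that the role attributes are written out explicitly, this is the natural place to either attach a boundary policy or record why none is wanted, e.g. `permissions_boundary = null # intentionally unbounded: <ticket/ref placeholder>`. The same applies to `github_role_pre_prod`, whose role block starts outside this chunk.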
@@ -26,218 +34,238 @@ resource "aws_iam_role" "github_role_test" { Version = "2012-10-17" } ) - description = "This role is for the deployment of infrastructure and code from GitHub" - force_detach_policies = false - managed_policy_arns = [ - aws_iam_policy.github_action_policy_test[0].arn, - aws_iam_policy.github_action_policy_2_test[0].arn, - "arn:aws:iam::aws:policy/ReadOnlyAccess", - ] - max_session_duration = 3600 - name = "github-action-role" - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - tags_all = {} +} + +# INLINE POLICIES - inline_policy { - name = "cloudfront_policies" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:DeleteOriginRequestPolicy", - "cloudfront:UpdateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "resource_tagging" - policy = jsonencode( - { - 
Statement = [ - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = "scheduler-policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "scheduler:TagResource", - "scheduler:CreateSchedule", - "scheduler:UntagResource", - "scheduler:DeleteSchedule", - "scheduler:UpdateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } - inline_policy { - name = 
"virus-scan-cognito" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-idp:TagResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:CreateGroup", - "cognito-idp:CreateUserPool", - "cognito-idp:SetUserPoolMfaConfig", - "cognito-idp:AdminAddUserToGroup", - "cloudformation:CreateResource", - "cloudformation:DeleteResource", - "cognito-idp:DeleteGroup", - "appconfig:DeleteEnvironment", - "appconfig:DeleteConfigurationProfile", - "iam:RemoveRoleFromInstanceProfile", - "cognito-idp:DeleteUserPoolClient", - "cognito-idp:AdminRemoveUserFromGroup", - "cognito-idp:AdminDeleteUser", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - } + +resource "aws_iam_role_policy" "cloudfront_policies_test" { + count = local.is_testing ? 1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "cloudfront_policies" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cloudfront:CreateCachePolicy", + "cloudfront:DeleteCachePolicy", + "cloudfront:CreateOriginAccessControl", + "cloudfront:CreateDistribution", + "cloudfront:TagResource", + "cloudfront:UntagResource", + "cloudfront:DeleteDistribution", + "lambda:EnableReplication", + "cloudfront:UpdateDistribution", + "cloudfront:DeleteOriginAccessControl", + "cloudfront:CreateInvalidation", + "cloudfront:CreateOriginRequestPolicy", + "cloudfront:DeleteOriginRequestPolicy", + "cloudfront:UpdateOriginRequestPolicy", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) } +resource "aws_iam_role_policy" "cloudwatch_logs_policy_test" { + count = local.is_testing ? 
1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "cloudwatch_logs_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:PutRetentionPolicy", + "logs:PutResourcePolicy", + "logs:DeleteResourcePolicy", + "logs:DeleteRetentionPolicy", + "logs:TagResource", + "logs:UntagResource", + "logs:AssociateKmsKey", + "logs:DisassociateKmsKey", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" + Sid = "Statement1" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "resource_tagging_test" { + count = local.is_testing ? 1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "resource_tagging" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "resource-groups:SearchResources", + "resource-groups:CreateGroup", + "resource-groups:ListGroups", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "rum_policy_test" { + count = local.is_testing ? 
1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "rum_policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-identity:SetIdentityPoolRoles", + "cognito-identity:CreateIdentityPool", + "cognito-identity:DeleteIdentityPool", + "cognito-identity:UpdateIdentityPool", + ] + Effect = "Allow" + Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" + Sid = "VisualEditor0" + }, + { + Action = [ + "rum:TagResource", + "rum:UntagResource", + "rum:ListTagsForResource", + "iam:PassRole", + "rum:UpdateAppMonitor", + "rum:GetAppMonitor", + "rum:CreateAppMonitor", + "rum:DeleteAppMonitor", + ] + Effect = "Allow" + Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" + Sid = "VisualEditor1" + }, + { + Action = [ + "logs:DeleteLogGroup", + "logs:DeleteResourcePolicy", + "logs:DescribeLogGroups", + ] + Effect = "Allow" + Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" + Sid = "VisualEditor2" + }, + { + Action = [ + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:UpdateLogDelivery", + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries", + "logs:DescribeResourcePolicies", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor3" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "scheduler_policy_test" { + count = local.is_testing ? 1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "scheduler-policy" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "scheduler:TagResource", + "scheduler:CreateSchedule", + "scheduler:UntagResource", + "scheduler:DeleteSchedule", + "scheduler:UpdateSchedule", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +resource "aws_iam_role_policy" "virus_scan_cognito_test" { + count = local.is_testing ? 
1 : 0 + role = aws_iam_role.github_role_test[0].id + name = "virus-scan-cognito" + policy = jsonencode( + { + Statement = [ + { + Action = [ + "cognito-idp:TagResource", + "cognito-idp:DeleteUserPool", + "cognito-idp:AdminCreateUser", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:CreateGroup", + "cognito-idp:CreateUserPool", + "cognito-idp:SetUserPoolMfaConfig", + "cognito-idp:AdminAddUserToGroup", + "cloudformation:CreateResource", + "cloudformation:DeleteResource", + "cognito-idp:DeleteGroup", + "appconfig:DeleteEnvironment", + "appconfig:DeleteConfigurationProfile", + "iam:RemoveRoleFromInstanceProfile", + "cognito-idp:DeleteUserPoolClient", + "cognito-idp:AdminRemoveUserFromGroup", + "cognito-idp:AdminDeleteUser", + ] + Effect = "Allow" + Resource = "*" + Sid = "VisualEditor0" + }, + ] + Version = "2012-10-17" + } + ) +} + +############################################################### +# ATTACHED POLICIES + +resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_test" { + count = local.is_testing? 1 : 0 + role = aws_iam_role.github_role_test[0].name + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" +} + +resource "aws_iam_role_policy_attachment" "github_action_policy_test" { + count = local.is_testing ? 1 : 0 + role = aws_iam_role.github_role_test[0].name + policy_arn = aws_iam_policy.github_action_policy_test[0].arn +} # aws_iam_policy.github_action_policy_test[0]: resource "aws_iam_policy" "github_action_policy_test" { @@ -494,9 +522,13 @@ resource "aws_iam_policy" "github_action_policy_test" { } ) tags = {} - tags_all = {} } +resource "aws_iam_role_policy_attachment" "github_action_policy_2_test" { + count = local.is_testing ? 1 : 0 + role = aws_iam_role.github_role_test[0].name + policy_arn = aws_iam_policy.github_action_policy_2_test[0].arn +} # aws_iam_policy.github_action_policy_2_test[0]: resource "aws_iam_policy" "github_action_policy_2_test" { 
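Review bot: In `rum_policy_test` (`Sid = "VisualEditor1"`) `iam:PassRole` is listed against `Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*"`, but PassRole is authorised against the ARN of the role being passed, so this statement cannot grant it; either the action is dead weight or the effective grant comes from one of the managed policies attached below, in which case it should be dropped here so the policy says what it actually does. The pre-prod `rum_policy` (`Sid = "AllowAppMonitor"`, earlier on this page) has the same pattern. If RUM does need to pass a specific role, give it its own statement scoped to that role, e.g. `Action = "iam:PassRole"`, `Resource = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/<rum-role-name>"`, with a `Condition` on `iam:PassedToService`. Separately, because each policy is now its own `aws_iam_role_policy`, the `Resource = "*"` statements in `virus_scan_cognito_test` and `cloudfront_policies_test` can be tightened one at a time without touching the role, which is the main benefit of this refactor.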
@@ -598,5 +630,4 @@ resource "aws_iam_policy" "github_action_policy_2_test" {
 }
 )
 tags = {}
- tags_all = {}
 }
From f2b256b9853bd4b2c9f96b8dce25206712a95bfb Mon Sep 17 00:00:00 2001
From: Tim Knight
Date: Thu, 8 Jan 2026 15:59:55 +0000
Subject: [PATCH 48/48] [ndr-297] linting
---
 base_iam/iam_github_pre-prod.tf | 22 +++++++++++-----------
 base_iam/iam_github_test.tf | 32 ++++++++++++++++----------------
 2 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/base_iam/iam_github_pre-prod.tf b/base_iam/iam_github_pre-prod.tf
index 3c5c65af2..992ef4a4a 100644
--- a/base_iam/iam_github_pre-prod.tf
+++ b/base_iam/iam_github_pre-prod.tf
@@ -49,7 +49,7 @@ resource "aws_iam_role" "github_role_pre_prod" {
 resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "cloudfront_policy"
+ name = "cloudfront_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -82,7 +82,7 @@ resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" {
 resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "cloudwatch_logs_policy"
+ name = "cloudwatch_logs_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -112,7 +112,7 @@ resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" {
 resource "aws_iam_role_policy" "ecr_policy_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "ecr_policy"
+ name = "ecr_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -141,7 +141,7 @@ resource "aws_iam_role_policy" "ecr_policy_pre_prod" {
 resource "aws_iam_role_policy" "ecs_policy_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "ecs_policy"
+ name = "ecs_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -163,7 +163,7 @@ resource "aws_iam_role_policy" "ecs_policy_pre_prod" {
 resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "github-extended-policy-virus-scanner"
+ name = "github-extended-policy-virus-scanner"
 policy = jsonencode(
 {
 Statement = [
@@ -198,7 +198,7 @@ resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" {
 resource "aws_iam_role_policy" "lambda_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "lambda"
+ name = "lambda"
 policy = jsonencode(
 {
 Statement = [
@@ -234,7 +234,7 @@ resource "aws_iam_role_policy" "lambda_pre_prod" {
 resource "aws_iam_role_policy" "mtls_gateway_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "mtls-gateway"
+ name = "mtls-gateway"
 policy = jsonencode(
 {
 Statement = [
@@ -302,7 +302,7 @@ resource "aws_iam_role_policy" "mtls_gateway_pre_prod" {
 resource "aws_iam_role_policy" "resource_tagging_pre_prod" {
 count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].id
- name = "resource_tagging"
+ name = "resource_tagging"
 policy = jsonencode(
 {
 Statement = [
@@ -441,7 +441,7 @@ resource "aws_iam_role_policy" "resource_tagging_pre_prod" {
 # ATTACHED POLICIES
 
 resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_pre_prod" {
- count = local.is_pre_production? 1 : 0
+ count = local.is_pre_production ? 1 : 0
 role = aws_iam_role.github_role_pre_prod[0].name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
@@ -705,7 +705,7 @@ resource "aws_iam_policy" "github_actions_policy_pre_prod" {
 Version = "2012-10-17"
 }
 )
- tags = {}
+ tags = {}
 }
 
 resource "aws_iam_role_policy_attachment" "github_extended_policy_1_pre_prod" {
@@ -852,5 +852,5 @@ resource "aws_iam_policy" "github_extended_policy_1_pre_prod" {
 Version = "2012-10-17"
 }
 )
- tags = {}
+ tags = {}
 }
diff --git a/base_iam/iam_github_test.tf b/base_iam/iam_github_test.tf
index 3848a2464..0dddc44f3 100644
--- a/base_iam/iam_github_test.tf
+++ b/base_iam/iam_github_test.tf
@@ -1,14 +1,14 @@
 # aws_iam_role.github_role_test[0]:
 resource "aws_iam_role" "github_role_test" {
- count = local.is_testing ? 1 : 0
+ count = local.is_testing ? 1 : 0
 description = "This role is for the deployment of infrastructure and code from GitHub"
 force_detach_policies = false
- max_session_duration = 3600
- name = "github-action-role"
- name_prefix = null
- path = "/"
- permissions_boundary = null
- tags = {}
+ max_session_duration = 3600
+ name = "github-action-role"
+ name_prefix = null
+ path = "/"
+ permissions_boundary = null
+ tags = {}
 assume_role_policy = jsonencode(
 {
 Statement = [
@@ -42,7 +42,7 @@ resource "aws_iam_role" "github_role_test" {
 resource "aws_iam_role_policy" "cloudfront_policies_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "cloudfront_policies"
+ name = "cloudfront_policies"
 policy = jsonencode(
 {
 Statement = [
@@ -76,7 +76,7 @@ resource "aws_iam_role_policy" "cloudfront_policies_test" {
 resource "aws_iam_role_policy" "cloudwatch_logs_policy_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "cloudwatch_logs_policy"
+ name = "cloudwatch_logs_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -108,7 +108,7 @@ resource "aws_iam_role_policy" "cloudwatch_logs_policy_test" {
 resource "aws_iam_role_policy" "resource_tagging_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "resource_tagging"
+ name = "resource_tagging"
 policy = jsonencode(
 {
 Statement = [
@@ -131,7 +131,7 @@ resource "aws_iam_role_policy" "resource_tagging_test" {
 resource "aws_iam_role_policy" "rum_policy_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "rum_policy"
+ name = "rum_policy"
 policy = jsonencode(
 {
 Statement = [
@@ -193,7 +193,7 @@ resource "aws_iam_role_policy" "rum_policy_test" {
 resource "aws_iam_role_policy" "scheduler_policy_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "scheduler-policy"
+ name = "scheduler-policy"
 policy = jsonencode(
 {
 Statement = [
@@ -218,7 +218,7 @@ resource "aws_iam_role_policy" "scheduler_policy_test" {
 resource "aws_iam_role_policy" "virus_scan_cognito_test" {
 count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].id
- name = "virus-scan-cognito"
+ name = "virus-scan-cognito"
 policy = jsonencode(
 {
 Statement = [
@@ -256,7 +256,7 @@ resource "aws_iam_role_policy" "virus_scan_cognito_test" {
 # ATTACHED POLICIES
 
 resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_test" {
- count = local.is_testing? 1 : 0
+ count = local.is_testing ? 1 : 0
 role = aws_iam_role.github_role_test[0].name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
@@ -521,7 +521,7 @@ resource "aws_iam_policy" "github_action_policy_test" {
 Version = "2012-10-17"
 }
 )
- tags = {}
+ tags = {}
 }
 
 resource "aws_iam_role_policy_attachment" "github_action_policy_2_test" {
@@ -629,5 +629,5 @@ resource "aws_iam_policy" "github_action_policy_2_test" {
 Version = "2012-10-17"
 }
 )
- tags = {}
+ tags = {}
 }