Skip to content

Commit cff6008

Browse files
authored
Merge pull request #40 from ONS-Innovation/credential-refactor-and-key-rotation
KEH 1706 & 1708: Credential Refactor and Key Rotation
2 parents dfc013d + 5d16fab commit cff6008

2 files changed

Lines changed: 90 additions & 0 deletions

File tree

terraform/lambda/iam.tf

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
# Managed policy for S3 access
2+
resource "aws_iam_policy" "s3_access" {
3+
name = "${var.domain}-${var.service_subdomain}-s3-policy"
4+
5+
policy = jsonencode({
6+
Version = "2012-10-17"
7+
Statement = [{
8+
Effect = "Allow"
9+
Action = [
10+
"s3:GetObject",
11+
"s3:PutObject",
12+
"s3:ListBucket"
13+
]
14+
Resource = [
15+
"arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}",
16+
"arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}/*"
17+
]
18+
}]
19+
})
20+
}
21+
22+
# Managed policy for Secrets Manager access
23+
resource "aws_iam_policy" "secrets_access" {
24+
name = "${var.domain}-${var.service_subdomain}-secrets-policy"
25+
26+
policy = jsonencode({
27+
Version = "2012-10-17"
28+
Statement = [{
29+
Effect = "Allow"
30+
Action = [
31+
"secretsmanager:GetSecretValue"
32+
]
33+
Resource = data.terraform_remote_state.secrets.outputs.secret_arn
34+
}]
35+
})
36+
}
37+
38+
# IAM User Group
39+
resource "aws_iam_group" "group" {
40+
name = "${var.domain}-${var.service_subdomain}-user-group"
41+
path = "/"
42+
}
43+
44+
# Attach S3 policy to group
45+
resource "aws_iam_group_policy_attachment" "group_s3_access_attachment" {
46+
group = aws_iam_group.group.name
47+
policy_arn = aws_iam_policy.s3_access.arn
48+
}
49+
50+
# Attach Secrets Manager policy to group
51+
resource "aws_iam_group_policy_attachment" "group_secrets_attachment" {
52+
group = aws_iam_group.group.name
53+
policy_arn = aws_iam_policy.secrets_access.arn
54+
}
55+
56+
# IAM User
57+
resource "aws_iam_user" "user" {
58+
name = "${var.domain}-${var.service_subdomain}"
59+
path = "/"
60+
}
61+
62+
# Assign IAM User to group
63+
resource "aws_iam_user_group_membership" "user_group_attach" {
64+
user = aws_iam_user.user.name
65+
66+
groups = [
67+
aws_iam_group.group.name
68+
]
69+
}
70+
71+
# IAM Key Rotation Module
72+
module "iam_key_rotation" {
73+
source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"
74+
75+
iam_username = aws_iam_user.user.name
76+
access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
77+
secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
78+
rotation_in_days = 90
79+
}

terraform/lambda/secrets.tf

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Secrets Manager resources for IAM user access keys
2+
3+
resource "aws_secretsmanager_secret" "access_key" {
4+
name = "${var.domain}-${var.service_subdomain}-access-key"
5+
description = "Access Key ID for tech audit tool API IAM user"
6+
}
7+
8+
resource "aws_secretsmanager_secret" "secret_key" {
9+
name = "${var.domain}-${var.service_subdomain}-secret-key"
10+
description = "Secret Access Key for tech audit tool API IAM user"
11+
}

0 commit comments

Comments
 (0)