diff --git a/README.md b/README.md index 30d44ce..cfcbd6a 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,18 @@ Install dev dependencies to run linting tools make install-dev ``` +Sign in with AWS SSO, and export the correct profile for this service: + +```bash +aws sso login + +export AWS_PROFILE=keh-tech-audit-tool-api +``` + +This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile. + +**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. + Set environment variables: ```bash diff --git a/terraform/lambda/iam.tf b/terraform/lambda/iam.tf deleted file mode 100644 index 9ff7f38..0000000 --- a/terraform/lambda/iam.tf +++ /dev/null @@ -1,79 +0,0 @@ -# Managed policy for S3 access -resource "aws_iam_policy" "s3_access" { - name = "${var.domain}-${var.service_subdomain}-s3-policy" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Action = [ - "s3:GetObject", - "s3:PutObject", - "s3:ListBucket" - ] - Resource = [ - "arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}", - "arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}/*" - ] - }] - }) -} - -# Managed policy for Secrets Manager access -resource "aws_iam_policy" "secrets_access" { - name = "${var.domain}-${var.service_subdomain}-secrets-policy" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Action = [ - "secretsmanager:GetSecretValue" - ] - Resource = data.terraform_remote_state.secrets.outputs.secret_arn - }] - }) -} - -# IAM User Group -resource "aws_iam_group" "group" { - name = "${var.domain}-${var.service_subdomain}-user-group" - path = "/" -} - -# Attach S3 policy to group -resource "aws_iam_group_policy_attachment" "group_s3_access_attachment" { - group = aws_iam_group.group.name - policy_arn = aws_iam_policy.s3_access.arn -} - -# Attach Secrets Manager policy to group -resource "aws_iam_group_policy_attachment" "group_secrets_attachment" { - group = aws_iam_group.group.name - policy_arn = aws_iam_policy.secrets_access.arn -} - -# IAM User -resource "aws_iam_user" "user" { - name = "${var.domain}-${var.service_subdomain}" - path = "/" -} - -# Assign IAM User to group -resource "aws_iam_user_group_membership" "user_group_attach" { - user = aws_iam_user.user.name - - groups = [ - aws_iam_group.group.name - ] -} - -# IAM Key Rotation Module -module "iam_key_rotation" { - source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1" - - iam_username = aws_iam_user.user.name - access_key_secret_arn = aws_secretsmanager_secret.access_key.arn - secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn - rotation_in_days = 45 -} diff --git a/terraform/lambda/main.tf b/terraform/lambda/main.tf index eeed9a3..eedd7d6 100644 --- a/terraform/lambda/main.tf +++ b/terraform/lambda/main.tf @@ -22,6 +22,20 @@ resource "aws_iam_role" "lambda_execution_role" { Principal = { Service = "lambda.amazonaws.com" } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${var.aws_account_id}:root" + } + Condition = { + ArnLike = { + "aws:PrincipalArn" = [ + "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*" + ] + } + } } ] }) diff --git a/terraform/lambda/secrets.tf b/terraform/lambda/secrets.tf deleted file mode 100644 index c87edbc..0000000 --- a/terraform/lambda/secrets.tf +++ /dev/null @@ -1,15 +0,0 @@ -# Secrets Manager resources for IAM user access keys - -resource "aws_secretsmanager_secret" "access_key" { - name = "${var.domain}-${var.service_subdomain}-access-key" - description = "Access Key ID for tech audit tool API IAM user" - recovery_window_in_days = 0 // Secret will be deleted immediately - force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes -} - -resource "aws_secretsmanager_secret" "secret_key" { - name = "${var.domain}-${var.service_subdomain}-secret-key" - description = "Secret Access Key for tech audit tool API IAM user" - recovery_window_in_days = 0 // Secret will be deleted immediately - force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes -}