From 1161fb7debe747c230efdf49350e08d1bd130e22 Mon Sep 17 00:00:00 2001 From: Hadi Qureshi Date: Wed, 20 May 2026 17:24:20 +0100 Subject: [PATCH 1/2] feat: service IAM role assumable via SSO --- terraform/lambda/iam.tf | 79 ------------------------------------- terraform/lambda/main.tf | 14 +++++++ terraform/lambda/secrets.tf | 15 ------- 3 files changed, 14 insertions(+), 94 deletions(-) delete mode 100644 terraform/lambda/iam.tf delete mode 100644 terraform/lambda/secrets.tf diff --git a/terraform/lambda/iam.tf b/terraform/lambda/iam.tf deleted file mode 100644 index 9ff7f38..0000000 --- a/terraform/lambda/iam.tf +++ /dev/null @@ -1,79 +0,0 @@ -# Managed policy for S3 access -resource "aws_iam_policy" "s3_access" { - name = "${var.domain}-${var.service_subdomain}-s3-policy" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Action = [ - "s3:GetObject", - "s3:PutObject", - "s3:ListBucket" - ] - Resource = [ - "arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}", - "arn:aws:s3:::${data.terraform_remote_state.storage.outputs.tech_audit_data_bucket_name}/*" - ] - }] - }) -} - -# Managed policy for Secrets Manager access -resource "aws_iam_policy" "secrets_access" { - name = "${var.domain}-${var.service_subdomain}-secrets-policy" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Action = [ - "secretsmanager:GetSecretValue" - ] - Resource = data.terraform_remote_state.secrets.outputs.secret_arn - }] - }) -} - -# IAM User Group -resource "aws_iam_group" "group" { - name = "${var.domain}-${var.service_subdomain}-user-group" - path = "/" -} - -# Attach S3 policy to group -resource "aws_iam_group_policy_attachment" "group_s3_access_attachment" { - group = aws_iam_group.group.name - policy_arn = aws_iam_policy.s3_access.arn -} - -# Attach Secrets Manager policy to group -resource "aws_iam_group_policy_attachment" "group_secrets_attachment" { - group = aws_iam_group.group.name - policy_arn = aws_iam_policy.secrets_access.arn -} - -# IAM User -resource "aws_iam_user" "user" { - name = "${var.domain}-${var.service_subdomain}" - path = "/" -} - -# Assign IAM User to group -resource "aws_iam_user_group_membership" "user_group_attach" { - user = aws_iam_user.user.name - - groups = [ - aws_iam_group.group.name - ] -} - -# IAM Key Rotation Module -module "iam_key_rotation" { - source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1" - - iam_username = aws_iam_user.user.name - access_key_secret_arn = aws_secretsmanager_secret.access_key.arn - secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn - rotation_in_days = 45 -} diff --git a/terraform/lambda/main.tf b/terraform/lambda/main.tf index eeed9a3..eedd7d6 100644 --- a/terraform/lambda/main.tf +++ b/terraform/lambda/main.tf @@ -22,6 +22,20 @@ resource "aws_iam_role" "lambda_execution_role" { Principal = { Service = "lambda.amazonaws.com" } + }, + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${var.aws_account_id}:root" + } + Condition = { + ArnLike = { + "aws:PrincipalArn" = [ + "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*" + ] + } + } } ] }) diff --git a/terraform/lambda/secrets.tf b/terraform/lambda/secrets.tf deleted file mode 100644 index c87edbc..0000000 --- a/terraform/lambda/secrets.tf +++ /dev/null @@ -1,15 +0,0 @@ -# Secrets Manager resources for IAM user access keys - -resource "aws_secretsmanager_secret" "access_key" { - name = "${var.domain}-${var.service_subdomain}-access-key" - description = "Access Key ID for tech audit tool API IAM user" - recovery_window_in_days = 0 // Secret will be deleted immediately - force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes -} - -resource "aws_secretsmanager_secret" "secret_key" { - name = "${var.domain}-${var.service_subdomain}-secret-key" - description = "Secret Access Key for tech audit tool API IAM user" - recovery_window_in_days = 0 // Secret will be deleted immediately - force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes -} From c4efd1c761b3d05cf4a5d3fda46e5643b89a14ca Mon Sep 17 00:00:00 2001 From: Hadi Qureshi Date: Thu, 21 May 2026 12:36:03 +0100 Subject: [PATCH 2/2] chore: update README --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 30d44ce..cfcbd6a 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,18 @@ Install dev dependencies to run linting tools make install-dev ``` +Sign in with AWS SSO, and export the correct profile for this service: + +```bash +aws sso login + +export AWS_PROFILE=keh-tech-audit-tool-api +``` + +This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile. + +**Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. + Set environment variables: ```bash