[ELI-702] - adding the new signing resources and attaching to lambda

TOEL2 · TOEL2 · commit 3b31922c29f4 · 2026-03-25T19:58:59.000Z
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -11,6 +11,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   source_code_hash = filebase64sha256(var.file_name)
 
+  code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn
+
   runtime     = var.runtime
   timeout     = 30
   memory_size = 2048
diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
@@ -0,0 +1,24 @@
+resource "aws_signer_signing_profile" "lambda_signing" {
+  name_prefix = "eligibility-signing-"
+
+  platform_id = "AWSLambda-SHA384-ECDSA"
+
+  signature_validity_period {
+    value = 365
+    type  = "DAYS"
+  }
+}
+
+resource "aws_lambda_code_signing_config" "signing_config" {
+  allowed_publishers {
+    signing_profile_version_arns = [
+      aws_signer_signing_profile.lambda_signing.version_arn
+    ]
+  }
+
+  policies {
+    untrusted_artifact_on_deployment = "Enforce"
+  }
+
+  description = "Only allow Lambda bundles signed by our trusted signer profile"
+}
