ELI-597: Automates NHS Number salt creation and rotation (#537)

* ELI-597: Initial setup for automation of secret rotation

* ELI-597: Use github env variable for sns subscription email

* (ELI-597) solving checkov issues and addressing comments

* (ELI-597) linting

* (ELI-597) linting

* ELI-597: Adds FBT001 ignore back

* ELI-597: Formats SNS emails and changes preprod and prod cron

* ELI-597: Adds vpc and encryption of rotation kms

* [ELI-597] fixing problems and addressing comments

* [ELI-597] linting error

---------

Co-authored-by: TOEL2 <tom.eldridge1@nhs.net>

Author: shweta-nhs

.github/workflows/base-deploy.yml

@@ -202,6 +202,7 @@ jobs:
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+          TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
 
         working-directory: ./infrastructure
         shell: bash

infrastructure/.gitignore

@@ -38,3 +38,8 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Ignore secret rotation lambda zip files
+
+stacks/api-layer/scripts/create_pending_secret.zip
+stacks/api-layer/scripts/promote_to_current.zip

infrastructure/modules/secrets_manager/kms.tf

@@ -57,3 +57,59 @@ resource "aws_kms_key" "secrets_cmk" {
   })
   tags = var.tags
 }
+
+resource "aws_kms_key" "rotation_sns_cmk" {
+  description             = "KMS key for SNS topic encryption (CLI Login Notifications)"
+  deletion_window_in_days = 14
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow SNS and EventBridge Usage"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "sns.amazonaws.com",
+            "events.amazonaws.com"
+          ]
+        }
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow CloudWatch Logs Encryption"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.${var.region}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnLike = {
+            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/SecretRotationWorkflow"
+          }
+        }
+      }
+    ]
+  })
+}

infrastructure/modules/secrets_manager/outputs.tf

@@ -6,3 +6,14 @@ output "aws_hashing_secret_name" {
   value = aws_secretsmanager_secret.hashing_secret.name
 }
 
+output "kms_key_arn" {
+  value = aws_kms_key.secrets_cmk.arn
+}
+
+output "rotation_sns_key_id" {
+  value = aws_kms_key.rotation_sns_cmk.key_id
+}
+
+output "rotation_sns_key_arn" {
+  value = aws_kms_key.rotation_sns_cmk.arn
+}

infrastructure/stacks/api-layer/cloudwatch.tf

@@ -34,3 +34,9 @@ resource "aws_cloudwatch_log_stream" "firehose_audit_stream" {
     aws_cloudwatch_log_group.firehose_audit
   ]
 }
+
+resource "aws_cloudwatch_log_group" "rotation_sfn_logs" {
+  name              = "/aws/stepfunctions/SecretRotationWorkflow"
+  kms_key_id = module.secrets_manager.rotation_sns_key_arn
+  retention_in_days = 365
+}

infrastructure/stacks/api-layer/iam_policies.tf

@@ -561,3 +561,101 @@ resource "aws_iam_role_policy" "external_secret_read_policy_attachment" {
   role   = aws_iam_role.write_access_role[count.index].id
   policy = data.aws_iam_policy_document.secrets_access_policy.json
 }
+
+# --- Rotation Logic Policies ---
+resource "aws_iam_policy" "rotation_secrets_policy" {
+  name        = "rotation_secrets_policy"
+  description = "Allow Lambda to read/write ONLY the hashing secret"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "ManageSecretBits",
+        Effect = "Allow",
+        Action = [
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:PutSecretValue",
+          "secretsmanager:UpdateSecretVersionStage",
+          "secretsmanager:GetSecretValue"
+        ],
+        Resource = module.secrets_manager.aws_hashing_secret_arn
+      },
+      {
+        Sid    = "AllowKMSKeyUsage",
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ],
+        Resource = module.secrets_manager.kms_key_arn
+      },
+      {
+        Sid    = "BasicLogging",
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = [
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${aws_lambda_function.create_secret_lambda.function_name}:*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${aws_lambda_function.promote_secret_lambda.function_name}:*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "attach_rotation_secrets" {
+  role       = aws_iam_role.rotation_lambda_role.name
+  policy_arn = aws_iam_policy.rotation_secrets_policy.arn
+}
+
+resource "aws_iam_policy" "rotation_sfn_policy" {
+  name = "rotation_sfn_policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = "lambda:InvokeFunction",
+        Resource = [
+          aws_lambda_function.create_secret_lambda.arn,
+          aws_lambda_function.promote_secret_lambda.arn
+        ]
+      },
+      {
+        Effect   = "Allow",
+        Action   = "sns:Publish",
+        Resource = aws_sns_topic.secret_rotation.arn
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ],
+        Resource = module.secrets_manager.rotation_sns_key_arn
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogDelivery",
+          "logs:GetLogDelivery",
+          "logs:UpdateLogDelivery",
+          "logs:DeleteLogDelivery",
+          "logs:ListLogDeliveries",
+          "logs:PutResourcePolicy",
+          "logs:DescribeResourcePolicies",
+          "logs:DescribeLogGroups"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "attach_rotation_sfn" {
+  role       = aws_iam_role.rotation_sfn_role.name
+  policy_arn = aws_iam_policy.rotation_sfn_policy.arn
+}

infrastructure/stacks/api-layer/iam_roles.tf

@@ -74,3 +74,71 @@ resource "aws_iam_role" "eligibility_audit_firehose_role" {
   assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role.json
   permissions_boundary = aws_iam_policy.assumed_role_permissions_boundary.arn
 }
+
+# --- Secret Rotation Roles ---
+resource "aws_iam_role" "rotation_lambda_role" {
+  name = "secret_rotation_lambda_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = { Service = "lambda.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role" "rotation_sfn_role" {
+  name = "secret_rotation_workflow_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = { Service = "states.amazonaws.com" }
+    }]
+  })
+}
+
+# -----------------------------------------------------------------------------
+# IAM Role: Allow EventBridge to Start the Step Function
+# -----------------------------------------------------------------------------
+
+resource "aws_iam_role" "eventbridge_sfn_invoke_role" {
+  name = "eventbridge_invoke_sfn_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = { Service = "events.amazonaws.com" }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "eventbridge_sfn_policy" {
+  name = "eventbridge_sfn_start_policy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "states:StartExecution"
+        Resource = aws_sfn_state_machine.rotation_machine.arn
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "attach_eb_sfn" {
+  role       = aws_iam_role.eventbridge_sfn_invoke_role.name
+  policy_arn = aws_iam_policy.eventbridge_sfn_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "rotation_vpc_access" {
+  role       = aws_iam_role.rotation_lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}

infrastructure/stacks/api-layer/lambda.tf

@@ -33,3 +33,65 @@ module "eligibility_signposting_lambda_function" {
   provisioned_concurrency_count     = 5
   api_domain_name                   = local.api_domain_name
 }
+
+# -----------------------------------------------------------------------------
+# Secret rotation lambdas
+# -----------------------------------------------------------------------------
+
+# 1. Generator Lambda
+data "archive_file" "create_zip" {
+  type        = "zip"
+  source_file = "${path.module}/scripts/create_pending_secret.py"
+  output_path = "${path.module}/scripts/create_pending_secret.zip"
+}
+
+resource "aws_lambda_function" "create_secret_lambda" {
+  #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function
+  #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238
+  #checkov:skip=CKV_AWS_50: No x-ray needed for this function
+  #checkov:skip=CKV_AWS_173: No encryption needed for the secret name
+
+  filename                       = data.archive_file.create_zip.output_path
+  function_name                  = "${terraform.workspace}-CreatePendingSecretFunction"
+  role                           = aws_iam_role.rotation_lambda_role.arn
+  handler                        = "create_pending_secret.lambda_handler"
+  runtime                        = "python3.13"
+  timeout                        = 30
+  reserved_concurrent_executions = 1
+  environment {
+    variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name }
+  }
+  vpc_config {
+    subnet_ids = [for s in data.aws_subnet.private_subnets : s.id]
+    security_group_ids = [data.aws_security_group.main_sg.id]
+  }
+}
+
+# 2. Promoter Lambda
+data "archive_file" "promote_zip" {
+  type        = "zip"
+  source_file = "${path.module}/scripts/promote_to_current.py"
+  output_path = "${path.module}/scripts/promote_to_current.zip"
+}
+
+resource "aws_lambda_function" "promote_secret_lambda" {
+  #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function
+  #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238
+  #checkov:skip=CKV_AWS_50: No x-ray needed for this function
+  #checkov:skip=CKV_AWS_173: No encryption needed for the secret name
+
+  filename                       = data.archive_file.promote_zip.output_path
+  function_name                  = "${terraform.workspace}-PromoteToCurrentFunction"
+  role                           = aws_iam_role.rotation_lambda_role.arn
+  handler                        = "promote_to_current.lambda_handler"
+  runtime                        = "python3.13"
+  timeout                        = 30
+  reserved_concurrent_executions = 1
+  environment {
+    variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name }
+  }
+  vpc_config {
+    subnet_ids = [for s in data.aws_subnet.private_subnets : s.id]
+    security_group_ids = [data.aws_security_group.main_sg.id]
+  }
+}