eli-279 removing most permissions from developer role, as it's expected to only need to terraform plan locally / invoke lambda for testing in dev

Author: eddalmond1

infrastructure/stacks/iams-developer-roles/terraform_developer_policies.tf

@@ -1,11 +1,11 @@
 # Trust policy document
 data "aws_iam_policy_document" "terraform_developer_assume_role" {
   statement {
-    effect = "Allow"
+    effect  = "Allow"
     actions = ["sts:AssumeRole"]
 
     principals {
-      type = "AWS"
+      type        = "AWS"
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
 
@@ -19,15 +19,9 @@ data "aws_iam_policy_document" "terraform_developer_assume_role" {
   }
 }
 
-# Policy document for terraform access
-# ARN(s) will need adding once they are in place / additional policies
-# created in the main api stack and this removed
+# Policy document for basic developer read only permissions
 data "aws_iam_policy_document" "terraform_developer_policy" {
-  #checkov:skip=CKV_AWS_356 Data source IAM policy document allows all resources with restricted actions
-  #checkov:skip=CKV_AWS_356 Ensure IAM policies does not allow data exfiltration
-  #checkov:skip=CKV_AWS_109 Ensure IAM policies does not allow permissions management / resource exposure without constraints
-  #checkov:skip=CKV_AWS_108 Ensure IAM policies does not allow data exfiltration
-  #checkov:skip=CKV_AWS_111 Ensure IAM policies does not allow write access without constraints
+
   # S3 bucket for Terraform state
   dynamic "statement" {
     for_each = var.environment != "prod" ? [1] : []
@@ -69,7 +63,9 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
         "dynamodb:DescribeTable",
         "dynamodb:ListTables",
       ]
-      resources = ["*"]
+      resources = [
+        "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table:*eligibility_datastore"
+      ]
     }
   }
 
@@ -79,9 +75,6 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
     content {
       effect = "Allow"
       actions = [
-        "dynamodb:CreateTable",
-        "dynamodb:UpdateTable",
-        "dynamodb:UpdateTableReplicaAutoScaling",
         "dynamodb:DescribeTable",
         "dynamodb:ListTables",
         "dynamodb:Query",
@@ -91,7 +84,9 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
         "dynamodb:UpdateItem",
         "dynamodb:DeleteItem"
       ]
-      resources = ["*"]
+      resources = [
+        "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table:*eligibility_datastore"
+      ]
     }
   }
 
@@ -105,7 +100,9 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
         "lambda:List*",
         "lambda:Get*",
       ]
-      resources = ["*"]
+      resources = [
+        "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
+      ]
     }
   }
 
@@ -115,53 +112,28 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
     content {
       effect = "Allow"
       actions = [
-        "lambda:*"
+        "lambda:InvokeFunction",
+        "lambda:List*",
+        "lambda:Get*",
+      ]
+      resources = [
+        "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
       ]
-      resources = ["*"]
     }
   }
 
-  # CloudWatch and logging permissions
-  statement {
-    effect = "Allow"
-    actions = [
-      "logs:*",
-      "cloudtrail:*",
-      "cloudwatch:*"
-    ]
-    resources = ["*"]
-  }
 
   # IAM permissions (restricted)
   statement {
     effect = "Allow"
     actions = [
-      "iam:Get*",
       "iam:List*",
-      "iam:PassRole"
-    ]
-    resources = ["*"]
-  }
-
-  # KMS permissions
-  statement {
-    effect = "Allow"
-    actions = [
-      "kms:Describe*",
-      "kms:List*",
-      "kms:Get*"
     ]
-    resources = ["*"]
-  }
-
-  # SSM permissions
-  statement {
-    effect = "Allow"
-    actions = [
-      "ssm:GetParameter*",
-      "ssm:PutParameter"
+    resources = [
+      "arn:aws:iam::*:role/eligibility_lambda-role*",
+      "arn:aws:iam::*:role/*-api-gateway-*-role",
+      "arn:aws:iam::*:role/eligibility-signposting-api-*-external-write-role"
     ]
-    resources = ["*"]
   }
 
   # S3 permissions for application buckets
@@ -170,33 +142,13 @@ data "aws_iam_policy_document" "terraform_developer_policy" {
     actions = [
       "s3:List*",
       "s3:Get*",
-      "s3:Put*",
-      "s3:CreateBucket",
-      "s3:DeleteObject"
     ]
-    resources = ["*"]
-  }
-
-  # API Gateway permissions
-  statement {
-    effect = "Allow"
-    actions = [
-      "apigateway:*"
-    ]
-    resources = ["*"]
-  }
-
-  # Read-only permissions for broader resources
-  statement {
-    effect = "Allow"
-    actions = [
-      "ec2:Describe*",
-      "iam:Get*",
-      "iam:List*",
-      "s3:List*",
-      "kms:List*"
+    resources = [
+      "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules",
+      "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-rules/*",
+      "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit",
+      "arn:aws:s3:::*eligibility-signposting-${var.environment}-eli-audit/*",
     ]
-    resources = ["*"]
   }
 }
 
@@ -212,3 +164,5 @@ resource "aws_iam_role_policy_attachment" "terraform_developer_attachment" {
   role       = aws_iam_role.terraform_developer.name
   policy_arn = aws_iam_policy.terraform_developer_policy.arn
 }
+
+data "aws_region" "current" {}