[ELI-702] pulling in main

TOEL2 · TOEL2 · commit 6e8cba38848d · 2026-04-11T11:16:14.000+01:00
diff --git a/infrastructure/modules/lambda/outputs.tf b/infrastructure/modules/lambda/outputs.tf
@@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {
 output "lambda_cmk_arn" {
   value = aws_kms_key.lambda_cmk.arn
 }
+
+output "lambda_signing_profile_name" {
+  value = aws_signer_signing_profile.lambda_signing.name
+}
diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
@@ -23,7 +23,3 @@ resource "aws_lambda_code_signing_config" "signing_config" {
 
   description = "Only allow Lambda bundles signed by our trusted signer profile"
 }
-
-output "lambda_signing_profile_name" {
-  value = aws_signer_signing_profile.lambda_signing.name
-}
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
@@ -35,6 +35,12 @@ module "eligibility_signposting_lambda_function" {
   api_domain_name                           = local.api_domain_name
 }
 
+
+# Needed by github workflows to sign the lambda artifacts
+output "signing_profile_name" {
+  value = module.eligibility_signposting_lambda_function.lambda_signing_profile_name
+}
+
 # -----------------------------------------------------------------------------
 # Secret rotation lambdas
 # -----------------------------------------------------------------------------
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -91,6 +91,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
 
       # Kinesis Stream - audit log streaming
       "kinesis:*",
+      # signing - code signing for Lambda functions
+      "signer:*",
 
       # CodeSigning
       "signer:*",
diff --git a/infrastructure/stacks/iams-developer-roles/locals.tf b/infrastructure/stacks/iams-developer-roles/locals.tf
@@ -1,3 +1,5 @@
 locals {
   stack_name = "iams-developer-roles"
+  lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  lambda_signing_profile_arn  = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
 }
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -57,7 +57,7 @@ pytest-docker = "^3.2.3"
 stamina = "^25.2.0"
 pytest-freezer = "^0.4.9"
 moto = "^5.1.19"
-requests = "^2.32.5"
+requests = "^2.33.0"
 jsonschema = "^4.25.1"
 behave = "^1.3.3"
 python-dotenv = "^1.2.1"

Original file line number	Diff line number	Diff line change
`@@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {`
`16`	`16`	`output "lambda_cmk_arn" {`
`17`	`17`	`value = aws_kms_key.lambda_cmk.arn`
`18`	`18`	`}`
	`19`	`+`
	`20`	`+output "lambda_signing_profile_name" {`
	`21`	`+ value = aws_signer_signing_profile.lambda_signing.name`
	`22`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,3 @@ resource "aws_lambda_code_signing_config" "signing_config" {`
`23`	`23`
`24`	`24`	`description = "Only allow Lambda bundles signed by our trusted signer profile"`
`25`	`25`	`}`
`26`		`-`
`27`		`-output "lambda_signing_profile_name" {`
`28`		`- value = aws_signer_signing_profile.lambda_signing.name`
`29`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
`1`	`1`	`locals {`
`2`	`2`	`stack_name = "iams-developer-roles"`
	`3`	`+ lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"`
	`4`	`+ lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"`
`3`	`5`	`}`