Merge branch 'main' into feature/ELI-702-code-signing

Author: TOEL2

.github/CODEOWNERS

@@ -0,0 +1,14 @@
+# Default owner
+* @NHSDigital/eligibility-signposting-api-code-owners
+
+# Terraform / infra
+*.tf @NHSDigital/eligibility-signposting-api-code-owners
+
+# Lambda / API code
+/src/ @NHSDigital/eligibility-signposting-api-code-owners
+
+# Tests
+/tests/ @NHSDigital/eligibility-signposting-api-code-owners
+
+# GitHub workflows
+/.github/workflows/ @NHSDigital/eligibility-signposting-api-code-owners

.github/workflows/cicd-3-test-deploy.yaml

@@ -66,6 +66,17 @@ jobs:
         with:
           terraform_version: ${{ needs.metadata.outputs.terraform_version }}
 
+      - name: "Configure AWS Credentials (IAM Bootstrap Role)"
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role
+          aws-region: eu-west-2
+
+      - name: "Deploy IAM roles (iams-developer-roles stack)"
+        working-directory: ./infrastructure
+        run: |
+          make terraform env=test stack=iams-developer-roles tf-command=apply workspace=default
+
       - name: "Configure AWS Credentials"
         uses: aws-actions/configure-aws-credentials@v6
         with:

infrastructure/stacks/api-layer/cloudtrail.tf

@@ -27,34 +27,6 @@ resource "aws_kms_key" "cloudtrail_kms_key" {
   deletion_window_in_days = 14
   enable_key_rotation     = true
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid    = "EnableRootPermissions"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        }
-        Action   = "kms:*"
-        Resource = "*"
-      },
-      {
-        Sid    = "AllowCloudTrailEncryptLogs"
-        Effect = "Allow"
-        Principal = {
-          Service = "cloudtrail.amazonaws.com"
-        }
-        Action = [
-          "kms:GenerateDataKey*",
-          "kms:DescribeKey",
-          "kms:Encrypt"
-        ]
-        Resource = "*"
-      }
-    ]
-  })
-
   tags = {
     environment  = var.environment
     project_name = var.project_name

infrastructure/stacks/api-layer/cloudwatch.tf

@@ -46,4 +46,6 @@ resource "aws_cloudwatch_log_group" "cloudtrail_log_group" {
   name              = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}elid-aws-cloudtrail-logs"
   retention_in_days = 365
   kms_key_id        = aws_kms_alias.cloudtrail_kms_alias.arn
+
+  depends_on = [aws_kms_key_policy.cloudtrail_kms_key_policy]
 }

infrastructure/stacks/api-layer/s3_buckets.tf

@@ -60,7 +60,7 @@ module "s3_dq_metrics_bucket" {
 
 module "s3_cloudtrail_bucket" {
   source       = "../../modules/s3"
-  bucket_name  = "eli-cloudwatch-logs"
+  bucket_name  = "eli-cloudwatch"
   environment  = var.environment
   project_name = var.project_name
   stack_name   = local.stack_name

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -235,10 +235,10 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics/*",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/*",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs/*",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-access-logs/*",
         ]
       }
     ]

infrastructure/stacks/iams-developer-roles/github_actions_role.tf

@@ -87,6 +87,7 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
         "${var.github_org}/${var.github_repo}/.github/workflows/iam-bootstrap-deploy.yaml@*",
         "${var.github_org}/${var.github_repo}/.github/workflows/base-deploy.yml@*",
         "${var.github_org}/${var.github_repo}/.github/workflows/cicd-2-publish.yaml@*",
+        "${var.github_org}/${var.github_repo}/.github/workflows/cicd-3-test-deploy.yaml@*",
       ]
     }
   }

poetry.lock

@@ -47,7 +47,7 @@ pytest = "^8.4.2"
 pytest-asyncio = "^1.3.0"
 pytest-cov = "^7.0.0"
 pytest-nhsd-apim = "^5.0.14"
-aiohttp = "^3.13.2"
+aiohttp = "^3.13.4"
 awscli = "^1.37.24"
 awscli-local = "^0.22.2"
 polyfactory = "^3.2.0"