[ELI-702] creating the resources and outputs

Author: TOEL2

infrastructure/modules/lambda/outputs.tf

@@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {
 output "lambda_cmk_arn" {
   value = aws_kms_key.lambda_cmk.arn
 }
+
+output "lambda_signing_profile_name" {
+  value = aws_signer_signing_profile.lambda_signing.name
+}

infrastructure/modules/lambda/signing.tf

@@ -0,0 +1,25 @@
+resource "aws_signer_signing_profile" "lambda_signing" {
+  name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  #aws signer is strict with names, does not like hyphens or underscores
+
+  platform_id = "AWSLambda-SHA384-ECDSA"
+
+  signature_validity_period {
+    value = 365
+    type  = "DAYS"
+  }
+}
+
+resource "aws_lambda_code_signing_config" "signing_config" {
+  allowed_publishers {
+    signing_profile_version_arns = [
+      aws_signer_signing_profile.lambda_signing.version_arn
+    ]
+  }
+
+  policies {
+    untrusted_artifact_on_deployment = "Enforce"
+  }
+
+   description = "Only allow Lambda bundles signed by our trusted signer profile"
+}

infrastructure/stacks/api-layer/lambda.tf

@@ -35,6 +35,12 @@ module "eligibility_signposting_lambda_function" {
   api_domain_name                           = local.api_domain_name
 }
 
+
+# Needed by github workflows to sign the lambda artifacts
+output "signing_profile_name" {
+  value = module.eligibility_signposting_lambda_function.lambda_signing_profile_name
+}
+
 # -----------------------------------------------------------------------------
 # Secret rotation lambdas
 # -----------------------------------------------------------------------------