
Commit dfd4e19

committed
Merge branch 'main' into bugfix/eja-eli-606-fixing-terraform-calls
2 parents 748a0af + 6abac06 commit dfd4e19

44 files changed

Lines changed: 3335 additions & 162 deletions


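--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -83,7 +83,7 @@ jobs:
 run: |
 git fetch --tags --force
 SHA="${{ github.event.workflow_run.head_sha }}"
-TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+TAG=$(git tag --points-at "$SHA" | grep '^dev-' | sort -r | head -n1 || true)
 if [ -z "$TAG" ]; then
 echo "Using the dev tag provided in the input field" >&2
 TAG="${{ inputs.ref }}"
@@ -203,6 +203,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
 working-directory: ./infrastructure
 shell: bash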
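Review bot: The added `TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}` hands the production Proxygen private key to a Terraform run that, judging by the workflow names and the "Deploying … to TEST" message in release-candidate.yml, also serves non-production deploys; the same line is added in cicd-2-publish.yaml, cicd-3-test-deploy.yaml and release-candidate.yml. Scoping the key as a GitHub environment secret and selecting it through the job's `environment:` (one secret name per environment, e.g. `PROXYGEN_PRIVATE_KEY` — name illustrative) would keep the prod key out of test and publish pipelines. Because the value arrives as a TF_VAR, wherever it is consumed it will be written to plan output and state, so the matching Terraform `variable` should carry `sensitive = true` and the state backend's access should be reviewed; that declaration is not in this commit, so please confirm. The enclosing job's other steps lie outside this hunk.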

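--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -103,6 +103,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
 run: |
 mkdir -p ./build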

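--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -38,7 +38,7 @@ jobs:
 run: |
 git fetch --tags --force
 SHA="${{ github.event.workflow_run.head_sha }}"
-TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+TAG=$(git tag --points-at "$SHA" | grep '^dev-' | sort -r | head -n1 || true)
 if [ -z "$TAG" ]; then
 echo "No dev-* tag found on $SHA" >&2
 exit 1
@@ -90,6 +90,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 
 run: |
 mkdir -p ./build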
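Review bot: `sort -r` on the `dev-*` tags is a plain lexical reverse sort, so once a numeric component crosses a digit boundary (`dev-9` sorts after `dev-10`, so `head -n1` picks `dev-9`) the newest tag is no longer the one deployed; base-deploy.yml changes the same line. If the tags carry numeric versions, `TAG=$(git tag --points-at "$SHA" | grep '^dev-' | sort -V -r | head -n1 || true)` (GNU version sort) orders them as intended; if they are fixed-width date stamps the lexical sort is fine and a one-line comment saying so would spare the next reader the question. The tag format is not visible in this commit, so this is a point to confirm rather than a certain defect. The rest of the step lies outside this hunk.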

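--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -237,6 +237,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+
 run: |
 mkdir -p ./build
 echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to TEST"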
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
name: Trigger Vita Preprod Tests
2+
3+
on:
4+
workflow_dispatch:
5+
6+
jobs:
7+
call-vita-tests:
8+
name: Call Vita Integration Tests
9+
uses: NHSDigital/eligibility-signposting-api-regression-tests/.github/workflows/my-vaccs-int-tests.yml@main
10+
secrets:
11+
ELID_PREPROD_AWS_ACCOUNT_ID: ${{ secrets.PREPROD_AWS_ACCOUNT_ID }}
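Review bot: `uses: NHSDigital/eligibility-signposting-api-regression-tests/.github/workflows/my-vaccs-int-tests.yml@main` pins the reusable workflow to a mutable branch while passing it `secrets.PREPROD_AWS_ACCOUNT_ID`, so whatever lands on that repository's main next runs here with this repository's secret and with this repository's GITHUB_TOKEN. Pin the reference to a full commit SHA (`@<commit-sha>` with the tracked tag in a trailing comment) or at least to a protected release tag. Since this appears to be a new workflow file (its path is not shown on this page), adding a top-level `permissions: {}` — or the minimal grants the called workflow actually needs — keeps the default token scope from being wider than the job requires.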

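--- a/infrastructure/modules/lambda/lambda.tf
+++ b/infrastructure/modules/lambda/lambda.tf
@@ -17,14 +17,15 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
 environment {
 variables = {
-PERSON_TABLE_NAME = var.eligibility_status_table_name,
-RULES_BUCKET_NAME = var.eligibility_rules_bucket_name,
-KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
-ENV = var.environment
-LOG_LEVEL = var.log_level
-ENABLE_XRAY_PATCHING = var.enable_xray_patching
-API_DOMAIN_NAME = var.api_domain_name
-HASHING_SECRET_NAME = var.hashing_secret_name
+PERSON_TABLE_NAME = var.eligibility_status_table_name,
+RULES_BUCKET_NAME = var.eligibility_rules_bucket_name,
+CONSUMER_MAPPING_BUCKET_NAME = var.eligibility_consumer_mappings_bucket_name,
+KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
+ENV = var.environment
+LOG_LEVEL = var.log_level
+ENABLE_XRAY_PATCHING = var.enable_xray_patching
+API_DOMAIN_NAME = var.api_domain_name
+HASHING_SECRET_NAME = var.hashing_secret_name
 }
 }
 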
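--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -44,6 +44,11 @@ variable "eligibility_rules_bucket_name" {
 type = string
 }
 
+variable "eligibility_consumer_mappings_bucket_name" {
+description = "consumer mappings bucket name"
+type = string
+}
+
 variable "eligibility_status_table_name" {
 description = "eligibility datastore table name"
 type = string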

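--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -104,6 +104,60 @@ data "aws_iam_policy_document" "rules_s3_bucket_policy" {
 }
 }
 
+# Policy doc for S3 Consumer Mappings bucket
+data "aws_iam_policy_document" "s3_consumer_mapping_bucket_policy" {
+statement {
+sid = "AllowSSLRequestsOnly"
+actions = [
+"s3:GetObject",
+"s3:ListBucket",
+]
+resources = [
+module.s3_consumer_mappings_bucket.storage_bucket_arn,
+"${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+]
+condition {
+test = "Bool"
+values = ["true"]
+variable = "aws:SecureTransport"
+}
+}
+}
+
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "consumer_mapping_s3_bucket" {
+bucket = module.s3_consumer_mappings_bucket.storage_bucket_id
+policy = data.aws_iam_policy_document.consumer_mapping_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "consumer_mapping_s3_bucket_policy" {
+statement {
+sid = "AllowSslRequestsOnly"
+actions = [
+"s3:*",
+]
+effect = "Deny"
+resources = [
+module.s3_consumer_mappings_bucket.storage_bucket_arn,
+"${module.s3_consumer_mappings_bucket.storage_bucket_arn}/*",
+]
+principals {
+type = "*"
+identifiers = ["*"]
+}
+condition {
+test = "Bool"
+values = [
+"false",
+]
+
+variable = "aws:SecureTransport"
+}
+}
+}
+
+# audit bucket
 resource "aws_s3_bucket_policy" "audit_s3_bucket" {
 bucket = module.s3_audit_bucket.storage_bucket_id
 policy = data.aws_iam_policy_document.audit_s3_bucket_policy.json
@@ -137,11 +191,18 @@ data "aws_iam_policy_document" "audit_s3_bucket_policy" {
 
 # Attach s3 read policy to Lambda role
 resource "aws_iam_role_policy" "lambda_s3_read_policy" {
+# for rules bucket
 name = "S3ReadAccess"
 role = aws_iam_role.eligibility_lambda_role.id
 policy = data.aws_iam_policy_document.s3_rules_bucket_policy.json
 }
 
+resource "aws_iam_role_policy" "lambda_s3_mapping_read_policy" {
+name = "S3ConsumerMappingReadAccess"
+role = aws_iam_role.eligibility_lambda_role.id
+policy = data.aws_iam_policy_document.s3_consumer_mapping_bucket_policy.json
+}
+
 # Attach s3 write policy to kinesis firehose role
 resource "aws_iam_role_policy" "kinesis_firehose_s3_write_policy" {
 name = "S3WriteAccess"
@@ -290,6 +351,41 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
 policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
 }
 
+data "aws_iam_policy_document" "s3_consumer_mapping_kms_key_policy" {
+#checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+statement {
+sid = "EnableIamUserPermissions"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+actions = ["kms:*"]
+resources = ["*"]
+}
+
+#checkov:skip=CKV_AWS_111: Permission boundary enforces restrictions for this policy
+#checkov:skip=CKV_AWS_356: Permission boundary enforces resource-level controls
+#checkov:skip=CKV_AWS_109: Permission boundary governs write-access constraints
+statement {
+sid = "AllowLambdaDecrypt"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+}
+actions = ["kms:Decrypt"]
+resources = ["*"]
+}
+}
+
+resource "aws_kms_key_policy" "s3_consumer_mapping_kms_key" {
+key_id = module.s3_consumer_mappings_bucket.storage_bucket_kms_key_id
+policy = data.aws_iam_policy_document.s3_consumer_mapping_kms_key_policy.json
+}
+
 resource "aws_iam_role_policy" "splunk_firehose_policy" {
 #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
 #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams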
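Review bot: In the new `s3_consumer_mapping_bucket_policy` document the single statement is the Lambda's read grant (it is what `lambda_s3_mapping_read_policy` attaches to the role), yet its `sid` is `AllowSSLRequestsOnly` — the same wording as the bucket-policy Deny statement a few lines below — so the two documents read as if both enforce transport when only one does. Renaming it to describe the grant, e.g. `sid = "AllowConsumerMappingRead"`, keeps an audit of the role's permissions honest; the `aws:SecureTransport = true` condition can stay if the team wants belt-and-braces in the identity policy. In the KMS key policy, the three `#checkov:skip` lines above the `AllowLambdaDecrypt` statement cite a "Permission boundary" that nothing in this file shows, and read as copied from the root statement; since that statement is already a single-role, `kms:Decrypt`-only grant, reword them to say so or drop them so the suppression rationale matches the code. The `rules_s3_bucket_policy` and `audit_s3_bucket_policy` documents these mirror start outside the hunks.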

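--- a/infrastructure/stacks/api-layer/lambda.tf
+++ b/infrastructure/stacks/api-layer/lambda.tf
@@ -11,27 +11,28 @@ data "aws_subnet" "private_subnets" {
 }
 
 module "eligibility_signposting_lambda_function" {
-source = "../../modules/lambda"
-eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
-eligibility_lambda_role_name = aws_iam_role.eligibility_lambda_role.name
-workspace = local.workspace
-environment = var.environment
-runtime = "python3.13"
-lambda_func_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
+source = "../../modules/lambda"
+eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
+eligibility_lambda_role_name = aws_iam_role.eligibility_lambda_role.name
+workspace = local.workspace
+environment = var.environment
+runtime = "python3.13"
+lambda_func_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
 security_group_ids = [data.aws_security_group.main_sg.id]
-vpc_intra_subnets = [for v in data.aws_subnet.private_subnets : v.id]
-file_name = "../../../dist/lambda.zip"
-handler = "eligibility_signposting_api.app.lambda_handler"
-eligibility_rules_bucket_name = module.s3_rules_bucket.storage_bucket_name
-eligibility_status_table_name = module.eligibility_status_table.table_name
-kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
-hashing_secret_name = module.secrets_manager.aws_hashing_secret_name
-lambda_insights_extension_version = 38
-log_level = "INFO"
-enable_xray_patching = "true"
-stack_name = local.stack_name
-provisioned_concurrency_count = 5
-api_domain_name = local.api_domain_name
+vpc_intra_subnets = [for v in data.aws_subnet.private_subnets : v.id]
+file_name = "../../../dist/lambda.zip"
+handler = "eligibility_signposting_api.app.lambda_handler"
+eligibility_rules_bucket_name = module.s3_rules_bucket.storage_bucket_name
+eligibility_consumer_mappings_bucket_name = module.s3_consumer_mappings_bucket.storage_bucket_name
+eligibility_status_table_name = module.eligibility_status_table.table_name
+kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+hashing_secret_name = module.secrets_manager.aws_hashing_secret_name
+lambda_insights_extension_version = 38
+log_level = "INFO"
+enable_xray_patching = "true"
+stack_name = local.stack_name
+provisioned_concurrency_count = 5
+api_domain_name = local.api_domain_name
 }
 
 # -----------------------------------------------------------------------------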

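--- a/infrastructure/stacks/api-layer/s3_buckets.tf
+++ b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -7,6 +7,15 @@ module "s3_rules_bucket" {
 workspace = terraform.workspace
 }
 
+module "s3_consumer_mappings_bucket" {
+source = "../../modules/s3"
+bucket_name = "consumer-map"
+environment = var.environment
+project_name = var.project_name
+stack_name = local.stack_name
+workspace = terraform.workspace
+}
+
 module "s3_audit_bucket" {
 source = "../../modules/s3"
 bucket_name = "eli-audit"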
