From f89a9ebca4c72d177570bffb522f06d61729689e Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Wed, 11 Jun 2025 14:29:16 +0100 Subject: [PATCH 01/18] eli-193 adding in lambda build to deployment --- .github/workflows/cicd-3-deploy.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index a04aa0a10..b46e14501 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -95,6 +95,17 @@ jobs: with: python-version: '3.13' + - name: "Build lambda artefact" + run: | + make dependencies install-python + make build + + - name: "Upload lambda artefact" + uses: actions/upload-artifact@v4 + with: + name: lambda + path: dist/lambda.zip + - name: "Download Built Lambdas" uses: actions/download-artifact@v4 with: From 0bce2f37723a25e176fe266fd2bb22b55806f89d Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Wed, 11 Jun 2025 14:43:39 +0100 Subject: [PATCH 02/18] eli-193 adding checkout repo --- .github/workflows/cicd-3-deploy.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index b46e14501..cdd8be918 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -79,7 +79,7 @@ jobs: deploy: name: "Deploy to an environment" runs-on: ubuntu-latest - needs: [ metadata ] + needs: [metadata] timeout-minutes: 10 permissions: id-token: write @@ -93,7 +93,10 @@ jobs: - name: "Set up Python" uses: actions/setup-python@v5 with: - python-version: '3.13' + python-version: "3.13" + + - name: "Checkout Repository" + uses: actions/checkout@v4 - name: "Build lambda artefact" run: | @@ -181,7 +184,6 @@ jobs: draft: false prerelease: ${{ inputs.environment == 'ref' }} - # TODO: complete notify step # success: # name: "Success notification" From 34c7ccc1c5695f95be3340a5a6246d351aec7c08 Mon Sep 17 00:00:00 2001 
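Review bot: The new `actions/upload-artifact@v4` step (like the `actions/download-artifact@v4` in the context right after it) is pinned to a floating major tag, in a job that holds `id-token: write` and goes on to assume an AWS role, so whoever can move that tag runs with the deployment credentials. Pin to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<40-char-sha> # v4.x`, and let Dependabot or Renovate bump it. The build step also runs `make dependencies install-python` and `make build` with no comment saying what `dist/lambda.zip` contains or that the following download step consumes an artefact of the same name; a one-line `# builds dist/lambda.zip consumed by the deploy steps below` above it would help. The job definition starts before this hunk.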
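Review bot: The added `actions/checkout@v4` step leaves `persist-credentials` at its default of true, which writes the job's `GITHUB_TOKEN` into `.git/config` on the runner for the `make dependencies install-python` and `make build` steps that follow and for the rest of this deploy job. Nothing visible in the hunk needs git credentials after the checkout, so add `with:` / `persist-credentials: false` under the step; the later tag and release steps are outside this hunk and, if they push, should use an explicitly scoped token rather than the persisted one. The job body continues outside the hunk.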
From: Edd Almond Date: Wed, 11 Jun 2025 14:57:38 +0100 Subject: [PATCH 03/18] eli-193 adding environment for publish --- .github/workflows/cicd-3-deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index cdd8be918..3d2ab84c2 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -80,6 +80,7 @@ jobs: name: "Deploy to an environment" runs-on: ubuntu-latest needs: [metadata] + environment: ${{ github.event.inputs.environment }} timeout-minutes: 10 permissions: id-token: write From c63af7dc7a866ef9da97acaacf893ea3a8cfee23 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Wed, 11 Jun 2025 14:58:52 +0100 Subject: [PATCH 04/18] eli-193 further bug fix --- .github/workflows/cicd-3-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 3d2ab84c2..cc3a12eff 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -80,7 +80,7 @@ jobs: name: "Deploy to an environment" runs-on: ubuntu-latest needs: [metadata] - environment: ${{ github.event.inputs.environment }} + environment: ${{ inputs.environment }} timeout-minutes: 10 permissions: id-token: write From 6d299c060e50af79318fd8e8167311b5810999ea Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Wed, 11 Jun 2025 16:05:06 +0100 Subject: [PATCH 05/18] eli-193 changing tf command to apply --- .github/workflows/cicd-3-deploy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index cc3a12eff..5bf6cc38c 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml 
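Review bot: Binding the job to `environment: ${{ inputs.environment }}` changes the subject of the OIDC token the job presents under `id-token: write`: with an environment set, `sub` takes the `repo:<org>/<repo>:environment:<name>` form instead of the `ref:` form, so the AWS role trust policy must allow that subject or the assume-role step will start failing (the trust policy is not in this series, so verify it). It also means the environment's protection rules are now the only gate in front of the `terraform apply` this workflow runs later, so required reviewers should be configured on every environment name the input can take. If `inputs.environment` is not declared as a `choice` input, a free-text value that matches no configured environment will be created on the fly with no protection rules; constrain the input where it is declared, outside this hunk.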
@@ -133,9 +133,9 @@ jobs: # just planning for now for safety and until review run: | mkdir -p ./build - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan" + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan" + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE working-directory: ./infrastructure @@ -183,7 +183,7 @@ jobs: body: | Auto-release created during deployment. draft: false - prerelease: ${{ inputs.environment == 'ref' }} + prerelease: ${{ inputs.environment == 'preprod' }} # TODO: complete notify step # success: From f4b26e2474a162c0ecac7494d3b9de6272f11fe2 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Wed, 11 Jun 2025 16:20:28 +0100 Subject: [PATCH 06/18] eli-139 changing action to be apply not plan --- .github/workflows/cicd-3-deploy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 5bf6cc38c..2c57a64c1 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml 
@@ -134,9 +134,9 @@ jobs: run: | mkdir -p ./build echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" - make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE + make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE + make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE working-directory: ./infrastructure - name: "Tag the deployment using incremental semantic versioning" From c7c3c5d6b3ef7ceeca9f35e469085ea25ee1e5c4 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 09:58:26 +0100 Subject: [PATCH 07/18] eli-139 updating permissions to allow networking stack deployment from scratch --- .../github_actions_policies.tf | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index ad521c848..93f159fdb 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -78,17 +78,23 @@ resource "aws_iam_policy" "api_infrastructure" { "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:Encrypt", + "kms:ListAliases", + "kms:TagResource", + "kms:GenerateDataKey", # Cloudwatch permissions "logs:Describe*", "logs:ListTagsForResource", "logs:PutRetentionPolicy", "logs:AssociateKmsKey", + "logs:CreateLogGroup", #EC2 permissions "ec2:Describe*", "ec2:CreateTags", "ec2:CreateNetworkAclEntry", + "ec2:CreateNetworkAcl", + "ec2:AssociateRouteTable", # IAM permissions (scoped to resources with specific path prefix) "iam:Get*", 
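Review bot: With both `make terraform … tf-command=apply` calls now applying, the comment immediately above this hunk's first line, `# just planning for now for safety and until review`, states the opposite of what the step does; replace it with something like `# applies networking then api-layer; the only gate is the GitHub environment's protection rules`. Because there is no longer a separate plan step, no one sees what will change before it is applied; a safer shape is `plan -out` in one job, upload the plan file as an artefact, and `apply` the saved plan in this environment-gated job so that what was reviewed is what runs. The `make terraform` target presumably passes `-auto-approve` for a non-interactive apply; confirm that is the case so the step does not hang until `timeout-minutes` expires. The step starts before this hunk.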
@@ -100,21 +106,45 @@ resource "aws_iam_policy" "api_infrastructure" { "iam:Delete*", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy", + "iam:CreateRole", + "iam:TagRole", + "iam:PassRole", # ssm "ssm:GetParameter", "ssm:GetParameters", "ssm:DescribeParameters", "ssm:ListTagsForResource", + "ssm:PutParameter", + "ssm:AddTagsToResource", # acm "acm:ListCertificates", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListTagsForCertificate", + "acm:RequestCertificate", + "acm:AddTagsToCertificate", + "acm:ImportCertificate", + + # ec2 - VPC + "ec2:CreateVpc", + "ec2:ModifyVpcAttribute", + "ec2:DeleteVpc", + "ec2:CreateRouteTable", + "ec2:CreateSubnet", + "ec2:RevokeSecurityGroupIngress", + "ec2:CreateSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:CreateVpcEndpoint", + "ec2:CreateFlowLogs", + "ec2:ReplaceNetworkAclAssociation", + "ec2:DeleteSecurityGroup", + "ec2:DeleteNetworkAcl" ], - Resource = "*" } ] From bc6face60ab39ed7eb7b532caaeb402af1056b22 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 15:54:39 +0100 Subject: [PATCH 08/18] eli-139 making ssm deploy optional --- infrastructure/stacks/networking/ssm.tf | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf index 666396b98..5b379f1f9 100644 --- a/infrastructure/stacks/networking/ssm.tf +++ b/infrastructure/stacks/networking/ssm.tf 
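Review bot: The hunk removes the `Resource = "*"` line from the `api_infrastructure` statement without adding a replacement, so the statement has neither `Resource` nor `NotResource` and `aws_iam_policy` will be rejected as a malformed policy document on apply. Separately, adding `iam:CreateRole` and `iam:PassRole` next to the existing `iam:PutRolePolicy` on a wildcard resource gives the GitHub Actions role a straightforward privilege-escalation path (create any role, attach any inline policy, pass it to a service), which contradicts the context comment `# IAM permissions (scoped to resources with specific path prefix)`. Patch 17 in this series reverts the hunk as "handled on another ticket"; when these actions come back, put them in their own statement with `Resource = "arn:aws:iam::<account>:role/<path>/*"`, a `Condition` requiring `iam:PermissionsBoundary`, and an `iam:PassedToService` condition on `iam:PassRole`. The `aws_iam_policy` block starts before this hunk.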
@@ -10,22 +10,36 @@ # } # } # +data "aws_ssm_parameters_with_values" "existing_client_cert" { + names = ["/${var.environment}/mtls/api_client_cert"] +} + +data "aws_ssm_parameters_with_values" "existing_ca_cert" { + names = ["/${var.environment}/mtls/api_ca_cert"] +} + +data "aws_ssm_parameters_with_values" "existing_private_key_cert" { + names = ["/${var.environment}/mtls/api_private_key_cert"] +} + + resource "aws_ssm_parameter" "mtls_api_ca_cert" { + count = length(data.aws_ssm_parameters_with_values.existing_ca_cert.names) == 0 ? 1 : 0 name = "/${var.environment}/mtls/api_ca_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id value = var.API_CA_CERT tier = "Advanced" tags = { - Stack = local.stack_name + Stack = local.stack_name } - lifecycle { ignore_changes = [value] } } resource "aws_ssm_parameter" "mtls_api_client_cert" { + count = length(data.aws_ssm_parameters_with_values.existing_client_cert.names) == 0 ? 1 : 0 name = "/${var.environment}/mtls/api_client_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id @@ -34,13 +48,13 @@ resource "aws_ssm_parameter" "mtls_api_client_cert" { tags = { Stack = local.stack_name } - lifecycle { ignore_changes = [value] } } resource "aws_ssm_parameter" "mtls_api_private_key_cert" { + count = length(data.aws_ssm_parameters_with_values.existing_private_key_cert.names) == 0 ? 1 : 0 name = "/${var.environment}/mtls/api_private_key_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id From 4ae5d124ad4c53c43a9e036768e6e1332cbd9513 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 16:02:25 +0100 Subject: [PATCH 09/18] eli-139 trying new approach to conditional creation of ssm --- infrastructure/stacks/networking/ssm.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf index 5b379f1f9..7d1b7ae23 100644 --- a/infrastructure/stacks/networking/ssm.tf 
+++ b/infrastructure/stacks/networking/ssm.tf @@ -10,21 +10,21 @@ # } # } # -data "aws_ssm_parameters_with_values" "existing_client_cert" { - names = ["/${var.environment}/mtls/api_client_cert"] +data "aws_ssm_parameter" "existing_ca_cert" { + name = "/${var.environment}/mtls/api_ca_cert" } -data "aws_ssm_parameters_with_values" "existing_ca_cert" { - names = ["/${var.environment}/mtls/api_ca_cert"] +data "aws_ssm_parameter" "existing_client_cert" { + name = "/${var.environment}/mtls/api_client_cert" } -data "aws_ssm_parameters_with_values" "existing_private_key_cert" { - names = ["/${var.environment}/mtls/api_private_key_cert"] +data "aws_ssm_parameter" "existing_private_key_cert" { + name = "/${var.environment}/mtls/api_private_key_cert" } resource "aws_ssm_parameter" "mtls_api_ca_cert" { - count = length(data.aws_ssm_parameters_with_values.existing_ca_cert.names) == 0 ? 1 : 0 + count = can(data.aws_ssm_parameter.existing_ca_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_ca_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id @@ -39,7 +39,7 @@ resource "aws_ssm_parameter" "mtls_api_ca_cert" { } resource "aws_ssm_parameter" "mtls_api_client_cert" { - count = length(data.aws_ssm_parameters_with_values.existing_client_cert.names) == 0 ? 1 : 0 + count = can(data.aws_ssm_parameter.existing_client_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_client_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id @@ -54,7 +54,7 @@ resource "aws_ssm_parameter" "mtls_api_client_cert" { } resource "aws_ssm_parameter" "mtls_api_private_key_cert" { - count = length(data.aws_ssm_parameters_with_values.existing_private_key_cert.names) == 0 ? 1 : 0 + count = can(data.aws_ssm_parameter.existing_private_key_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_private_key_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id From 36cb4f9454da2929fc5f0b6ae7f811be2eae3196 Mon Sep 17 00:00:00 2001 
From: Edd Almond Date: Thu, 12 Jun 2025 16:15:49 +0100 Subject: [PATCH 10/18] making acm imported cert take into account count on ssm params --- infrastructure/stacks/networking/acm_certificates.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infrastructure/stacks/networking/acm_certificates.tf b/infrastructure/stacks/networking/acm_certificates.tf index 9568682ad..579c238d9 100644 --- a/infrastructure/stacks/networking/acm_certificates.tf +++ b/infrastructure/stacks/networking/acm_certificates.tf @@ -1,15 +1,15 @@ resource "aws_acm_certificate" "imported_cert" { - private_key = aws_ssm_parameter.mtls_api_private_key_cert.value - certificate_body = aws_ssm_parameter.mtls_api_client_cert.value - certificate_chain = aws_ssm_parameter.mtls_api_ca_cert.value + private_key = can(data.aws_ssm_parameter.existing_private_key_cert.id) ? data.aws_ssm_parameter.existing_private_key_cert.value : aws_ssm_parameter.mtls_api_private_key_cert[0].value + certificate_body = can(data.aws_ssm_parameter.existing_client_cert.id) ? data.aws_ssm_parameter.existing_client_cert.value : aws_ssm_parameter.mtls_api_client_cert[0].value + certificate_chain = can(data.aws_ssm_parameter.existing_ca_cert.id) ? data.aws_ssm_parameter.existing_ca_cert.value : aws_ssm_parameter.mtls_api_ca_cert[0].value lifecycle { create_before_destroy = true } tags = { - Region = local.region - Stack = local.stack_name + Region = local.region + Stack = local.stack_name CertificateType = "Imported" } } From f01ffc5122cd8eceda1f81484dbe3a8db9d503f3 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 16:20:03 +0100 Subject: [PATCH 11/18] reverting ACM + SSM changes --- .../stacks/networking/acm_certificates.tf | 10 +++++----- infrastructure/stacks/networking/ssm.tf | 20 +++---------------- 2 files changed, 8 insertions(+), 22 deletions(-) 
diff --git a/infrastructure/stacks/networking/acm_certificates.tf b/infrastructure/stacks/networking/acm_certificates.tf index 579c238d9..9568682ad 100644 --- a/infrastructure/stacks/networking/acm_certificates.tf +++ b/infrastructure/stacks/networking/acm_certificates.tf @@ -1,15 +1,15 @@ resource "aws_acm_certificate" "imported_cert" { - private_key = can(data.aws_ssm_parameter.existing_private_key_cert.id) ? data.aws_ssm_parameter.existing_private_key_cert.value : aws_ssm_parameter.mtls_api_private_key_cert[0].value - certificate_body = can(data.aws_ssm_parameter.existing_client_cert.id) ? data.aws_ssm_parameter.existing_client_cert.value : aws_ssm_parameter.mtls_api_client_cert[0].value - certificate_chain = can(data.aws_ssm_parameter.existing_ca_cert.id) ? data.aws_ssm_parameter.existing_ca_cert.value : aws_ssm_parameter.mtls_api_ca_cert[0].value + private_key = aws_ssm_parameter.mtls_api_private_key_cert.value + certificate_body = aws_ssm_parameter.mtls_api_client_cert.value + certificate_chain = aws_ssm_parameter.mtls_api_ca_cert.value lifecycle { create_before_destroy = true } tags = { - Region = local.region - Stack = local.stack_name + Region = local.region + Stack = local.stack_name CertificateType = "Imported" } } diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf index 7d1b7ae23..666396b98 100644 --- a/infrastructure/stacks/networking/ssm.tf +++ b/infrastructure/stacks/networking/ssm.tf 
@@ -10,36 +10,22 @@ # } # } # -data "aws_ssm_parameter" "existing_ca_cert" { - name = "/${var.environment}/mtls/api_ca_cert" -} - -data "aws_ssm_parameter" "existing_client_cert" { - name = "/${var.environment}/mtls/api_client_cert" -} - -data "aws_ssm_parameter" "existing_private_key_cert" { - name = "/${var.environment}/mtls/api_private_key_cert" -} - - resource "aws_ssm_parameter" "mtls_api_ca_cert" { - count = can(data.aws_ssm_parameter.existing_ca_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_ca_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id value = var.API_CA_CERT tier = "Advanced" tags = { - Stack = local.stack_name + Stack = local.stack_name } + lifecycle { ignore_changes = [value] } } resource "aws_ssm_parameter" "mtls_api_client_cert" { - count = can(data.aws_ssm_parameter.existing_client_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_client_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id @@ -48,13 +34,13 @@ resource "aws_ssm_parameter" "mtls_api_client_cert" { tags = { Stack = local.stack_name } + lifecycle { ignore_changes = [value] } } resource "aws_ssm_parameter" "mtls_api_private_key_cert" { - count = can(data.aws_ssm_parameter.existing_private_key_cert.id) ? 0 : 1 name = "/${var.environment}/mtls/api_private_key_cert" type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id From 7c41334c123a48ab7badae6657371b1f9dd987af Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 16:45:15 +0100 Subject: [PATCH 12/18] eli-139 changing alias name for networking ssm key --- infrastructure/stacks/api-layer/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/data.tf b/infrastructure/stacks/api-layer/data.tf index ae018e6b6..f4dfb5827 100644 --- a/infrastructure/stacks/api-layer/data.tf +++ b/infrastructure/stacks/api-layer/data.tf 
@@ -16,7 +16,7 @@ data "aws_acm_certificate" "validation_cert" { } data "aws_kms_alias" "networking_ssm_key" { - name = "alias/dev-Networking-ssm-parameters" + name = "alias/${var.environment}-Networking-ssm-parameters" } data "aws_ssm_parameter" "mtls_api_client_cert" { From dbb02e177c4ac426fa9d4dd4ff2435ba9dbd4b90 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Thu, 12 Jun 2025 17:40:33 +0100 Subject: [PATCH 13/18] eli-139 updating permissions for api gateway --- infrastructure/modules/api_gateway/iam.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf index 5393e0066..83a1051df 100644 --- a/infrastructure/modules/api_gateway/iam.tf +++ b/infrastructure/modules/api_gateway/iam.tf @@ -19,7 +19,16 @@ data "aws_iam_policy_document" "api_gateway_logging" { sid = "AllowCloudWatchLogging" effect = "Allow" actions = [ - "logs:CreateLogGroup", + "logs:CreateLogGroup" + ] + resources = [ + "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*" + ] + } + statement { + sid = "AllowCloudWatchLogStreamAndEvents" + effect = "Allow" + actions = [ "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", From f82e5b2aa69262440a4ca6b57a73a0c4df49c5ab Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Fri, 13 Jun 2025 10:42:17 +0100 Subject: [PATCH 14/18] eli-139 amending api gateway permissions to enable deployment --- infrastructure/modules/api_gateway/iam.tf | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf index 83a1051df..dcfa472ac 100644 --- a/infrastructure/modules/api_gateway/iam.tf +++ b/infrastructure/modules/api_gateway/iam.tf 
@@ -16,7 +16,7 @@ resource "aws_iam_role" "api_gateway" { data "aws_iam_policy_document" "api_gateway_logging" { statement { - sid = "AllowCloudWatchLogging" + sid = "AllowCreateLogGroup" effect = "Allow" actions = [ "logs:CreateLogGroup" @@ -26,17 +26,26 @@ data "aws_iam_policy_document" "api_gateway_logging" { ] } statement { - sid = "AllowCloudWatchLogStreamAndEvents" + sid = "AllowLogStreamAndEvents" effect = "Allow" actions = [ "logs:CreateLogStream", + "logs:PutLogEvents" + ] + resources = [ + "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*" + ] + } + statement { + sid = "AllowDescribeAndGet" + effect = "Allow" + actions = [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", - "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ] - resources = [aws_cloudwatch_log_group.api_gateway.arn] + resources = ["*"] } } From 4dc466e3be362e6d4c0a185d00955431ed975048 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Fri, 13 Jun 2025 12:41:57 +0100 Subject: [PATCH 15/18] eli-139 adding dependencies for api gateway creation --- infrastructure/stacks/api-layer/api_gateway.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf index 0c5691196..5d28ebbb4 100644 --- a/infrastructure/stacks/api-layer/api_gateway.tf +++ b/infrastructure/stacks/api-layer/api_gateway.tf @@ -99,6 +99,14 @@ resource "aws_api_gateway_domain_name" "check_eligibility" { lifecycle { create_before_destroy = true } + + depends_on = [ + aws_s3_object.pem_file, + data.aws_acm_certificate.imported_cert, + data.aws_acm_certificate.validation_cert, + module.s3_truststore_bucket, + module.eligibility_signposting_api_gateway.aws_cloudwatch_log_group.api_gateway + ] } resource "aws_api_gateway_base_path_mapping" "eligibility-signposting-api" { From 2604350eb88d93e5cd5ea112720fa796bf677d4d Mon Sep 17 00:00:00 2001 
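Review bot: The new `AllowDescribeAndGet` statement at the end of the hunk moves `logs:GetLogEvents` and `logs:FilterLogEvents` from the gateway's own log group (`aws_cloudwatch_log_group.api_gateway.arn`, on the removed line) to `resources = ["*"]`, which lets the API Gateway execution role read every log group in the account. Only `logs:DescribeLogGroups` genuinely cannot be resource-scoped; move `"logs:GetLogEvents", "logs:FilterLogEvents"` into the `AllowLogStreamAndEvents` statement and leave just the Describe actions on `*`. That scoped statement also hard-codes the `log-group:/aws/apigateway/*` prefix; if `aws_cloudwatch_log_group.api_gateway` is named differently, `CreateLogStream`/`PutLogEvents` will be denied, so consider deriving the ARN from that resource (`"${aws_cloudwatch_log_group.api_gateway.arn}:*"`) instead. The policy document continues outside the hunk.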
From: Edd Almond Date: Fri, 13 Jun 2025 12:46:55 +0100 Subject: [PATCH 16/18] eli-139 bugfix on api gateway resource --- infrastructure/stacks/api-layer/api_gateway.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf index 5d28ebbb4..745210a25 100644 --- a/infrastructure/stacks/api-layer/api_gateway.tf +++ b/infrastructure/stacks/api-layer/api_gateway.tf @@ -105,7 +105,7 @@ resource "aws_api_gateway_domain_name" "check_eligibility" { data.aws_acm_certificate.imported_cert, data.aws_acm_certificate.validation_cert, module.s3_truststore_bucket, - module.eligibility_signposting_api_gateway.aws_cloudwatch_log_group.api_gateway + module.eligibility_signposting_api_gateway ] } From 0e076a927418294e0b507dc4c33e42ce38ae2683 Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Fri, 13 Jun 2025 14:20:51 +0100 Subject: [PATCH 17/18] eli-139 reverting policies as handled on another ticket --- .../github_actions_policies.tf | 32 +------------------ 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 93f159fdb..ad521c848 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf 
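Review bot: The `depends_on` list now ends with the whole `module.eligibility_signposting_api_gateway`, which is a valid reference where the previous sub-resource path was not, but neither the hunk nor the commit message records why the domain name must wait for the truststore object, the two certificate data sources and the entire module; explicit `depends_on` entries are exactly what the next maintainer removes when the reason is missing. Add a comment above the list along the lines of `# explicit: Terraform cannot infer from the arguments that the mTLS truststore object and the gateway's log group must exist before this domain name is created`, adjusted to the failure that was actually observed. Depending on the whole module also orders this resource after every resource inside it; if the module exposes an output for the log group, depending on that output is narrower. The `aws_api_gateway_domain_name` block starts before this hunk.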
@@ -78,23 +78,17 @@ resource "aws_iam_policy" "api_infrastructure" { "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:Encrypt", - "kms:ListAliases", - "kms:TagResource", - "kms:GenerateDataKey", # Cloudwatch permissions "logs:Describe*", "logs:ListTagsForResource", "logs:PutRetentionPolicy", "logs:AssociateKmsKey", - "logs:CreateLogGroup", #EC2 permissions "ec2:Describe*", "ec2:CreateTags", "ec2:CreateNetworkAclEntry", - "ec2:CreateNetworkAcl", - "ec2:AssociateRouteTable", # IAM permissions (scoped to resources with specific path prefix) "iam:Get*", @@ -106,45 +100,21 @@ resource "aws_iam_policy" "api_infrastructure" { "iam:Delete*", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy", - "iam:CreateRole", - "iam:TagRole", - "iam:PassRole", # ssm "ssm:GetParameter", "ssm:GetParameters", "ssm:DescribeParameters", "ssm:ListTagsForResource", - "ssm:PutParameter", - "ssm:AddTagsToResource", # acm "acm:ListCertificates", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListTagsForCertificate", - "acm:RequestCertificate", - "acm:AddTagsToCertificate", - "acm:ImportCertificate", - - # ec2 - VPC - "ec2:CreateVpc", - "ec2:ModifyVpcAttribute", - "ec2:DeleteVpc", - "ec2:CreateRouteTable", - "ec2:CreateSubnet", - "ec2:RevokeSecurityGroupIngress", - "ec2:CreateSecurityGroup", - "ec2:RevokeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:CreateVpcEndpoint", - "ec2:CreateFlowLogs", - "ec2:ReplaceNetworkAclAssociation", - "ec2:DeleteSecurityGroup", - "ec2:DeleteNetworkAcl" ], + Resource = "*" } ] From 7ed508849caf3c8aad8ed0a0b6a0e82579a13d3a Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Tue, 17 Jun 2025 13:23:29 +0100 Subject: [PATCH 18/18] eli-139 adding checkov skip for global read permissions in API Gateway log describe and get operations --- infrastructure/modules/api_gateway/iam.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf index dcfa472ac..c59937a70 100644 --- a/infrastructure/modules/api_gateway/iam.tf +++ b/infrastructure/modules/api_gateway/iam.tf @@ -15,6 +15,7 @@ resource "aws_iam_role" "api_gateway" { } data "aws_iam_policy_document" "api_gateway_logging" { + #checkov:skip=CKV_AWS_356: Wildcard permissions needed for global log event reads statement { sid = "AllowCreateLogGroup" effect = "Allow"
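Review bot: The new `#checkov:skip=CKV_AWS_356` line suppresses the wildcard-resource finding for the whole `api_gateway_logging` document, but its justification, `Wildcard permissions needed for global log event reads`, does not match the constraint: it is `logs:DescribeLogGroups` that cannot be resource-scoped, whereas `GetLogEvents`/`FilterLogEvents` can be limited to the gateway's log group. Reword it so the exception records the real reason, e.g. `#checkov:skip=CKV_AWS_356: logs:DescribeLogGroups does not support resource-level permissions; see AllowDescribeAndGet`, and keep that statement as narrow as the constraint allows so the skip does not quietly cover unrelated actions added later. The policy document continues outside the hunk.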