From e63acefdc8c9eaf3d850dd0857f3bde15a3d4444 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Mon, 30 Jun 2025 23:04:46 +0100 Subject: [PATCH 1/9] fix : iam policy kms key --- .../stacks/iams-developer-roles/github_actions_policies.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 9405c9764..f549e0649 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -364,6 +364,8 @@ resource "aws_iam_policy" "iam_management" { Resource = [ # Lambda role "arn:aws:iam::*:role/eligibility_lambda-role*", + # Kinesis Role + "arn:aws:iam::*:role/eligibility_audit_firehose-role*", # API Gateway role "arn:aws:iam::*:role/*-api-gateway-*-role", # External write role From c59b621fefe85787abd2481f3877a9d8230bc5cf Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Mon, 30 Jun 2025 23:15:37 +0100 Subject: [PATCH 2/9] cicd fix --- .github/workflows/cicd-3-deploy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 2c57a64c1..66bf56c36 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml 
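Review bot: The new `Resource` entry `"arn:aws:iam::*:role/eligibility_audit_firehose-role*"` carries a trailing wildcard, so this `iam_management` statement now covers every role whose name starts with that prefix, in any account (the `::*:` part matches the existing entries), rather than the one Firehose role; the neighbouring API role entry in the same list is anchored to an exact name. If the suffix is needed because the role is created with a generated suffix, record that in the comment, e.g. `# Kinesis Firehose delivery role (suffix wildcard: role name is generated)`, otherwise drop the `*`. The comment `# Kinesis Role` also names Kinesis while the ARN is a Firehose role, and the subject "fix : iam policy kms key" does not describe this hunk, which touches no KMS permission. The statement's `Action` list lies outside the hunk, so the effective grant on these roles cannot be judged from here.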
@@ -133,6 +133,8 @@ jobs: # just planning for now for safety and until review run: | mkdir -p ./build + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=iams-developer-roles tf-command=apply" + make terraform env=$ENVIRONMENT stack=iams-developer-roles tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" From 1f772910b6cee3e458aed7571d05e57463dd70b5 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 01:57:28 +0100 Subject: [PATCH 3/9] github actions role fix --- .../github_actions_policies.tf | 31 ++++++++++++++++++- .../github_actions_role.tf | 2 +- .../terraform_developer_role.tf | 10 +++--- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index f549e0649..dd5fe9b7f 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -376,7 +376,9 @@ resource "aws_iam_policy" "iam_management" { # VPC flow logs role "arn:aws:iam::*:role/vpc-flow-logs-role", # API role - "arn:aws:iam::*:role/*eligibility-signposting-api-role" + "arn:aws:iam::*:role/*eligibility-signposting-api-role", + # Kinesis firehose role + "arn:aws:iam::*:role/eligibility_audit_firehose-role*" ] } ] 
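Review bot: The added `make terraform ... stack=iams-developer-roles tf-command=apply` line sits under the context comment `# just planning for now for safety and until review`, which no longer describes the step — it applies, and now also applies the stack that defines the deployment role and its policies. That means the GitHub Actions role changes its own permissions in the same run; the `permissions_boundary` on the role (see the `github_actions_role.tf` hunk in this series) becomes the only control, and if `aws_iam_policy.permissions_boundary` lives in the same stack, that boundary is modifiable by the same run — worth confirming and, if so, gating this stack behind a plan-and-review step or an environment protection rule. Update the comment to something like `# applies stacks in dependency order; iams-developer-roles first, as later stacks reference its roles` if that ordering is the reason. The same two lines are added to `cicd-2-publish.yaml` in patch 8 ("developer roles run in dev env"), where the same points apply.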
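Review bot: The Firehose role ARN added after `# Kinesis firehose role` appears to land in the same `Resource` list of `iam_management` that patch 1 already extended with the identical `"arn:aws:iam::*:role/eligibility_audit_firehose-role*"` entry under `# Kinesis Role` a few lines above (both hunks sit inside the same `aws_iam_policy.iam_management` resource), so the ARN is now listed twice. Keep a single entry with a single comment; if the two hunks are in fact different statements, a comment on each naming which statement it belongs to would make that visible. The `Action` list for the statement is outside the hunk.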
@@ -412,6 +414,28 @@ data "aws_iam_policy_document" "github_actions_assume_role" { } } +resource "aws_iam_policy" "cloudwatch_logging" { + name = "cloudwatch-logging-management" + description = "Allow access to logging resources" + path = "/service-policies/" + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "logs:ListTagsForResource", + "logs:DescribeLogGroups" + ], + Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*" + } + ] + }) + + tags = merge(local.tags, { Name = "cloudwatch-logging-management" }) +} + # Attach the policies to the role resource "aws_iam_role_policy_attachment" "terraform_state" { role = aws_iam_role.github_actions.name @@ -447,3 +471,8 @@ resource "aws_iam_role_policy_attachment" "iam_management" { role = aws_iam_role.github_actions.name policy_arn = aws_iam_policy.iam_management.arn } + +resource "aws_iam_role_policy_attachment" "cloudwatch_logging" { + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.cloudwatch_logging.arn +} diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf index 34946f165..a1305fdea 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf @@ -17,7 +17,7 @@ resource "aws_iam_openid_connect_provider" "github" { resource "aws_iam_role" "github_actions" { name = "github-actions-api-deployment-role" description = "Role for GitHub Actions to deploy infrastructure via Terraform" - permissions_boundary = aws_iam_policy.permissions_boundary.arn + permissions_boundary = aws_iam_policy.permissions_boundary.arn path = "/service-roles/" # Trust policy allowing GitHub Actions to assume the role 
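Review bot: In the new `cloudwatch_logging` policy, `logs:DescribeLogGroups` is scoped to the `log-group:/aws/kinesisfirehose/*` ARN alongside `logs:ListTagsForResource`; as far as I recall from the IAM Service Authorization Reference, `DescribeLogGroups` does not support resource-level permissions and must be granted with `Resource = "*"`, in which case this statement fails with AccessDenied at plan time — please confirm against the reference. If so, split the statement in two: one granting `logs:DescribeLogGroups` on `"*"` with a comment recording why, and one keeping `logs:ListTagsForResource` on the existing log-group ARN, which is resource-scoped. The `description = "Allow access to logging resources"` is broader than the grant; `description = "Allow GitHub Actions to read CloudWatch log groups created for Kinesis Firehose"` states what the policy actually permits.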
diff --git a/infrastructure/stacks/iams-developer-roles/terraform_developer_role.tf b/infrastructure/stacks/iams-developer-roles/terraform_developer_role.tf index 571da4c4d..33636b71d 100644 --- a/infrastructure/stacks/iams-developer-roles/terraform_developer_role.tf +++ b/infrastructure/stacks/iams-developer-roles/terraform_developer_role.tf @@ -1,9 +1,9 @@ resource "aws_iam_role" "terraform_developer" { - name = "terraform-developer-role" - description = "Role for developers to plan and apply Terraform changes" - assume_role_policy = data.aws_iam_policy_document.terraform_developer_assume_role.json - permissions_boundary = aws_iam_policy.permissions_boundary.arn # Attach permissions boundary - max_session_duration = 14400 # 4 hours + name = "terraform-developer-role" + description = "Role for developers to plan and apply Terraform changes" + assume_role_policy = data.aws_iam_policy_document.terraform_developer_assume_role.json + permissions_boundary = aws_iam_policy.permissions_boundary.arn # Attach permissions boundary + max_session_duration = 14400 # 4 hours tags = merge( local.tags, From 392d082ef9b1a9f2f2ef440953f69a77048b5524 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 02:02:55 +0100 Subject: [PATCH 4/9] testing --- .github/workflows/cicd-2-publish.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index bb77dd247..6674cceac 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -5,9 +5,8 @@ name: "CI/CD publish" on: - push: - branches: - - main + pull_request: + types: [opened, synchronize, reopened] concurrency: group: terraform-dev From d2ce5b3456cd0410b431064246326c7f0b2368a6 Mon Sep 17 00:00:00 2001 
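Review bot: Replacing `push: branches: [main]` with `pull_request: types: [opened, synchronize, reopened]` in `cicd-2-publish.yaml` makes the publish workflow run for any branch on every PR event, before review, and the patch 8 hunk in this series shows the same workflow runs `terraform apply` steps against the dev environment. Patch 7 reverts this commit, so the pair ("testing" and its revert) should be squashed out of the series before merge rather than left in history as a period in which an apply-on-PR trigger existed. If a PR-triggered run is wanted later, restrict it to `tf-command=plan` or to a job that requires an environment approval.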
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 03:03:50 +0100 Subject: [PATCH 5/9] firehose policy for github actions --- .../github_actions_policies.tf | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index dd5fe9b7f..40e10d905 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -436,6 +436,27 @@ resource "aws_iam_policy" "cloudwatch_logging" { tags = merge(local.tags, { Name = "cloudwatch-logging-management" }) } +resource "aws_iam_policy" "firehose_readonly" { + name = "firehose-describe-access" + description = "Allow GitHub Actions to describe Firehose delivery stream" + path = "/service-policies/" + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "firehose:DescribeDeliveryStream" + ], + Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*" + } + ] + }) + + tags = merge(local.tags, { Name = "firehose-describe-access" }) +} + # Attach the policies to the role resource "aws_iam_role_policy_attachment" "terraform_state" { role = aws_iam_role.github_actions.name @@ -476,3 +497,8 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_logging" { role = aws_iam_role.github_actions.name policy_arn = aws_iam_policy.cloudwatch_logging.arn } + +resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" { + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.firehose_readonly.arn +} From 61b160c42342bf731d8ababdd809be7a855e45d9 Mon Sep 17 00:00:00 2001 
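Review bot: The new attachment is named `"firehose_readonly_attach"` while the sibling attachments in this file reuse their policy's name (`cloudwatch_logging`, `iam_management`), so `resource "aws_iam_role_policy_attachment" "firehose_readonly"` would keep the convention. The `firehose_readonly` policy itself is fine as a read-only grant; its `deliverystream/eligibility-signposting-api*` resource is a prefix match, which is acceptable for describe-only actions but worth a one-line comment such as `# prefix match: covers every delivery stream of the API, including generated suffixes`. Patch 6 adds `firehose:ListTagsForDeliveryStream` to this same `Action` list immediately afterwards; consider folding it into this commit.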
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 03:17:38 +0100 Subject: [PATCH 6/9] firehose ListTagsForDeliveryStream policy for github actions --- .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 40e10d905..c0fd0ed43 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -447,7 +447,8 @@ resource "aws_iam_policy" "firehose_readonly" { { Effect = "Allow", Action = [ - "firehose:DescribeDeliveryStream" + "firehose:DescribeDeliveryStream", + "firehose:ListTagsForDeliveryStream" ], Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*" } From 3d8bba0af51fdc89774cdea43c3d75cf7e73872e Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 03:22:52 +0100 Subject: [PATCH 7/9] Revert "testing" This reverts commit 392d082ef9b1a9f2f2ef440953f69a77048b5524. --- .github/workflows/cicd-2-publish.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index 6674cceac..bb77dd247 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -5,8 +5,9 @@ name: "CI/CD publish" on: - pull_request: - types: [opened, synchronize, reopened] + push: + branches: + - main concurrency: group: terraform-dev From 550b5a64efbddfe8cdcc8127facbb7fe196a4f00 Mon Sep 17 00:00:00 2001 
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 03:29:31 +0100 Subject: [PATCH 8/9] developer roles run in dev env --- .github/workflows/cicd-2-publish.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index bb77dd247..b346b04bd 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -104,6 +104,8 @@ jobs: # just planning for now for safety and until review run: | mkdir -p ./build + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=iams-developer-roles tf-command=apply" + make terraform env=$ENVIRONMENT stack=iams-developer-roles tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" From 1321bf5a7ce12fcc1f25b92bf770710ae76f21b0 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Tue, 1 Jul 2025 09:18:06 +0100 Subject: [PATCH 9/9] added feature to git deploy by commitsha --- .github/workflows/cicd-4-test.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cicd-4-test.yaml b/.github/workflows/cicd-4-test.yaml index 1ada7d21c..45aca9d26 100644 --- a/.github/workflows/cicd-4-test.yaml +++ b/.github/workflows/cicd-4-test.yaml @@ -8,6 +8,9 @@ on: required: true type: choice options: [dev, test, preprod] + revision: + description: Git revision (commit SHA or tag) + required: false jobs: listS3: @@ -18,8 +21,10 @@ jobs: contents: read steps: - - name: Checkout + - name: Checkout code uses: actions/checkout@v4 + with: + ref: ${{ inputs.revision || 'main' }} - name: Set up Python uses: actions/setup-python@v5
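Review bot: `ref: ${{ inputs.revision || 'main' }}` changes the default checkout: when `revision` is left empty, the job previously checked out the ref the workflow was dispatched on, and now always checks out `main`, so a dispatch from a feature branch silently tests `main`. If that is not intended, use `ref: ${{ inputs.revision || github.ref }}`. The `revision` input is free text — any branch name is accepted, and a tag is mutable — so if the feature's purpose is a reproducible deploy by commit, say so in the input: `description: Git revision to check out (full commit SHA preferred; tags and branches can move). Empty = current ref.` and declare `type: string` as the sibling `environment` input declares its type.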