From ab02ddb11cdada61ad7134a3096106e57b4cc20c Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 16:54:33 +0100
Subject: [PATCH 01/28] firehose_kms_key_policy values
---
 infrastructure/modules/kinesis_firehose/kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 8ba36b987..009628401 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 test = "StringEquals"
 variable = "kms:EncryptionContext:aws:logs:arn"
 values = [
- "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit*"
 ]
 }
 }
From 5589e608510507f7526e75d2649f181cc6fa12d4 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 19:27:19 +0100
Subject: [PATCH 02/28] addded dependency for resources
---
 .github/workflows/manual-terraform-apply.yaml | 2 +-
 infrastructure/modules/api_gateway/api_gateway.tf | 2 ++
 .../kinesis_firehose/kinesis_firehose_delivery_stream.tf | 5 +++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index d81d2092e..463fa2eb8 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
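Review bot: The `*` appended to the log-group ARN in the new `values` entry is matched literally under `test = "StringEquals"`, so this condition cannot match a real log group and the CloudWatch Logs principal loses its access to the key; a wildcard needs `test = "StringLike"`, and an exact name needs no `*`. The same pair of settings is flipped back and forth in the kms.tf hunks of patches 04, 05 and 12; the final form in patch 12 (exact `StringEquals` match) is the tighter choice, but only works if the reconstructed string is exactly the log group the delivery stream writes to. Rather than rebuilding the name from `var.project_name` and `var.environment`, I would derive the value from the log group the module is already given, e.g. `values = ["arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${var.kinesis_cloud_watch_log_group_name}"]` (constructed; assumes that variable holds the group name, as patch 02 suggests), so the key policy cannot drift from the log group definition. firehose_kms_key_policy begins before this hunk.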
@@ -57,7 +57,7 @@ jobs:
 - name: "Terraform Plan Stacks"
 env:
 ENVIRONMENT: ${{ inputs.environment }}
- WORKSPACE: ${{ inputs.environment }}
+ WORKSPACE: "default"
 TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
 TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
 TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
diff --git a/infrastructure/modules/api_gateway/api_gateway.tf b/infrastructure/modules/api_gateway/api_gateway.tf
index 8bcf52e93..3e9c5571e 100644
--- a/infrastructure/modules/api_gateway/api_gateway.tf
+++ b/infrastructure/modules/api_gateway/api_gateway.tf
@@ -8,6 +8,8 @@ resource "aws_api_gateway_rest_api" "api_gateway" {
 create_before_destroy = true
 }
+ depends_on = [aws_kms_key_policy.api_gateway]
+
 tags = {
 Stack = var.stack_name
 }
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
index a0937d692..397469bcf 100644
--- a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
+++ b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -25,5 +25,10 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 key_type = "CUSTOMER_MANAGED_CMK"
 }
+ depends_on = [
+ aws_kms_key_policy.firehose_key_policy,
+ var.kinesis_cloud_watch_log_group_name
+ ]
+
 tags = var.tags
 }
From fe40d8faa8f2deca220045abe20848f4f88ac071 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 19:29:18 +0100
Subject: [PATCH 03/28] added dependency for resources
---
 .github/workflows/manual-terraform-apply.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index 463fa2eb8..2898b90ed 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
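Review bot: `var.kinesis_cloud_watch_log_group_name` in the new `depends_on` list of kinesis_firehose_delivery_stream.tf is an input variable, not a resource, and I believe Terraform rejects anything in `depends_on` that is not a whole resource, data source or module reference; even if it were accepted, a string value carries no dependency edge, so the intended ordering against the log group is not achieved. Reference the log group resource or the module that creates it instead, or let the caller express the dependency on the module block. In the workflow hunk, `WORKSPACE: "default"` is now fixed while `ENVIRONMENT` still comes from `inputs.environment`, so a manual run for another environment plans against the default workspace; if that is intended, a comment on that line saying so would stop the next reader "fixing" it. Both enclosing blocks continue outside their hunks.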
@@ -1,6 +1,8 @@
 name: Manual Terraform Apply
 on:
+ pull_request:
+ types: [ opened, synchronize, reopened ]
 workflow_dispatch:
 inputs:
 environment:
From 9b3988ebad5b8c6c369cc1083cd7dfbba5fe889f Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 19:42:24 +0100
Subject: [PATCH 04/28] policy log group
---
 infrastructure/modules/kinesis_firehose/kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 009628401..5d4fc2d86 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 test = "StringEquals"
 variable = "kms:EncryptionContext:aws:logs:arn"
 values = [
- "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit*"
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
 ]
 }
 }
From 4aebc6264438aed915b5d9be50ac4370775a9176 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 19:49:42 +0100
Subject: [PATCH 05/28] add more actions
---
 infrastructure/modules/kinesis_firehose/kms.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 5d4fc2d86..8888a322d 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
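Review bot: Adding a `pull_request` trigger to a workflow titled "Manual Terraform Apply" means every opened or updated pull request runs whatever apply steps the workflow contains, with the repository secrets seen in the previous hunk (`TF_VAR_API_*`) and without anyone choosing to deploy; if the goal is only to plan on pull requests, move the plan into its own workflow or gate the apply job with `if: github.event_name == 'workflow_dispatch'`. `inputs.environment` is also empty on `pull_request` events, so `ENVIRONMENT` resolves to an empty string on that path. The jobs section is outside this hunk, so I cannot see which steps actually apply.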
@@ -85,11 +85,12 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 "kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
- "kms:DescribeKey"
+ "kms:DescribeKey",
+ "kms:CreateGrant"
 ]
 resources = [aws_kms_key.firehose_cmk.arn]
 condition {
- test = "StringEquals"
+ test = "StringLike"
 variable = "kms:EncryptionContext:aws:logs:arn"
 values = [
 "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
From bf023886abd2dbf3596908665ffebeaaa125b7ef Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 19:53:45 +0100
Subject: [PATCH 06/28] add more actions
---
 infrastructure/modules/api_gateway/cloudwatch.tf | 2 ++
 infrastructure/modules/api_gateway/kms.tf | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index 272a1c465..1f244883f 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -7,4 +7,6 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 lifecycle {
 prevent_destroy = false
 }
+
+ depends_on = [aws_kms_key_policy.api_gateway]
 }
diff --git a/infrastructure/modules/api_gateway/kms.tf b/infrastructure/modules/api_gateway/kms.tf
index 4994b9b40..8506fd9c8 100644
--- a/infrastructure/modules/api_gateway/kms.tf
+++ b/infrastructure/modules/api_gateway/kms.tf
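Review bot: `kms:CreateGrant` is granted to the CloudWatch Logs service principal without the usual `kms:GrantIsForAWSResource` guard, so the principal may create grants of any kind on the key; if grants are really required here, add a second condition block `test = "Bool"`, `variable = "kms:GrantIsForAWSResource"`, `values = ["true"]`, and if not, drop the action, since as far as I recall the documented Logs key policy needs only the Encrypt/Decrypt/ReEncrypt/GenerateDataKey/Describe set already present. The api_gateway kms.tf hunk in patch 06 adds the same unguarded `kms:CreateGrant` and the same fix applies there. The `StringLike` switch in this hunk is what the `*` in the ARN needs; patch 12 later reverts it to `StringEquals` with an exact name, which is fine provided the name is right. The statement begins before this hunk.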
@@ -23,17 +23,17 @@ data "aws_iam_policy_document" "api_gateway" {
 sid = "Enable IAM User Permissions for ${var.api_gateway_name} API Gateway"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = [aws_kms_key.api_gateway.arn]
 }
 statement {
 sid = "APIGatewayCloudwatchKMSAccess"
 effect = "Allow"
 principals {
- type = "Service"
+ type = "Service"
 identifiers = ["logs.${var.region}.amazonaws.com"]
 }
 actions = [
@@ -41,8 +41,16 @@ data "aws_iam_policy_document" "api_gateway" {
 "kms:Decrypt*",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
- "kms:Describe*"
+ "kms:Describe*",
+ "kms:CreateGrant"
 ]
 resources = [aws_kms_key.api_gateway.arn]
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
+ ]
+ }
 }
 }
From d8562655ba63a9564376c85768b87759ddf58457 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 20:07:56 +0100
Subject: [PATCH 07/28] add more actions
---
 infrastructure/modules/api_gateway/iam.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf
index c59937a70..b7b92867d 100644
--- a/infrastructure/modules/api_gateway/iam.tf
+++ b/infrastructure/modules/api_gateway/iam.tf
@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "api_gateway_logging" {
 "logs:DescribeLogGroups",
 "logs:DescribeLogStreams",
 "logs:GetLogEvents",
- "logs:FilterLogEvents"
+ "logs:FilterLogEvents",
+ "logs:PutRetentionPolicy"
 ]
 resources = ["*"]
 }
From a9eea909eeeca6019ad50466cb25f14c70c26fbf Mon Sep 17 00:00:00 2001
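Review bot: `logs:PutRetentionPolicy` is a write action and it lands in a statement with `resources = ["*"]`, so the API Gateway logging role can change the retention of every log group in the account; the read actions may genuinely need `*` (the existing CKV_AWS_356 skip says so), but the retention write can be given its own statement scoped to the gateway's groups, e.g. `resources = ["arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"]` (constructed from the ARN pattern this module's kms.tf uses). Patch 13 later suppresses CKV_AWS_111 on this document instead of scoping the action. api_gateway_logging starts before the hunk.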
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 20:17:36 +0100
Subject: [PATCH 08/28] firehose actions
---
 .../stacks/api-layer/iam_policies.tf | 38 ++++++++++---------
 1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 09cfcf6fc..481516c4f 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -1,7 +1,7 @@
 # Read-only policy for DynamoDB
 data "aws_iam_policy_document" "dynamodb_read_policy_doc" {
 statement {
- actions = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]
+ actions = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]
 resources = [module.eligibility_status_table.arn]
 }
 }
@@ -16,14 +16,14 @@ resource "aws_iam_role_policy" "lambda_dynamodb_read_policy" {
 # Write-only policy for DynamoDB
 data "aws_iam_policy_document" "dynamodb_write_policy_doc" {
 statement {
- actions = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"]
+ actions = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"]
 resources = [module.eligibility_status_table.arn]
 }
 }
 # Attach dynamoDB write policy to external write role
 resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
- count = length(aws_iam_role.write_access_role)
+ count = length(aws_iam_role.write_access_role)
 name = "DynamoDBWriteAccess"
 role = aws_iam_role.write_access_role[count.index].id
 policy = data.aws_iam_policy_document.dynamodb_write_policy_doc.json
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
 ]
 condition {
 test = "Bool"
- values = ["true"]
+ values = ["true"]
 variable = "aws:SecureTransport"
 }
 }
@@ -106,7 +106,7 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
 statement {
- sid = "AllowSSLRequestsOnly"
+ sid = "AllowSSLRequestsOnly"
 actions = ["s3:*"]
 resources = [
 module.s3_audit_bucket.storage_bucket_arn,
@@ -114,7 +114,7 @@ data "aws_iam_policy_document" "s3_audit_bucket_policy" {
 ]
 condition {
 test = "Bool"
- values = ["true"]
+ values = ["true"]
 variable = "aws:SecureTransport"
 }
 }
@@ -136,10 +136,10 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
@@ -147,7 +147,7 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
 sid = "AllowLambdaDecrypt"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn]
 }
 actions = [
@@ -174,10 +174,10 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
@@ -185,10 +185,10 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 sid = "AllowLambdaDecrypt"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn]
 }
- actions = ["kms:Decrypt"]
+ actions = ["kms:Decrypt"]
 resources = ["*"]
 }
 }
@@ -207,10 +207,10 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
@@ -218,7 +218,7 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
 sid = "AllowLambdaFullWrite"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn, aws_iam_role.eligibility_audit_firehose_role.arn]
 }
 actions = [
@@ -241,8 +241,12 @@ data "aws_iam_policy_document" "lambda_firehose_write_policy" {
 sid = "AllowLambdaToPutToFirehose"
 effect = "Allow"
 actions = [
+ "firehose:StartDeliveryStreamEncryption",
+ "firehose:StopDeliveryStreamEncryption",
 "firehose:PutRecord",
- "firehose:PutRecordBatch"
+ "firehose:PutRecordBatch",
+ "firehose:DescribeDeliveryStream",
+ "firehose:ListDeliveryStreams"
 ]
 resources = [
 "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}"
From 098cae49e8ca9ae3bb7315858352e3de35c64a4b Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 20:30:18 +0100
Subject: [PATCH 09/28] versioning s3
---
 infrastructure/modules/s3/s3.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index 0bd678d15..57fd77536 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -10,7 +10,7 @@ resource "aws_s3_bucket" "storage_bucket" {
 resource "aws_s3_bucket_versioning" "storage_bucket_versioning_config" {
 bucket = aws_s3_bucket.storage_bucket.id
 versioning_configuration {
- status = "Enabled"
+ status = "Suspended"
 }
 }
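Review bot: `firehose:StartDeliveryStreamEncryption` and `firehose:StopDeliveryStreamEncryption` are added to the Lambda's `AllowLambdaToPutToFirehose` statement, but a producer that only needs `PutRecord`/`PutRecordBatch` should not be able to switch server-side encryption off on the audit stream; keep this statement to the Put actions (plus `DescribeDeliveryStream` if the function calls it) and leave encryption control with the deployment role. `firehose:ListDeliveryStreams` does not, as far as I know, support resource-level restriction, so listing it against a stream ARN grants nothing and it would need its own `Resource = "*"` statement if it is really required. Patch 11 adds the same two encryption actions to the policy named `firehose_readonly`, whose name then no longer describes its contents. The rest of this policy document is outside the hunk.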
From 963b54835f5234d5b6311f981a5a138e27c88e61 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 20:34:10 +0100
Subject: [PATCH 10/28] Revert "versioning s3"
This reverts commit 098cae49e8ca9ae3bb7315858352e3de35c64a4b.
---
 infrastructure/modules/s3/s3.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index 57fd77536..0bd678d15 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -10,7 +10,7 @@ resource "aws_s3_bucket" "storage_bucket" {
 resource "aws_s3_bucket_versioning" "storage_bucket_versioning_config" {
 bucket = aws_s3_bucket.storage_bucket.id
 versioning_configuration {
- status = "Suspended"
+ status = "Enabled"
 }
 }
From 317793662226085bae071e5ebeb2688ad8a9d701 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 21:34:35 +0100
Subject: [PATCH 11/28] github actions
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 6ea409dad..2cf94cf87 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -456,7 +456,9 @@ resource "aws_iam_policy" "firehose_readonly" {
 "firehose:PutRecordBatch",
 "firehose:TagDeliveryStream",
 "firehose:ListTagsForDeliveryStream",
- "firehose:UntagDeliveryStream"
+ "firehose:UntagDeliveryStream",
+ "firehose:StartDeliveryStreamEncryption",
+ "firehose:StopDeliveryStreamEncryption"
 ]
 Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
 }
From 15f90e0d408c4d237664e8706253c9232b5c6e21 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 21:49:31 +0100
Subject: [PATCH 12/28] checkov issue
---
 infrastructure/modules/kinesis_firehose/kms.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 8888a322d..43824c81f 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -90,10 +90,10 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 ]
 resources = [aws_kms_key.firehose_cmk.arn]
 condition {
- test = "StringLike"
+ test = "StringEquals"
 variable = "kms:EncryptionContext:aws:logs:arn"
 values = [
- "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
 ]
 }
 }
From b3185c3c1c4307dde4e030c360930cbd9afc5d08 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 21:58:25 +0100
Subject: [PATCH 13/28] checkov issue
---
 infrastructure/modules/api_gateway/iam.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf
index b7b92867d..e0b80749e 100644
--- a/infrastructure/modules/api_gateway/iam.tf
+++ b/infrastructure/modules/api_gateway/iam.tf
@@ -16,6 +16,7 @@ resource "aws_iam_role" "api_gateway" {
 data "aws_iam_policy_document" "api_gateway_logging" {
 #checkov:skip=CKV_AWS_356: Wildcard permissions needed for global log event reads
+ #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
 statement {
 sid = "AllowCreateLogGroup"
 effect = "Allow"
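Review bot: The new `#checkov:skip=CKV_AWS_111` line uses the check's own title as its justification, so it records that the finding was silenced but not why unconstrained write access is acceptable for this role; the text after the colon should state the reason, e.g. `#checkov:skip=CKV_AWS_111: <why logs:PutRetentionPolicy must apply to all log groups>` (placeholder), or better, scope that write action to the gateway's log groups and drop the skip. The existing CKV_AWS_356 skip above it is a good model, since it names the actions that need the wildcard. The kms.tf hunk of patch 12 above settles on an exact `StringEquals` match, which is the right direction as long as the string is the delivery stream's actual log group name.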
From 57596607729e69c79c2c90a40a04b05d7ffd16a4 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 23:02:30 +0100
Subject: [PATCH 14/28] trust store
---
 .../stacks/api-layer/truststore_s3_bucket.tf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index d78ad6f9c..f68451262 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -7,11 +7,6 @@ module "s3_truststore_bucket" {
 workspace = terraform.workspace
 }
-resource "aws_s3_bucket_policy" "truststore" {
- bucket = module.s3_truststore_bucket.storage_bucket_id
- policy = data.aws_iam_policy_document.truststore_api_gateway.json
-}
-
 data "aws_iam_policy_document" "truststore_api_gateway" {
 statement {
 sid = "Enable S3 access permissions for API Gateway"
@@ -31,9 +26,16 @@ data "aws_iam_policy_document" "truststore_api_gateway" {
 }
 resource "aws_s3_object" "pem_file" {
- bucket = module.s3_truststore_bucket.storage_bucket_name
+ bucket = module.s3_truststore_bucket.storage_bucket_id
 key = "truststore.pem"
 content = local.pem_file_content
 acl = "private"
 }
+
+resource "aws_s3_bucket_policy" "truststore" {
+ bucket = module.s3_truststore_bucket.storage_bucket_id
+ policy = data.aws_iam_policy_document.truststore_api_gateway.json
+
+ depends_on = [aws_s3_object.pem_file]
+}
From cc82530ae58cd9a2db1fbfbe74a5bd5e8c9a4bd6 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 23:12:01 +0100
Subject: [PATCH 15/28] Revert "trust store"
This reverts commit 57596607729e69c79c2c90a40a04b05d7ffd16a4.
---
 .../stacks/api-layer/truststore_s3_bucket.tf | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index f68451262..d78ad6f9c 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -7,6 +7,11 @@ module "s3_truststore_bucket" {
 workspace = terraform.workspace
 }
+resource "aws_s3_bucket_policy" "truststore" {
+ bucket = module.s3_truststore_bucket.storage_bucket_id
+ policy = data.aws_iam_policy_document.truststore_api_gateway.json
+}
+
 data "aws_iam_policy_document" "truststore_api_gateway" {
 statement {
 sid = "Enable S3 access permissions for API Gateway"
@@ -26,16 +31,9 @@ data "aws_iam_policy_document" "truststore_api_gateway" {
 }
 resource "aws_s3_object" "pem_file" {
- bucket = module.s3_truststore_bucket.storage_bucket_id
+ bucket = module.s3_truststore_bucket.storage_bucket_name
 key = "truststore.pem"
 content = local.pem_file_content
 acl = "private"
 }
-
-resource "aws_s3_bucket_policy" "truststore" {
- bucket = module.s3_truststore_bucket.storage_bucket_id
- policy = data.aws_iam_policy_document.truststore_api_gateway.json
-
- depends_on = [aws_s3_object.pem_file]
-}
From abec4e124c83626f1faa5a09f05b8aee9f5caf90 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 23:39:34 +0100
Subject: [PATCH 16/28] trust store dependency
---
 infrastructure/modules/s3/outputs.tf | 4 ++++
 infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/s3/outputs.tf b/infrastructure/modules/s3/outputs.tf
index 407876513..dc2636e21 100644
--- a/infrastructure/modules/s3/outputs.tf
+++ b/infrastructure/modules/s3/outputs.tf
@@ -21,3 +21,7 @@ output "storage_bucket_id" {
 output "storage_bucket_kms_key_arn" {
 value = aws_kms_key.storage_bucket_cmk.arn
 }
+
+output "storage_bucket_versioning_config" {
+ value = aws_s3_bucket_versioning.storage_bucket_versioning_config
+}
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index d78ad6f9c..a4fd9a978 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -34,6 +34,7 @@ resource "aws_s3_object" "pem_file" {
 bucket = module.s3_truststore_bucket.storage_bucket_name
 key = "truststore.pem"
 content = local.pem_file_content
+ acl = "private"
- acl = "private"
+ depends_on = [module.s3_truststore_bucket.storage_bucket_versioning_config]
 }
From 6bedeeff0f8031ce36fa45379388a624b6b8914a Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 00:18:54 +0100
Subject: [PATCH 17/28] decrypt to apigateway
---
 infrastructure/modules/api_gateway/kms.tf | 18 ++++++++++++++++++
 .../modules/api_gateway/variables.tf | 6 ++++++
 infrastructure/stacks/api-layer/api_gateway.tf | 1 +
 3 files changed, 25 insertions(+)
diff --git a/infrastructure/modules/api_gateway/kms.tf b/infrastructure/modules/api_gateway/kms.tf
index 8506fd9c8..d1567f70a 100644
--- a/infrastructure/modules/api_gateway/kms.tf
+++ b/infrastructure/modules/api_gateway/kms.tf
@@ -53,4 +53,22 @@ data "aws_iam_policy_document" "api_gateway" {
 ]
 }
 }
+
+ statement {
+ sid = "APIGatewayS3TruststoreDecrypt"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["apigateway.amazonaws.com"]
+ }
+ actions = ["kms:Decrypt"]
+ resources = [aws_kms_key.api_gateway.arn]
+ condition {
+ test = "StringEquals"
+ variable = "kms:EncryptionContext:aws:s3:arn"
+ values = [
+ "${var.trust_store_pem_arn}/truststore.pem"
+ ]
+ }
+ }
 }
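Review bot: `depends_on = [module.s3_truststore_bucket.storage_bucket_versioning_config]` in the pem_file hunk references an output attribute, and I believe Terraform rejects that form ("References in depends_on must be to a whole object"); the working spelling is `depends_on = [module.s3_truststore_bucket]`, which orders the object upload after everything in the module, versioning included. That also removes the need for the new `storage_bucket_versioning_config` output, which exposes a whole resource object from the module purely to carry a dependency. If the narrower ordering really matters, a comment on the `depends_on` line saying it exists to wait for versioning would save the next reader from removing it. The pem_file resource block begins before the hunk.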
diff --git a/infrastructure/modules/api_gateway/variables.tf b/infrastructure/modules/api_gateway/variables.tf
index a871aa488..d75237e76 100644
--- a/infrastructure/modules/api_gateway/variables.tf
+++ b/infrastructure/modules/api_gateway/variables.tf
@@ -7,3 +7,9 @@ variable "disable_default_endpoint" {
 type = bool
 description = "Indicates whether the default endpoint the API Gateway generates should be disabled. If true, the API will need to be called from a Custom Domain Name"
 }
+
+variable "trust_store_pem_arn" {
+ type = string
+ description = "the trust store pem arn, for providing decrypt permission ot api gateway"
+
+}
diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf
index 285d2d089..22c6d1f2d 100644
--- a/infrastructure/stacks/api-layer/api_gateway.tf
+++ b/infrastructure/stacks/api-layer/api_gateway.tf
@@ -2,6 +2,7 @@ module "eligibility_signposting_api_gateway" {
 source = "../../modules/api_gateway"
 api_gateway_name = "eligibility-signposting-api"
 disable_default_endpoint = var.environment == "dev" && local.workspace != "default" ? false : true
+ trust_store_pem_arn = module.s3_truststore_bucket.storage_bucket_arn
 workspace = local.workspace
 stack_name = local.stack_name
 environment = var.environment
From 3e2e40c23ad76c46ae2f4fae5f4f946e7d00083b Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 00:44:39 +0100
Subject: [PATCH 18/28] decrypt to apigateway
---
 infrastructure/modules/api_gateway/kms.tf | 18 -----------
 .../modules/api_gateway/variables.tf | 6 ----
 infrastructure/modules/s3/outputs.tf | 4 +++
 .../stacks/api-layer/api_gateway.tf | 1 -
 .../stacks/api-layer/truststore_s3_bucket.tf | 32 ++++++++++++++++++-
 5 files changed, 35 insertions(+), 26 deletions(-)
diff --git a/infrastructure/modules/api_gateway/kms.tf b/infrastructure/modules/api_gateway/kms.tf
index d1567f70a..8506fd9c8 100644
--- a/infrastructure/modules/api_gateway/kms.tf
+++ b/infrastructure/modules/api_gateway/kms.tf
@@ -53,22 +53,4 @@ data "aws_iam_policy_document" "api_gateway" {
 ]
 }
 }
-
- statement {
- sid = "APIGatewayS3TruststoreDecrypt"
- effect = "Allow"
- principals {
- type = "Service"
- identifiers = ["apigateway.amazonaws.com"]
- }
- actions = ["kms:Decrypt"]
- resources = [aws_kms_key.api_gateway.arn]
- condition {
- test = "StringEquals"
- variable = "kms:EncryptionContext:aws:s3:arn"
- values = [
- "${var.trust_store_pem_arn}/truststore.pem"
- ]
- }
- }
 }
diff --git a/infrastructure/modules/api_gateway/variables.tf b/infrastructure/modules/api_gateway/variables.tf
index d75237e76..a871aa488 100644
--- a/infrastructure/modules/api_gateway/variables.tf
+++ b/infrastructure/modules/api_gateway/variables.tf
@@ -7,9 +7,3 @@ variable "disable_default_endpoint" {
 type = bool
 description = "Indicates whether the default endpoint the API Gateway generates should be disabled. If true, the API will need to be called from a Custom Domain Name"
 }
-
-variable "trust_store_pem_arn" {
- type = string
- description = "the trust store pem arn, for providing decrypt permission ot api gateway"
-
-}
diff --git a/infrastructure/modules/s3/outputs.tf b/infrastructure/modules/s3/outputs.tf
index dc2636e21..62de5bf85 100644
--- a/infrastructure/modules/s3/outputs.tf
+++ b/infrastructure/modules/s3/outputs.tf
@@ -18,6 +18,10 @@ output "storage_bucket_id" {
 value = aws_s3_bucket.storage_bucket.id
 }
+output "storage_bucket_kms_key_id" {
+ value = aws_kms_key.storage_bucket_cmk.id
+}
+
 output "storage_bucket_kms_key_arn" {
 value = aws_kms_key.storage_bucket_cmk.arn
 }
diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf
index 22c6d1f2d..285d2d089 100644
--- a/infrastructure/stacks/api-layer/api_gateway.tf
+++ b/infrastructure/stacks/api-layer/api_gateway.tf
@@ -2,7 +2,6 @@ module "eligibility_signposting_api_gateway" { source = "../../modules/api_gateway" api_gateway_name = "eligibility-signposting-api" disable_default_endpoint = var.environment == "dev" && local.workspace != "default" ? false : true - trust_store_pem_arn = module.s3_truststore_bucket.storage_bucket_arn workspace = local.workspace stack_name = local.stack_name environment = var.environment diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index a4fd9a978..fb41955c5 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -18,7 +18,7 @@ data "aws_iam_policy_document" "truststore_api_gateway" { effect = "Allow" principals { - type = "Service" + type = "Service" identifiers = ["apigateway.amazonaws.com"] } @@ -38,3 +38,33 @@ resource "aws_s3_object" "pem_file" { depends_on = [module.s3_truststore_bucket.storage_bucket_versioning_config] } + + +resource "aws_kms_key_policy" "storage_bucket_cmk" { + key_id = module.s3_truststore_bucket.storage_bucket_id + policy = data.aws_iam_policy_document.trust_store_kms_policy.json +} + +data "aws_iam_policy_document" "trust_store_kms_policy" { + statement { + sid = "APIGatewayS3TruststoreDecrypt" + effect = "Allow" + principals { + type = "Service" + identifiers = [ + "apigateway.amazonaws.com", + "apigateway.${var.default_aws_region}.amazonaws.com" + ] + } + actions = ["kms:Decrypt"] + resources = [module.eligibility_signposting_api_gateway.kms_key_arn] + condition { + test = "StringEquals" + variable = "kms:EncryptionContext:aws:s3:arn" + values = [ + "${module.s3_truststore_bucket.storage_bucket_arn}/truststore.pem" + ] + } + } +} + From ece7ad8e2aeab86ea656e30df530f5f1630098a7 Mon Sep 17 00:00:00 2001 
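Review bot: `aws_kms_key_policy.storage_bucket_cmk` replaces the entire policy on the truststore CMK, yet the document added here holds only the API Gateway decrypt statement and no key-administration principal, and `key_id` is fed `storage_bucket_id` rather than a KMS key id; as written the apply is likely to be rejected by the KMS lockout safety check, and patches 19 and 20 later correct both points, so squashing would avoid an intermediate commit that does not apply. The `resources` entry names `module.eligibility_signposting_api_gateway.kms_key_arn`, which is a different key from the one this policy is attached to; in a key policy the resource is the key itself, written `"*"`, as patch 22 later does. If the s3 module's `aws_kms_key.storage_bucket_cmk` also sets its own `policy` argument, two resources would now manage the same key policy and overwrite each other on every apply; worth confirming the module leaves `policy` unset. A short comment on the resource would help the next reader, e.g. `# Key policy for the truststore CMK is managed here (not in the s3 module) because API Gateway must be granted kms:Decrypt on it.`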
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 00:52:55 +0100 Subject: [PATCH 19/28] decrypt to apigateway --- infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index fb41955c5..ddb6fffa3 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -41,7 +41,7 @@ resource "aws_s3_object" "pem_file" { resource "aws_kms_key_policy" "storage_bucket_cmk" { - key_id = module.s3_truststore_bucket.storage_bucket_id + key_id = module.s3_truststore_bucket.storage_bucket_kms_key_id policy = data.aws_iam_policy_document.trust_store_kms_policy.json } From 26238802ca7fc609230043c95f37801a42af6e05 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 01:01:42 +0100 Subject: [PATCH 20/28] trust store root access --- .../stacks/api-layer/truststore_s3_bucket.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index ddb6fffa3..fb9aa9eee 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -46,6 +46,23 @@ resource "aws_kms_key_policy" "storage_bucket_cmk" { } data "aws_iam_policy_document" "trust_store_kms_policy" { + # 1. Retain admin control + statement { + sid = "AllowRootAccountFullAccess" + effect = "Allow" + + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" + ] + } + + actions = ["kms:*"] + resources = ["*"] + } + + # 2. Allow API Gateway to decrypt truststore statement { sid = "APIGatewayS3TruststoreDecrypt" effect = "Allow" 
From bdd1a882a6342904600faf65cc0b856f040a6257 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 01:03:49 +0100 Subject: [PATCH 21/28] checkov --- infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index fb9aa9eee..5ac9a21c8 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -46,7 +46,9 @@ resource "aws_kms_key_policy" "storage_bucket_cmk" { } data "aws_iam_policy_document" "trust_store_kms_policy" { - # 1. Retain admin control + #checkov:skip=CKV_AWS_111: Root user needs full KMS key management + #checkov:skip=CKV_AWS_356: Root user needs full KMS key management + #checkov:skip=CKV_AWS_109: Root user needs full KMS key management statement { sid = "AllowRootAccountFullAccess" effect = "Allow" From bc6980e6e256e0273a87ee5fbd467e26475eafb4 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 01:10:40 +0100 Subject: [PATCH 22/28] fix --- infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index 5ac9a21c8..5be872ed8 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -76,7 +76,7 @@ data "aws_iam_policy_document" "trust_store_kms_policy" { ] } actions = ["kms:Decrypt"] - resources = [module.eligibility_signposting_api_gateway.kms_key_arn] + resources = ["*"] condition { test = "StringEquals" variable = "kms:EncryptionContext:aws:s3:arn" From 152cd4a4e6395300e2ceb0cf54fb701dfa82e6df Mon Sep 17 00:00:00 2001 
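Review bot: The three `#checkov:skip` lines are attached to the `trust_store_kms_policy` data source, so they suppress CKV_AWS_111, CKV_AWS_356 and CKV_AWS_109 for every statement in the document, not only the root statement the justification describes; once patch 22 widens the API Gateway statement to `resources = ["*"]` and patch 24 drops its condition, that second statement is silenced as well. Checkov evaluates the skip per resource, so the scope cannot be narrowed to one statement; the practical fix is to keep the API Gateway statement tightly conditioned so the justification remains true, and to say so in it, e.g. `#checkov:skip=CKV_AWS_356: Key policies must use resources "*"; root retains key management, the API Gateway grant is scoped by condition`.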
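Review bot: `resources = ["*"]` is the correct form for a key policy (the previous value named the API Gateway module's key, which this policy is not attached to), but it means the only thing scoping the `APIGatewayS3TruststoreDecrypt` grant is the `condition` block, and patch 24 then deletes that block, leaving the `apigateway.amazonaws.com` service principal with unconditional `kms:Decrypt` on the truststore CMK. The removal reads as a reaction to the apply failing rather than a deliberate widening; one plausible cause is that the object-ARN encryption context does not match when the bucket uses S3 Bucket Keys, since S3 then passes the bucket ARN as `aws:s3:arn`, which is covered by listing both values. I would restore a condition that limits the grant to KMS calls made via S3 in this region and to this bucket's encryption context, and verify in dev that the domain name still provisions. The enclosing `data` block continues outside the hunk.
```hcl
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    # Only S3, serving this bucket's truststore object, should decrypt with this key on API Gateway's behalf.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${var.default_aws_region}.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values = [
        module.s3_truststore_bucket.storage_bucket_arn,
        "${module.s3_truststore_bucket.storage_bucket_arn}/truststore.pem"
      ]
    }
```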
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 01:26:39 +0100 Subject: [PATCH 23/28] timeout --- .github/workflows/manual-terraform-apply.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml index 2898b90ed..3b7c03fd9 100644 --- a/.github/workflows/manual-terraform-apply.yaml +++ b/.github/workflows/manual-terraform-apply.yaml @@ -12,13 +12,13 @@ on: options: [dev, test, preprod] jobs: - plan-stacks: + apply-stacks: runs-on: ubuntu-latest environment: ${{ inputs.environment }} permissions: id-token: write contents: read - + timeout-minutes: 30 steps: - name: "Setup Terraform" uses: hashicorp/setup-terraform@v3 From 09cac20f82b075c7fe3e58203953715557552ae6 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 01:38:44 +0100 Subject: [PATCH 24/28] timeout --- infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index 5be872ed8..9a8212c4d 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -77,13 +77,6 @@ data "aws_iam_policy_document" "trust_store_kms_policy" { } actions = ["kms:Decrypt"] resources = ["*"] - condition { - test = "StringEquals" - variable = "kms:EncryptionContext:aws:s3:arn" - values = [ - "${module.s3_truststore_bucket.storage_bucket_arn}/truststore.pem" - ] - } } } From a92c3d01224e9f9d83c6d1b1295a1ba6b9a1a432 Mon Sep 17 00:00:00 2001 
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 09:18:37 +0100 Subject: [PATCH 25/28] pem file --- .../stacks/api-layer/truststore_s3_bucket.tf | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index 9a8212c4d..f0f6ce056 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -31,10 +31,11 @@ data "aws_iam_policy_document" "truststore_api_gateway" { } resource "aws_s3_object" "pem_file" { - bucket = module.s3_truststore_bucket.storage_bucket_name - key = "truststore.pem" - content = local.pem_file_content - acl = "private" + bucket = module.s3_truststore_bucket.storage_bucket_name + key = "truststore.pem" + content = local.pem_file_content + acl = "private" + kms_key_id = module.s3_truststore_bucket.storage_bucket_kms_key_id depends_on = [module.s3_truststore_bucket.storage_bucket_versioning_config] } @@ -50,17 +51,17 @@ data "aws_iam_policy_document" "trust_store_kms_policy" { #checkov:skip=CKV_AWS_356: Root user needs full KMS key management #checkov:skip=CKV_AWS_109: Root user needs full KMS key management statement { - sid = "AllowRootAccountFullAccess" + sid = "AllowRootAccountFullAccess" effect = "Allow" principals { - type = "AWS" + type = "AWS" identifiers = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" ] } - actions = ["kms:*"] + actions = ["kms:*"] resources = ["*"] } From 88c288ba3dcfe92f08d9a589ef772ddf04810f0a Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 09:59:01 +0100 Subject: [PATCH 26/28] resource pem file fix --- infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index f0f6ce056..4e6bc5ccf 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf @@ -35,7 +35,7 @@ resource "aws_s3_object" "pem_file" { key = "truststore.pem" content = local.pem_file_content acl = "private" - kms_key_id = module.s3_truststore_bucket.storage_bucket_kms_key_id + kms_key_id = module.s3_truststore_bucket.storage_bucket_kms_key_arn depends_on = [module.s3_truststore_bucket.storage_bucket_versioning_config] } From d5a4f1314a11b04172b6500af9bd5d2daa834227 Mon Sep 17 00:00:00 2001 From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 10:34:29 +0100 Subject: [PATCH 27/28] test --- infrastructure/stacks/api-layer/api_gateway.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf index 285d2d089..004497780 100644 --- a/infrastructure/stacks/api-layer/api_gateway.tf +++ b/infrastructure/stacks/api-layer/api_gateway.tf @@ -85,10 +85,10 @@ resource "aws_api_gateway_domain_name" "check_eligibility" { regional_certificate_arn = data.aws_acm_certificate.imported_cert.arn ownership_verification_certificate_arn = data.aws_acm_certificate.validation_cert.arn - mutual_tls_authentication { - truststore_uri = "s3://${module.s3_truststore_bucket.storage_bucket_name}/truststore.pem" - truststore_version = aws_s3_object.pem_file.version_id - } + # mutual_tls_authentication { + # truststore_uri = "s3://${module.s3_truststore_bucket.storage_bucket_name}/truststore.pem" + # truststore_version = aws_s3_object.pem_file.version_id + # } security_policy = "TLS_1_2" From 075ebaf6fd6d488fa64dfd733d2572f930cac94e Mon Sep 17 00:00:00 2001 
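Review bot: Commenting out `mutual_tls_authentication` on `aws_api_gateway_domain_name.check_eligibility` would, if applied, remove the client-certificate requirement from the custom domain while the listener stays up; patch 28 reverts it, but a test toggle like this should not reach a shared branch, and if the block has to be switchable for debugging a `dynamic "mutual_tls_authentication"` driven by a variable that defaults to enabled keeps the intent explicit. Read together with the "timeout" patches, the underlying problem looks like ordering rather than mTLS itself: `aws_s3_object.pem_file` waits only on the bucket versioning config, so nothing makes the domain name wait for `aws_kms_key_policy.storage_bucket_cmk`, and API Gateway can be asked to read a KMS-encrypted truststore before the key policy grants it `kms:Decrypt`; adding `depends_on = [aws_kms_key_policy.storage_bucket_cmk]` to the domain name (or to `pem_file`) would make that order explicit. The enclosing resource block starts and ends outside the hunk.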
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com> Date: Wed, 2 Jul 2025 11:11:57 +0100 Subject: [PATCH 28/28] Revert "test" This reverts commit d5a4f1314a11b04172b6500af9bd5d2daa834227. --- infrastructure/stacks/api-layer/api_gateway.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf index 004497780..285d2d089 100644 --- a/infrastructure/stacks/api-layer/api_gateway.tf +++ b/infrastructure/stacks/api-layer/api_gateway.tf @@ -85,10 +85,10 @@ resource "aws_api_gateway_domain_name" "check_eligibility" { regional_certificate_arn = data.aws_acm_certificate.imported_cert.arn ownership_verification_certificate_arn = data.aws_acm_certificate.validation_cert.arn - # mutual_tls_authentication { - # truststore_uri = "s3://${module.s3_truststore_bucket.storage_bucket_name}/truststore.pem" - # truststore_version = aws_s3_object.pem_file.version_id - # } + mutual_tls_authentication { + truststore_uri = "s3://${module.s3_truststore_bucket.storage_bucket_name}/truststore.pem" + truststore_version = aws_s3_object.pem_file.version_id + } security_policy = "TLS_1_2"