From c1dc9c4dfd6405ffb34a2b168716232af3038ca5 Mon Sep 17 00:00:00 2001
From: Robert
Date: Thu, 17 Jul 2025 16:54:56 +0100
Subject: [PATCH 1/6] Added xray permissions policy for lambda
---
 .../stacks/api-layer/iam_policies.tf | 56 ++++++++++++-------
 1 file changed, 37 insertions(+), 19 deletions(-)
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 00b5d914f..8af65233e 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -1,7 +1,7 @@
 # Read-only policy for DynamoDB
 data "aws_iam_policy_document" "dynamodb_read_policy_doc" {
 statement {
- actions = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]
+ actions = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]
 resources = [module.eligibility_status_table.arn]
 }
 }
@@ -16,7 +16,7 @@ resource "aws_iam_role_policy" "lambda_dynamodb_read_policy" {
 # Write-only policy for DynamoDB
 data "aws_iam_policy_document" "dynamodb_write_policy_doc" {
 statement {
- actions = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"]
+ actions = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"]
 resources = [module.eligibility_status_table.arn]
 }
 }
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "dynamo_kms_access_policy_doc" {
 # Attach dynamoDB write policy to external write role
 resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
- count = length(aws_iam_role.write_access_role)
+ count = length(aws_iam_role.write_access_role)
 name = "DynamoDBWriteAccess"
 role = aws_iam_role.write_access_role[count.index].id
 policy = data.aws_iam_policy_document.dynamodb_write_policy_doc.json
@@ -45,7 +45,7 @@ resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
 # Attach dynamo KMS policy to external write role
 resource "aws_iam_role_policy" "external_kms_access_policy" {
- count = length(aws_iam_role.write_access_role)
+ count = length(aws_iam_role.write_access_role)
 name = "KMSAccessForDynamoDB"
 role = aws_iam_role.write_access_role[count.index].id
 policy = data.aws_iam_policy_document.dynamo_kms_access_policy_doc.json
@@ -65,7 +65,7 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
 ]
 condition {
 test = "Bool"
- values = ["true"]
+ values = ["true"]
 variable = "aws:SecureTransport"
 }
 }
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "rules_s3_bucket_policy" {
 "${module.s3_rules_bucket.storage_bucket_arn}/*",
 ]
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 condition {
@@ -121,7 +121,7 @@ data "aws_iam_policy_document" "audit_s3_bucket_policy" {
 "${module.s3_audit_bucket.storage_bucket_arn}/*",
 ]
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 condition {
@@ -192,7 +192,7 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
 statement {
- sid = "AllowSSLRequestsOnly"
+ sid = "AllowSSLRequestsOnly"
 actions = ["s3:*"]
 resources = [
 module.s3_audit_bucket.storage_bucket_arn,
@@ -200,7 +200,7 @@ data "aws_iam_policy_document" "s3_audit_bucket_policy" {
 ]
 condition {
 test = "Bool"
- values = ["true"]
+ values = ["true"]
 variable = "aws:SecureTransport"
 }
 }
@@ -222,10 +222,10 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
@@ -233,7 +233,7 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" {
 sid = "AllowLambdaDecrypt"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn]
 }
 actions = [
@@ -260,10 +260,10 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
@@ -271,10 +271,10 @@ data "aws_iam_policy_document" "s3_rules_kms_key_policy" {
 sid = "AllowLambdaDecrypt"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn]
 }
- actions = ["kms:Decrypt"]
+ actions = ["kms:Decrypt"]
 resources = ["*"]
 }
 }
@@ -293,17 +293,17 @@ data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
 sid = "EnableIamUserPermissions"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 }
- actions = ["kms:*"]
+ actions = ["kms:*"]
 resources = ["*"]
 }
 statement {
 sid = "AllowLambdaFullWrite"
 effect = "Allow"
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [aws_iam_role.eligibility_lambda_role.arn, aws_iam_role.eligibility_audit_firehose_role.arn]
 }
 actions = [
@@ -340,3 +340,21 @@ resource "aws_iam_role_policy" "lambda_firehose_policy" {
 role = aws_iam_role.eligibility_lambda_role.id
 policy = data.aws_iam_policy_document.lambda_firehose_write_policy.json
 }
+
+data "aws_iam_policy_document" "lambda_xray_tracing_permissions_policy" {
+ statement {
+ sid = "AllowLambdaToPutToXRay"
+ effect = "Allow"
+ actions = [
+ "xray:PutTraceSegments",
+ "xray:PutTelemetryRecords"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_role_policy" "lambda_xray_tracing_policy" {
+ name = "LambdaXRayWritePolicy"
+ role = aws_iam_role.eligibility_lambda_role.id
+ policy = data.aws_iam_policy_document.lambda_xray_tracing_permissions_policy.json
+}
From 78b41587eb030389e5d3717fcfa72f9b946422de Mon Sep 17 00:00:00 2001
From: Robert
Date: Fri, 18 Jul 2025 10:44:27 +0100
Subject: [PATCH 2/6] Add xray vpc endpoint
---
 infrastructure/stacks/networking/locals.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/infrastructure/stacks/networking/locals.tf b/infrastructure/stacks/networking/locals.tf
index 5acda7626..9114c1144 100644
--- a/infrastructure/stacks/networking/locals.tf
+++ b/infrastructure/stacks/networking/locals.tf
@@ -22,6 +22,8 @@ locals {
 sts = "com.amazonaws.${local.region}.sts"
 sqs = "com.amazonaws.${local.region}.sqs"
 kinesis-firehose = "com.amazonaws.${local.region}.kinesis-firehose"
+ xray = "com.amazonaws.${local.region}.xray"
+
 }
 # VPC Gateway Endpoints
From 4c4536108cb7dbfdd7a29fdd2a686b7854f1e0b4 Mon Sep 17 00:00:00 2001
From: Robert
Date: Fri, 18 Jul 2025 16:11:13 +0100
Subject: [PATCH 3/6] Added xray to the permissions boundary
---
 .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 27909c885..8d7940668 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
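Review bot: The `resources = ["*"]` in the new `lambda_xray_tracing_permissions_policy` statement carries no explanation, and a wildcard resource in an IAM document is exactly the kind of line a later reviewer or policy linter will try to narrow. `xray:PutTraceSegments` and `xray:PutTelemetryRecords` do not support resource-level permissions, so `"*"` is the only valid scope here; record that next to the line, e.g. `# X-Ray PutTraceSegments/PutTelemetryRecords have no resource-level permissions; "*" is the only valid scope`. Separately, if the function's X-Ray SDK is configured to pull centralized sampling rules it would also need `xray:GetSamplingRules` and `xray:GetSamplingTargets`, which this statement does not grant; I cannot see the tracing configuration from this hunk, so confirm against it. The enclosing `lambda_firehose_policy` resource at the top of the hunk starts outside it.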
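Review bot: The second added line in the `locals` hunk is an empty line inserted between the new `xray` entry and the closing `}` of the endpoint map, which none of the neighbouring entries (`sts`, `sqs`, `kinesis-firehose`) have; drop it so the map stays compact and `terraform fmt` does not churn it later. The `locals` block itself begins before this hunk, so I cannot tell from here whether `xray` is then consumed by the interface-endpoint resource like the other keys — worth confirming, since an unused key would silently leave Lambda X-Ray traffic without the private path the commit title promises.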
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -33,7 +33,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "support:*",
 "sqs:*",
 "tag:*",
- "trustedadvisor:*"
+ "trustedadvisor:*",
+ "xray:*"
 ]
 resources = ["*"]
From 3a2d35461ce2116b5bcef9f96783647e851a4295 Mon Sep 17 00:00:00 2001
From: Robert
Date: Fri, 18 Jul 2025 16:22:21 +0100
Subject: [PATCH 4/6] Added xray to the assumed role permissions boundary
---
 .../stacks/api-layer/assumed_role_permissions_boundary.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
index 2fd4e8454..980bf8e61 100644
--- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
+++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -33,7 +33,8 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 "support:*",
 "sqs:*",
 "tag:*",
- "trustedadvisor:*"
+ "trustedadvisor:*",
+ "xray:*"
 ]
 resources = ["*"]
From aa2d0f8ca372e2b397891c77337f463c557b081f Mon Sep 17 00:00:00 2001
From: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>
Date: Mon, 21 Jul 2025 15:20:09 +0100
Subject: [PATCH 5/6] Testing permission boundary.
---
 .../stacks/api-layer/assumed_role_permissions_boundary.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
index 980bf8e61..36762f4bf 100644
--- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
+++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -34,7 +34,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 "sqs:*",
 "tag:*",
 "trustedadvisor:*",
- "xray:*"
+
 ]
 resources = ["*"]
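Review bot: The added `"xray:*"` in the `permissions_boundary` action list (and the identical addition to `assumed_role_permissions_boundary` in PATCH 4/6 on this same line) raises the ceiling to the whole X-Ray API, including the read APIs that return trace contents, while the only role-level grant in this series (PATCH 1/6) needs just `xray:PutTraceSegments` and `xray:PutTelemetryRecords`. A boundary is the upper bound that every policy attached to these roles is checked against, so widening it with a service wildcard should be a deliberate choice rather than a copy of the neighbouring `trustedadvisor:*` shape. For the api-layer assumed-role boundary at least, replace `"xray:*"` with `"xray:PutTraceSegments",` and `"xray:PutTelemetryRecords"`; for the developer-roles boundary the wildcard may be intended to cover console use of the trace read APIs, in which case a one-line comment saying so would let the next reader tell the two apart. Both statements close outside their hunks, so I cannot see whether any condition keys apply.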
From 36dc5048ee0eb111f2fb3741e99c5ab1837805d0 Mon Sep 17 00:00:00 2001
From: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>
Date: Mon, 21 Jul 2025 15:26:35 +0100
Subject: [PATCH 6/6] testing perm bound.
---
 .../stacks/api-layer/assumed_role_permissions_boundary.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
index 36762f4bf..980bf8e61 100644
--- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
+++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -34,7 +34,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 "sqs:*",
 "tag:*",
 "trustedadvisor:*",
-
+ "xray:*"
 ]
 resources = ["*"]