From b805b35628e1a64c990c478505f0b6e7b00d9780 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Thu, 9 Apr 2026 12:18:36 +0100
Subject: [PATCH 1/5] [ELI-702] creating the resources and outputs

---
 infrastructure/modules/lambda/outputs.tf | 4 ++++
 infrastructure/modules/lambda/signing.tf | 25 +++++++++++++++++++++++
 infrastructure/stacks/api-layer/lambda.tf | 6 ++++++
 3 files changed, 35 insertions(+)
 create mode 100644 infrastructure/modules/lambda/signing.tf

diff --git a/infrastructure/modules/lambda/outputs.tf b/infrastructure/modules/lambda/outputs.tf
index 076115ed8..5b3e686a6 100644
--- a/infrastructure/modules/lambda/outputs.tf
+++ b/infrastructure/modules/lambda/outputs.tf
@@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {
 output "lambda_cmk_arn" {
   value = aws_kms_key.lambda_cmk.arn
 }
+
+output "lambda_signing_profile_name" {
+  value = aws_signer_signing_profile.lambda_signing.name
+}
diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
new file mode 100644
index 000000000..93ad0d901
--- /dev/null
+++ b/infrastructure/modules/lambda/signing.tf
@@ -0,0 +1,25 @@
+resource "aws_signer_signing_profile" "lambda_signing" {
+  name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  #aws signer is strict with names, does not like hyphens or underscores
+
+  platform_id = "AWSLambda-SHA384-ECDSA"
+
+  signature_validity_period {
+    value = 365
+    type = "DAYS"
+  }
+}
+
+resource "aws_lambda_code_signing_config" "signing_config" {
+  allowed_publishers {
+    signing_profile_version_arns = [
+      aws_signer_signing_profile.lambda_signing.version_arn
+    ]
+  }
+
+  policies {
+    untrusted_artifact_on_deployment = "Enforce"
+  }
+
+  description = "Only allow Lambda bundles signed by our trusted signer profile"
+}
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
index dfb061ba2..b3eba1568 100644
--- a/infrastructure/stacks/api-layer/lambda.tf
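Review bot: The `aws_lambda_code_signing_config` in signing.tf enforces nothing until its ARN is set as `code_signing_config_arn` on the function, and nothing in this series attaches it or even exports it — outputs.tf only exposes the profile name. Add `output "lambda_code_signing_config_arn" { value = aws_lambda_code_signing_config.signing_config.arn }` and wire `code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn` into the module's `aws_lambda_function` (outside this diff), otherwise `untrusted_artifact_on_deployment = "Enforce"` is a no-op. The 365-day `signature_validity_period` also deserves a comment, since as I read the Signer docs an artifact whose signature has expired can no longer be deployed — something like `# signatures expire after a year; redeploying an old bundle needs a fresh signing job`. Minor: `"${terraform.workspace}"` inside the conditional is an interpolation-only string, `terraform.workspace` alone reads the same.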
+++ b/infrastructure/stacks/api-layer/lambda.tf
@@ -35,6 +35,12 @@ module "eligibility_signposting_lambda_function" {
   api_domain_name = local.api_domain_name
 }
 
+
+# Needed by github workflows to sign the lambda artifacts
+output "signing_profile_name" {
+  value = module.eligibility_signposting_lambda_function.lambda_signing_profile_name
+}
+
 # -----------------------------------------------------------------------------
 # Secret rotation lambdas
 # -----------------------------------------------------------------------------
From a68445349c9db10300a2e69ada2472e02db464c8 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Thu, 9 Apr 2026 12:35:13 +0100
Subject: [PATCH 2/5] [ELI-702] create and attach policy doc

---
 .../github_actions_policies.tf | 68 +++++++++++++++++++
 .../stacks/iams-developer-roles/locals.tf | 2 +
 2 files changed, 70 insertions(+)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 72c46e35a..e31a29c0b 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -809,6 +809,69 @@ resource "aws_iam_policy" "cloudwatch_management" {
   tags = merge(local.tags, { Name = "cloudwatch-management" })
 }
 
+resource "aws_iam_policy" "code_signing_management" {
+  #checkov:skip=CKV_AWS_290: Actions require wildcard resource for Lambda code signing configs and Signer jobs
+  #checkov:skip=CKV_AWS_235: Actions require wildcard resource for Lambda code signing configs and Signer jobs
+  #checkov:skip=CKV_AWS_355: Actions require wildcard resource for Lambda code signing configs and Signer jobs
+  name = "code-signing-management"
+  description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs"
+  path = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "LambdaCodeSigningConfigManagement",
+        Effect = "Allow",
+        Action = [
+          "lambda:CreateCodeSigningConfig",
+          "lambda:UpdateCodeSigningConfig",
+          "lambda:DeleteCodeSigningConfig",
+          "lambda:GetCodeSigningConfig",
+          "lambda:ListCodeSigningConfigs",
+          "lambda:GetFunctionCodeSigningConfig",
+          "lambda:ListTags",
+          "lambda:DeleteFunctionCodeSigningConfig",
+          "lambda:PutFunctionCodeSigningConfig"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid = "SignerProfileManagement"
+        Effect = "Allow"
+        Action = [
+          "signer:GetSigningProfile",
+          "signer:TagResource",
+          "signer:UntagResource",
+          "signer:ListTagsForResource"
+        ]
+        Resource = local.lambda_signing_profile_arn
+      },
+      {
+        Sid = "SignerProfileCreateAndList"
+        Effect = "Allow"
+        Action = [
+          "signer:PutSigningProfile",
+          "signer:ListSigningProfiles"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid = "SignerJobUsage",
+        Effect = "Allow",
+        Action = [
+          "signer:StartSigningJob",
+          "signer:DescribeSigningJob",
+          "signer:ListSigningJobs"
+        ],
+        Resource = "*"
+      },
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "code-signing-management" })
+}
+
 # Attach the policies to the role
 resource "aws_iam_role_policy_attachment" "terraform_state" {
   role = aws_iam_role.github_actions.name
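Review bot: `signer:StartSigningJob` (in `SignerJobUsage`) and `signer:PutSigningProfile` (in `SignerProfileCreateAndList`) are granted on `Resource = "*"`, yet as I read the Signer IAM action table both take a signing-profile ARN, so the GitHub Actions role can sign with, or overwrite, every profile in the account; move them next to `GetSigningProfile` under `local.lambda_signing_profile_arn` and leave only the list/describe actions wildcarded (verify `DescribeSigningJob` against the action table — it appears to take a signing-job ARN, not a profile). The same role is also handed `lambda:DeleteCodeSigningConfig`, `lambda:UpdateCodeSigningConfig` and `lambda:DeleteFunctionCodeSigningConfig`, so a compromised workflow can simply detach or delete the config that is supposed to constrain it; either split the sign-and-deploy permissions from config management or document that accepted trade-off next to the checkov skips instead of the current "actions require wildcard" wording, which is only true for the Create/List calls. The trailing comma after the last statement object is valid HCL but reads like a leftover.

```terraform
      {
        Sid    = "SignerProfileScoped"
        Effect = "Allow"
        Action = [
          "signer:GetSigningProfile",
          "signer:PutSigningProfile",
          "signer:StartSigningJob",
          "signer:TagResource",
          "signer:UntagResource",
          "signer:ListTagsForResource"
        ]
        Resource = local.lambda_signing_profile_arn
      },
      {
        Sid    = "SignerListAndDescribe"
        Effect = "Allow"
        Action = [
          "signer:ListSigningProfiles",
          "signer:ListSigningJobs",
          "signer:DescribeSigningJob"
        ]
        Resource = "*"
      }
      # … unchanged: LambdaCodeSigningConfigManagement statement, tags …
```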
@@ -859,3 +922,8 @@ resource "aws_iam_role_policy_attachment" "kinesis_management_attach" {
   role = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.kinesis_management.arn
 }
+
+resource "aws_iam_role_policy_attachment" "code_signing_management" {
+  role = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.code_signing_management.arn
+}
diff --git a/infrastructure/stacks/iams-developer-roles/locals.tf b/infrastructure/stacks/iams-developer-roles/locals.tf
index 1696637cb..5a43a0307 100644
--- a/infrastructure/stacks/iams-developer-roles/locals.tf
+++ b/infrastructure/stacks/iams-developer-roles/locals.tf
@@ -1,3 +1,5 @@
 locals {
   stack_name = "iams-developer-roles"
+  lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
 }
From 7c16734f34ba51ddbb82f636d548af74f00bfbc6 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Thu, 9 Apr 2026 12:41:35 +0100
Subject: [PATCH 3/5] [ELI-702] formatting

---
 infrastructure/modules/lambda/signing.tf | 2 +-
 .../stacks/iams-developer-roles/github_actions_policies.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
index 93ad0d901..0392a4317 100644
--- a/infrastructure/modules/lambda/signing.tf
+++ b/infrastructure/modules/lambda/signing.tf
@@ -21,5 +21,5 @@ resource "aws_lambda_code_signing_config" "signing_config" {
     untrusted_artifact_on_deployment = "Enforce"
   }
 
-  description = "Only allow Lambda bundles signed by our trusted signer profile"
+  description = "Only allow Lambda bundles signed by our trusted signer profile"
 }
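Review bot: `lambda_signing_profile_name` in locals.tf is a hand copy of the naming expression in `modules/lambda/signing.tf`, so the two stacks are coupled by text that nothing validates; if the module's prefix or suffix changes, `lambda_signing_profile_arn` silently stops matching and the `SignerProfileManagement` statement denies the CI role with no Terraform error. Prefer consuming the api-layer stack's `signing_profile_name` output (remote state or a shared variable) or, failing that, add `# must match aws_signer_signing_profile.lambda_signing.name in modules/lambda/signing.tf` above the local. Note also that `var.default_aws_region` pins the ARN to one region, which is only correct if the module creates the profile there — nothing visible in this stack enforces that, so a one-line comment stating the assumption would help the next reader.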
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index e31a29c0b..124b6cf63 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -869,7 +869,7 @@ resource "aws_iam_policy" "code_signing_management" {
     ]
   })
 
-  tags = merge(local.tags, { Name = "code-signing-management" })
+  tags = merge(local.tags, { Name = "code-signing-management" })
 }
 
 # Attach the policies to the role
From 5dd3b8195c16c409c26865fa006d4b2dc4bcc395 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Fri, 10 Apr 2026 10:02:01 +0100
Subject: [PATCH 4/5] [ELI-702] narrowing scope for some permissions

---
 .../iams-developer-roles/github_actions_policies.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 124b6cf63..25a1dcaa1 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -836,6 +836,15 @@ resource "aws_iam_policy" "code_signing_management" {
         ],
         Resource = "*"
       },
+      {
+        Sid = "LambdaFunctionSigningManagement",
+        Effect = "Allow",
+        Action = [
+          "lambda:DeleteFunctionCodeSigningConfig",
+          "lambda:PutFunctionCodeSigningConfig"
+        ],
+        Resource = "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api"
+      },
       {
         Sid = "SignerProfileManagement"
         Effect = "Allow"
From 17c63bae1a614e784af33c55bf84328eeb606d23 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Fri, 10 Apr 2026 10:05:40 +0100
Subject: [PATCH 5/5] [ELI-702] narrowing scope for some permissions

---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
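Review bot: The new `LambdaFunctionSigningManagement` statement hardcodes `function:eligibility_signposting_api` with no workspace prefix, while the signing profile this same stack targets is prefixed with `terraform.workspace` outside the default workspace; if the function name follows the same convention (not visible here), `PutFunctionCodeSigningConfig` will be denied in every non-default workspace and the config never gets attached. Derive the prefix once in locals.tf (the expression already used for `lambda_signing_profile_name`) and reuse it here, and replace the region wildcard with the same `var.default_aws_region` that `lambda_signing_profile_arn` uses, e.g. `Resource = "arn:aws:lambda:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:function:${local.workspace_prefix}eligibility_signposting_api"`. The enclosing `policy = jsonencode({ ... })` starts and ends outside this hunk.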
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 25a1dcaa1..4740ac9e8 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -830,9 +830,7 @@ resource "aws_iam_policy" "code_signing_management" {
           "lambda:GetCodeSigningConfig",
           "lambda:ListCodeSigningConfigs",
           "lambda:GetFunctionCodeSigningConfig",
-          "lambda:ListTags",
-          "lambda:DeleteFunctionCodeSigningConfig",
-          "lambda:PutFunctionCodeSigningConfig"
+          "lambda:ListTags"
         ],
         Resource = "*"
       },
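Review bot: After this trim, `lambda:UpdateCodeSigningConfig`, `lambda:DeleteCodeSigningConfig` and `lambda:GetCodeSigningConfig` still sit under `Resource = "*"`, but as I read the Lambda IAM action table those three take a `code-signing-config` ARN — only `CreateCodeSigningConfig` and `ListCodeSigningConfigs` genuinely need the wildcard, so the checkov skip justification at the top of the resource (outside this hunk) overstates the constraint and the CI role can delete any code signing config in the account. Move the three into their own statement with `Resource = "arn:aws:lambda:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:code-signing-config:*"`, which still covers configs Terraform creates in this account while dropping the cross-account-region wildcard. `GetFunctionCodeSigningConfig` takes a function ARN and belongs with the `LambdaFunctionSigningManagement` statement introduced in the previous patch.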