Skip to content

Feature/add signing resources #633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TOEL2 merged 6 commits into from
Apr 10, 2026
Merged

Feature/add signing resources #633

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b805b35
[ELI-702] creating the resources and outputs
TOEL2 Apr 9, 2026
a684453
[ELI-702] create and attach policy doc
TOEL2 Apr 9, 2026
7c16734
[ELI-702] formatting
TOEL2 Apr 9, 2026
99b23a9
Merge branch 'main' into feature/add-signing-resources
TOEL2 Apr 10, 2026
5dd3b81
[ELI-702] narrowing scope for some permissions
TOEL2 Apr 10, 2026
17c63ba
[ELI-702] narrowing scope for some permissions
TOEL2 Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions infrastructure/modules/lambda/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,7 @@ output "aws_lambda_invoke_arn" {
output "lambda_cmk_arn" {
value = aws_kms_key.lambda_cmk.arn
}

output "lambda_signing_profile_name" {
value = aws_signer_signing_profile.lambda_signing.name
}
25 changes: 25 additions & 0 deletions infrastructure/modules/lambda/signing.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
resource "aws_signer_signing_profile" "lambda_signing" {
name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
#aws signer is strict with names, does not like hyphens or underscores
Comment thread
TOEL2 marked this conversation as resolved.

platform_id = "AWSLambda-SHA384-ECDSA"

signature_validity_period {
value = 365
type = "DAYS"
}
}

resource "aws_lambda_code_signing_config" "signing_config" {
allowed_publishers {
signing_profile_version_arns = [
aws_signer_signing_profile.lambda_signing.version_arn
]
}

policies {
untrusted_artifact_on_deployment = "Enforce"
}

description = "Only allow Lambda bundles signed by our trusted signer profile"
}
6 changes: 6 additions & 0 deletions infrastructure/stacks/api-layer/lambda.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,12 @@ module "eligibility_signposting_lambda_function" {
api_domain_name = local.api_domain_name
}


# Needed by github workflows to sign the lambda artifacts
output "signing_profile_name" {
value = module.eligibility_signposting_lambda_function.lambda_signing_profile_name
}

# -----------------------------------------------------------------------------
# Secret rotation lambdas
# -----------------------------------------------------------------------------
Expand Down
75 changes: 75 additions & 0 deletions infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -809,6 +809,76 @@ resource "aws_iam_policy" "cloudwatch_management" {
tags = merge(local.tags, { Name = "cloudwatch-management" })
}

resource "aws_iam_policy" "code_signing_management" {
#checkov:skip=CKV_AWS_290: Actions require wildcard resource for Lambda code signing configs and Signer jobs
#checkov:skip=CKV_AWS_235: Actions require wildcard resource for Lambda code signing configs and Signer jobs
#checkov:skip=CKV_AWS_355: Actions require wildcard resource for Lambda code signing configs and Signer jobs
name = "code-signing-management"
description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs"
path = "/service-policies/"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "LambdaCodeSigningConfigManagement",
Effect = "Allow",
Action = [
"lambda:CreateCodeSigningConfig",
"lambda:UpdateCodeSigningConfig",
"lambda:DeleteCodeSigningConfig",
"lambda:GetCodeSigningConfig",
"lambda:ListCodeSigningConfigs",
"lambda:GetFunctionCodeSigningConfig",
"lambda:ListTags"
],
Resource = "*"
},
{
Sid = "LambdaFunctionSigningManagement",
Effect = "Allow",
Action = [
"lambda:DeleteFunctionCodeSigningConfig",
"lambda:PutFunctionCodeSigningConfig"
],
Resource = "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api"
},
{
Sid = "SignerProfileManagement"
Effect = "Allow"
Action = [
"signer:GetSigningProfile",
"signer:TagResource",
"signer:UntagResource",
"signer:ListTagsForResource"
]
Resource = local.lambda_signing_profile_arn
},
{
Sid = "SignerProfileCreateAndList"
Effect = "Allow"
Action = [
"signer:PutSigningProfile",
"signer:ListSigningProfiles"
]
Resource = "*"
},
{
Sid = "SignerJobUsage",
Effect = "Allow",
Action = [
"signer:StartSigningJob",
"signer:DescribeSigningJob",
"signer:ListSigningJobs"
],
Resource = "*"
},
]
})

tags = merge(local.tags, { Name = "code-signing-management" })
}

# Attach the policies to the role
resource "aws_iam_role_policy_attachment" "terraform_state" {
role = aws_iam_role.github_actions.name
Expand Down Expand Up @@ -859,3 +929,8 @@ resource "aws_iam_role_policy_attachment" "kinesis_management_attach" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.kinesis_management.arn
}

resource "aws_iam_role_policy_attachment" "code_signing_management" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.code_signing_management.arn
}
2 changes: 2 additions & 0 deletions infrastructure/stacks/iams-developer-roles/locals.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
locals {
stack_name = "iams-developer-roles"
lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
Comment thread
TOEL2 marked this conversation as resolved.
}
Loading