From 52ff144859f8c75ad4a2c7479077cd186b007e09 Mon Sep 17 00:00:00 2001
From: "Axel Garcia K."
Date: Mon, 8 Jul 2024 20:30:39 +0100
Subject: [PATCH 1/2] NRL-846 Use the auth store policy for lambdas
---
 .../account-wide-infrastructure/dev/vars.tf | 2 +-
 .../modules/permissions-store-bucket/iam.tf | 3 +-
 terraform/infrastructure/data.tf | 5 +++
 terraform/infrastructure/lambda.tf | 39 ++++++++++++-------
 terraform/infrastructure/locals.tf | 5 ++-
 .../modules/permissions-store-bucket/iam.tf | 3 +-
 terraform/infrastructure/s3.tf | 35 -----------------
 7 files changed, 39 insertions(+), 53 deletions(-)
 delete mode 100644 terraform/infrastructure/s3.tf
diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf
index 6548da7c..24afb780 100644
--- a/terraform/account-wide-infrastructure/dev/vars.tf
+++ b/terraform/account-wide-infrastructure/dev/vars.tf
@@ -10,6 +10,6 @@ variable "dev_api_domain_name" {
 }
 variable "devsandbox_api_domain_name" {
- description = "The internal DNS name of the API Gateway for the dev environment"
+ description = "The internal DNS name of the API Gateway for the dev sandbox environment"
 default = "dev-sandbox.api.record-locator.dev.national.nhs.uk"
 }
diff --git a/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf b/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf
index 258cc438..621807ba 100644
--- a/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf
+++ b/terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf
@@ -11,7 +11,8 @@ resource "aws_iam_policy" "read-s3-authorization-store" {
 ]
 Effect = "Allow"
 Resource = [
- aws_s3_bucket.authorization-store.arn
+ aws_s3_bucket.authorization-store.arn,
+ "${aws_s3_bucket.authorization-store.arn}/*",
 ]
 },
 ]
diff --git a/terraform/infrastructure/data.tf b/terraform/infrastructure/data.tf
index 4ae99c7b..8a44ecb8 100644
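Review bot: The single statement now grants every Action listed above the hunk on both the bucket ARN and every object beneath it; `s3:ListBucket` is only meaningful on the bucket ARN and `s3:GetObject` only on object ARNs, so a two-statement form scopes each action to the resource type it acts on. The Action list starts outside the hunk, so the split below assumes it holds the same `s3:GetObject`/`s3:ListBucket` pair the deleted bucket policy in terraform/infrastructure/s3.tf granted — worth confirming nothing broader sits there, since this managed policy now replaces a principal-scoped bucket policy. The identical hunk in terraform/infrastructure/modules/permissions-store-bucket/iam.tf has the same shape. The enclosing `aws_iam_policy` resource begins outside the hunk.
```hcl
# … unchanged: resource header and policy wrapper …
      {
        Action   = ["s3:ListBucket"]
        Effect   = "Allow"
        Resource = [aws_s3_bucket.authorization-store.arn]
      },
      {
        Action   = ["s3:GetObject"]
        Effect   = "Allow"
        Resource = ["${aws_s3_bucket.authorization-store.arn}/*"]
      },
# … unchanged: end of Statement list and resource …
```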
--- a/terraform/infrastructure/data.tf
+++ b/terraform/infrastructure/data.tf
@@ -10,6 +10,11 @@ data "aws_s3_bucket" "authorization-store" {
 bucket = "${local.shared_prefix}-authorization-store"
 }
+data "aws_iam_policy" "auth-store-read-policy" {
+ count = var.use_shared_resources ? 1 : 0
+ name = "${local.shared_prefix}-read-s3-authorization-store"
+}
+
 data "aws_dynamodb_table" "pointers-table" {
 count = var.use_shared_resources ? 1 : 0
 name = "${local.shared_prefix}-pointers-table"
diff --git a/terraform/infrastructure/lambda.tf b/terraform/infrastructure/lambda.tf
index b5632ec9..c6feea13 100644
--- a/terraform/infrastructure/lambda.tf
+++ b/terraform/infrastructure/lambda.tf
@@ -17,7 +17,8 @@ module "consumer__readDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -44,7 +45,8 @@ module "consumer__countDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -71,7 +73,8 @@ module "consumer__searchDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -98,7 +101,8 @@ module "consumer__searchPostDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
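Review bot: `data "aws_iam_policy" "auth-store-read-policy"` resolves the managed policy by name alone, which silently couples this stack to whatever `name` the account-wide `permissions-store-bucket` module gives its `read-s3-authorization-store` resource — that `name` argument is not part of this diff, so the match is assumed rather than shown. A comment recording the contract would help the next maintainer, e.g. `# Managed policy is created by account-wide-infrastructure/modules/permissions-store-bucket; keep the name in sync`. Because the lookup runs only when `use_shared_resources` is set, a rename on the account-wide side would surface only at plan time in shared environments.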
@@ -126,7 +130,8 @@ module "producer__createDocumentReference" {
 additional_policies = [
 local.pointers_table_write_policy_arn,
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -154,7 +159,8 @@ module "producer__deleteDocumentReference" {
 additional_policies = [
 local.pointers_table_write_policy_arn,
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -181,7 +187,8 @@ module "producer__readDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -208,7 +215,8 @@ module "producer__searchDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -235,7 +243,8 @@ module "producer__searchPostDocumentReference" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -263,7 +272,8 @@ module "producer__updateDocumentReference" {
 additional_policies = [
 local.pointers_table_read_policy_arn,
 local.pointers_table_write_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -291,7 +301,8 @@ module "producer__upsertDocumentReference" {
 additional_policies = [
 local.pointers_table_write_policy_arn,
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -319,7 +330,8 @@ module "consumer__status" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
@@ -348,7 +360,8 @@ module "producer__status" {
 }
 additional_policies = [
 local.pointers_table_read_policy_arn,
- local.pointers_kms_read_write_arn
+ local.pointers_kms_read_write_arn,
+ local.auth_store_read_policy_arn
 ]
 firehose_subscriptions = [
 module.firehose__processor.firehose_subscription
diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf
index ee87c624..da13dc55 100644
--- a/terraform/infrastructure/locals.tf
+++ b/terraform/infrastructure/locals.tf
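Review bot: `consumer__status` and `producer__status` now carry `local.auth_store_read_policy_arn`, but neither role appears in the principal list of the bucket policy this commit deletes (terraform/infrastructure/s3.tf named eleven Lambda roles and omitted both status modules), so these two hunks widen read access to the authorization store rather than preserve it. Unless the status handlers genuinely read the store, drop the `+ local.auth_store_read_policy_arn` line from both modules so the migration stays a like-for-like swap of bucket policy for managed policy. The other ten lambda.tf hunks correspond one-to-one with the old principal list and read as a faithful migration. Each `module` block starts outside its hunk.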
@@ -35,8 +35,9 @@ locals {
 aws_account_id = data.aws_caller_identity.current.account_id
- auth_store_id = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
- auth_store_arn = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].arn : module.ephemeral-s3-permission-store[0].bucket_arn
+ auth_store_id = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
+ auth_store_arn = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].arn : module.ephemeral-s3-permission-store[0].bucket_arn
+ auth_store_read_policy_arn = var.use_shared_resources ? data.aws_iam_policy.auth-store-read-policy[0].arn : module.ephemeral-s3-permission-store[0].bucket_read_policy_arn
 pointers_table_name = var.use_shared_resources ? data.aws_dynamodb_table.pointers-table[0].name : module.ephemeral-pointers-table[0].table_name
 pointers_table_read_policy_arn = var.use_shared_resources ? data.aws_iam_policy.pointers-table-read[0].arn : module.ephemeral-pointers-table[0].read_policy_arn
diff --git a/terraform/infrastructure/modules/permissions-store-bucket/iam.tf b/terraform/infrastructure/modules/permissions-store-bucket/iam.tf
index 258cc438..621807ba 100644
--- a/terraform/infrastructure/modules/permissions-store-bucket/iam.tf
+++ b/terraform/infrastructure/modules/permissions-store-bucket/iam.tf
@@ -11,7 +11,8 @@ resource "aws_iam_policy" "read-s3-authorization-store" {
 ]
 Effect = "Allow"
 Resource = [
- aws_s3_bucket.authorization-store.arn
+ aws_s3_bucket.authorization-store.arn,
+ "${aws_s3_bucket.authorization-store.arn}/*",
 ]
 },
 ]
diff --git a/terraform/infrastructure/s3.tf b/terraform/infrastructure/s3.tf
deleted file mode 100644
index 3b33ed87..00000000
--- a/terraform/infrastructure/s3.tf
+++ /dev/null
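Review bot: The ephemeral branch of the new `auth_store_read_policy_arn` local reads `module.ephemeral-s3-permission-store[0].bucket_read_policy_arn`, and no output of that name is added anywhere in this patch — the infrastructure copy of the module only changes the policy's Resource list — so confirm the module already exposes that output, otherwise the non-shared path fails at plan time. The `-`/`+` pairs for `auth_store_id` and `auth_store_arn` are whitespace-only realignment; harmless, but they make the hunk look like a behavioural change when reading blame. The `locals` block starts outside the hunk.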
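Review bot: This hunk is identical to the one applied to terraform/account-wide-infrastructure/modules/permissions-store-bucket/iam.tf (both carry blob ids 258cc438..621807ba), which means the permissions-store-bucket module exists as two independent copies that must be patched in lockstep — a grant widened in one and not the other would go unnoticed. Pointing both stacks at a single module `source` removes that drift risk; until then a header comment naming the twin, e.g. `# Mirrored in terraform/account-wide-infrastructure/modules/permissions-store-bucket — change both copies together`, keeps the coupling visible. The enclosing resource starts outside the hunk.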
@@ -1,35 +0,0 @@
-resource "aws_s3_bucket_policy" "allow-lambda-to-read" {
- bucket = local.auth_store_id
- policy = data.aws_iam_policy_document.allow-authorizer-lambda-to-read.json
-}
-
-data "aws_iam_policy_document" "allow-authorizer-lambda-to-read" {
- statement {
- principals {
- type = "AWS"
- identifiers = [
- "arn:aws:iam::${local.aws_account_id}:role/${module.consumer__readDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.consumer__countDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.consumer__searchDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.consumer__searchPostDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__createDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__deleteDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__readDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__searchDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__searchPostDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__updateDocumentReference.lambda_role_name}",
- "arn:aws:iam::${local.aws_account_id}:role/${module.producer__upsertDocumentReference.lambda_role_name}",
- ]
- }
-
- actions = [
- "s3:GetObject",
- "s3:ListBucket",
- ]
-
- resources = [
- local.auth_store_arn,
- "${local.auth_store_arn}/*",
- ]
- }
-}
From 99709e9ce28124586db519f1c2a1298f3da3d573 Mon Sep 17 00:00:00 2001
From: "Axel Garcia K."
Date: Mon, 8 Jul 2024 21:02:09 +0100
Subject: [PATCH 2/2] NRL-846 Remove unused local
---
 terraform/infrastructure/locals.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf
index da13dc55..998bd8ed 100644
--- a/terraform/infrastructure/locals.tf
+++ b/terraform/infrastructure/locals.tf
@@ -36,7 +36,6 @@ locals {
 aws_account_id = data.aws_caller_identity.current.account_id
 auth_store_id = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].id : module.ephemeral-s3-permission-store[0].bucket_id
- auth_store_arn = var.use_shared_resources ? data.aws_s3_bucket.authorization-store[0].arn : module.ephemeral-s3-permission-store[0].bucket_arn
 auth_store_read_policy_arn = var.use_shared_resources ? data.aws_iam_policy.auth-store-read-policy[0].arn : module.ephemeral-s3-permission-store[0].bucket_read_policy_arn
 pointers_table_name = var.use_shared_resources ? data.aws_dynamodb_table.pointers-table[0].name : module.ephemeral-pointers-table[0].table_name