Ddls 392b - add kms decrypts for secrets key on relevant roles (#1728)

* DDLS-392 add secrets decryption to all relevant roles
ministryofjustice · Nov 12, 2024 · a2b8b59 · a2b8b59
1 parent 9980dda
commit a2b8b59
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 13 deletions.
diff --git a/terraform/environment/region/ecs_iam_api.tf b/terraform/environment/region/ecs_iam_api.tf
@@ -44,6 +44,17 @@ data "aws_iam_policy_document" "api_permissions" {
     ]
   }
 
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
+
   statement {
     sid    = "ApiGetSiriusS3Bucket"
     effect = "Allow"

diff --git a/terraform/environment/region/ecs_iam_execution.tf b/terraform/environment/region/ecs_iam_execution.tf
@@ -125,6 +125,17 @@ data "aws_iam_policy_document" "execution_role_secrets" {
     ]
     actions = ["secretsmanager:GetSecretValue"]
   }
+
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
 }
 
 data "aws_iam_policy_document" "execution_role_secrets_db" {
@@ -139,4 +150,15 @@ data "aws_iam_policy_document" "execution_role_secrets_db" {
     ]
     actions = ["secretsmanager:GetSecretValue"]
   }
+
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
 }
diff --git a/terraform/environment/region/ecs_iam_front.tf b/terraform/environment/region/ecs_iam_front.tf
@@ -57,16 +57,16 @@ data "aws_iam_policy_document" "front_query_secretsmanager" {
     ]
   }
 
-  #  statement {
-  #    sid    = "DecryptSecretKMS"
-  #    effect = "Allow"
-  #    actions = [
-  #      "kms:Decrypt"
-  #    ]
-  #    resources = [
-  #      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
-  #    ]
-  #  }
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
 }
 
 resource "aws_iam_role_policy" "front_get_log_events" {

diff --git a/terraform/environment/region/ecs_task_resilience_tests.tf b/terraform/environment/region/ecs_task_resilience_tests.tf
@@ -30,6 +30,17 @@ data "aws_iam_policy_document" "resilience_tests" {
     ]
   }
 
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
+
   statement {
     sid    = "AllowFISRunExperiments"
     effect = "Allow"

diff --git a/terraform/environment/region/ecs_task_smoke_tests.tf b/terraform/environment/region/ecs_task_smoke_tests.tf
@@ -15,6 +15,17 @@ data "aws_iam_policy_document" "smoke_tests" {
       data.aws_secretsmanager_secret.smoke_tests_variables.arn
     ]
   }
+
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
 }
 
 resource "aws_iam_role_policy" "smoke_tests" {

diff --git a/terraform/environment/region/lambda_custom_sql_query.tf b/terraform/environment/region/lambda_custom_sql_query.tf
@@ -26,6 +26,7 @@ module "lamdba_custom_sql_query" {
   vpc_id                = data.aws_vpc.vpc.id
   secrets               = []
   logs_kms_key_arn      = data.aws_kms_alias.cloudwatch_application_logs_encryption.arn
+  secrets_kms_key_arn   = data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
 }
 
 resource "aws_security_group_rule" "lambda_custom_sql_query_to_front" {
@@ -72,4 +73,15 @@ data "aws_iam_policy_document" "custom_sql_query_secretsmanager" {
       data.aws_secretsmanager_secret.custom_sql_db_password.arn
     ]
   }
+
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_alias.cloudwatch_application_secret_encryption.target_key_arn
+    ]
+  }
 }
diff --git a/terraform/environment/region/modules/lambda/iam.tf b/terraform/environment/region/modules/lambda/iam.tf
@@ -74,6 +74,17 @@ data "aws_iam_policy_document" "lambda" {
       ]
     }
   }
+
+  statement {
+    sid    = "DecryptSecretKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      var.secrets_kms_key_arn
+    ]
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "vpc_access_execution_role" {

diff --git a/terraform/environment/region/modules/lambda/variables.tf b/terraform/environment/region/modules/lambda/variables.tf
@@ -94,3 +94,8 @@ variable "logs_kms_key_arn" {
   description = "User managed KMS key for log encryption"
   type        = string
 }
+
+variable "secrets_kms_key_arn" {
+  description = "User managed KMS key for secrets encryption"
+  type        = string
+}
diff --git a/terraform/environment/region/secrets.tf b/terraform/environment/region/secrets.tf
@@ -59,6 +59,6 @@ data "aws_secretsmanager_secret" "anonymise-default-pw" {
 }
 
 ##### Shared Application KMS key for logs #####
-#data "aws_kms_alias" "cloudwatch_application_secret_encryption" {
-#  name = "alias/digideps_secret_encryption_key"
-#}
+data "aws_kms_alias" "cloudwatch_application_secret_encryption" {
+  name = "alias/digideps_secret_encryption_key"
+}