UML-3808: allow api ecs access to secretsmanager

terraform/account/locals.tf

@@ -14,6 +14,7 @@ locals {
 
   optional_tags = {
     infrastructure-support = "OPG Webops: [email protected]"
+    account-name           = local.account_name
   }
 
   default_tags = merge(local.mandatory_moj_tags, local.optional_tags)

terraform/account/region.tf

@@ -8,6 +8,7 @@ module "eu_west_1" {
   environment_name         = local.environment
   lambda_container_version = var.lambda_container_version
   vpc_flow_logs_iam_role   = aws_iam_role.vpc_flow_logs
+  region                   = "eu-west-1"
 
   depends_on = [
     module.cloudwatch_mrk,
@@ -35,6 +36,7 @@ module "eu_west_2" {
   environment_name         = local.environment
   lambda_container_version = var.lambda_container_version
   vpc_flow_logs_iam_role   = aws_iam_role.vpc_flow_logs
+  region                   = "eu-west-2"
 
   depends_on = [
     module.cloudwatch_mrk,

terraform/account/region/s3_lb_access_logs.tf

@@ -163,14 +163,14 @@ resource "aws_s3_bucket_public_access_block" "access_log" {
 # Old version of the access log bucket. The new version is suffixed with the region name. We're keeping this around for a while to ensure we don't lose any logs.
 # TODO: Remove all of these resources after 400 days (the retention period for the logs)
 resource "aws_s3_bucket" "old_access_log" {
-  count  = data.aws_region.current.name == "eu-west-1" ? 1 : 0
+  count  = var.region == "eu-west-1" ? 1 : 0
   bucket = "opg-ual-${var.environment_name}-lb-access-logs"
 
   provider = aws.region
 }
 
 resource "aws_s3_bucket_public_access_block" "old_access_log" {
-  count = data.aws_region.current.name == "eu-west-1" ? 1 : 0
+  count = var.region == "eu-west-1" ? 1 : 0
 
   bucket                  = aws_s3_bucket.old_access_log[0].id
   block_public_acls       = true
@@ -182,7 +182,7 @@ resource "aws_s3_bucket_public_access_block" "old_access_log" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "old_access_log" {
-  count = data.aws_region.current.name == "eu-west-1" ? 1 : 0
+  count = var.region == "eu-west-1" ? 1 : 0
 
   bucket = aws_s3_bucket.old_access_log[0].id
 
@@ -194,7 +194,7 @@ resource "aws_s3_bucket_ownership_controls" "old_access_log" {
 }
 
 resource "aws_s3_bucket_acl" "old_access_log" {
-  count = data.aws_region.current.name == "eu-west-1" ? 1 : 0
+  count = var.region == "eu-west-1" ? 1 : 0
 
   bucket = aws_s3_bucket.old_access_log[0].id
   acl    = "private"

terraform/account/region/variables.tf

@@ -27,6 +27,11 @@ variable "account" {
   })
 }
 
+variable "region" {
+  description = "The region"
+  type        = string
+}
+
 variable "account_name" {
   description = "The account name"
   type        = string

terraform/account/region/vpc_flowlogs.tf

@@ -18,7 +18,7 @@ resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
 # Kept around to avoid losing logs after switching to region-specific flow logs group.
 # This can be deleted 400 days after the creation of aws_cloudwatch_log_group.vpc_flow_logs.
 resource "aws_cloudwatch_log_group" "old_vpc_flow_logs" {
-  count             = data.aws_region.current.name == "eu-west-1" ? 1 : 0
+  count             = var.region == "eu-west-1" ? 1 : 0
   name              = "vpc_flow_logs"
   retention_in_days = 400
   kms_key_id        = data.aws_kms_alias.cloudwatch_mrk.arn

terraform/environment/locals.tf

@@ -14,6 +14,7 @@ locals {
 
   optional_tags = {
     infrastructure-support = "OPG Webops: [email protected]"
+    account-name           = local.environment.account_name
   }
 
   mock_onelogin_version = "latest"

terraform/environment/region/api_ecs.tf

@@ -281,6 +281,34 @@ data "aws_iam_policy_document" "api_permissions_role" {
     ]
   }
 
+  statement {
+    sid    = "${local.policy_region_prefix}LpaStoreKmsAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      data.aws_kms_alias.jwt_key.target_key_arn,
+    ]
+  }
+
+  statement {
+    sid    = "${local.policy_region_prefix}LpaStoreSecretAccess"
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+    ]
+
+    resources = [
+      data.aws_secretsmanager_secret.lpa_store_jwt_key.arn,
+    ]
+  }
+
   statement {
     sid    = "${local.policy_region_prefix}KMSAccess"
     effect = "Allow"
@@ -475,6 +503,10 @@ locals {
         {
           name      = "ONE_LOGIN_CLIENT_ID"
           valueFrom = data.aws_secretsmanager_secret.gov_uk_onelogin_client_id.arn
+        },
+        {
+          name      = "LPA_STORE_JWT_SECRET",
+          valueFrom = data.aws_secretsmanager_secret.lpa_store_jwt_key.arn
         }
       ],
       environment = [
@@ -561,7 +593,7 @@ locals {
         {
           name  = "ENVIRONMENT_NAME",
           value = var.environment_name
-        },
+        }
       ]
   })
 }

terraform/environment/region/data_sources.tf

@@ -144,6 +144,16 @@ data "aws_secretsmanager_secret" "lpa_data_store_secret" {
   provider = aws.region
 }
 
+data "aws_kms_alias" "jwt_key" {
+  name     = "alias/opg-data-lpa-store/${data.aws_default_tags.current.tags.account-name}/jwt-key"
+  provider = aws.management
+}
+
+data "aws_secretsmanager_secret" "lpa_store_jwt_key" {
+  name     = "opg-data-lpa-store/${data.aws_default_tags.current.tags.account-name}/jwt-key"
+  provider = aws.management
+}
+
 data "aws_ip_ranges" "route53_healthchecks" {
   services = ["route53_healthchecks"]
   regions  = ["GLOBAL"]