DSOS-2406: allow different policy per secret (#4173)

ministryofjustice · Nov 28, 2023 · 9785556 · 9785556
1 parent 3c3c8dd
commit 9785556
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 11 deletions.
diff --git a/terraform/environments/hmpps-oem/locals_oem.tf b/terraform/environments/hmpps-oem/locals_oem.tf
@@ -38,12 +38,18 @@ locals {
     resources = ["*"]
   }
   oem_secretsmanager_secrets = {
-    policy = [
-      local.oem_secret_policy_read,
-      local.oem_secret_policy_write,
-    ]
     secrets = {
-      passwords = {}
+      passwords = {
+        description = "passwords only accessible by OEM EC2"
+        # policy = []  # TODO" comment in once secrets have been updated
+      }
+      shared-passwords = {
+        description = "passwords shared with other accounts"
+        policy = [
+          local.oem_secret_policy_read,
+          local.oem_secret_policy_write,
+        ]
+      }
     }
   }
 

diff --git a/terraform/modules/baseline/secretsmanager.tf b/terraform/modules/baseline/secretsmanager.tf
@@ -6,14 +6,39 @@
 # any secret value
 
 locals {
+
+  # Policies can be defined at top-level, e.g. same for all secrets,
+  # or specific to an individual secret. This code pulls out all these
+  # policies into a single map.
+  secretsmanager_secret_policies_top_level_list = [
+    for sm_key, sm_value in var.secretsmanager_secrets : {
+      key   = sm_key
+      value = sm_value.policy
+    } if sm_value.policy != null
+  ]
+  secretsmanager_secret_policies_secret_level_list = flatten([
+    for sm_key, sm_value in var.secretsmanager_secrets : [
+      for secret_name, secret_value in sm_value.secrets : {
+        key   = "${sm_key}/${secret_name}"
+        value = secret_value.policy
+      } if secret_value.policy != null
+    ]
+  ])
+  secretsmanager_secret_policies = {
+    for item in concat(
+      local.secretsmanager_secret_policies_top_level_list,
+      local.secretsmanager_secret_policies_secret_level_list
+    ) : item.key => item.value
+  }
+
   secretsmanager_secrets_list = flatten([
     for sm_key, sm_value in var.secretsmanager_secrets : [
       for secret_name, secret_value in sm_value.secrets : {
         key = "${sm_value.prefix}${sm_key}${sm_value.postfix}${secret_name}"
         value = merge(
           {
-            policy_key              = sm_key,
-            policy                  = sm_value.policy,
+            policy_key              = secret_value.policy != null ? "${sm_key}/${secret_name}" : sm_key
+            policy                  = secret_value.policy != null ? secret_value.policy : sm_value.policy
             recovery_window_in_days = sm_value.recovery_window_in_days
           },
           secret_value,
@@ -64,12 +89,10 @@ resource "random_password" "secrets" {
 }
 
 data "aws_iam_policy_document" "secretsmanager_secret_policy" {
-  for_each = {
-    for key, value in var.secretsmanager_secrets : key => value if value.policy != null
-  }
+  for_each = local.secretsmanager_secret_policies
 
   dynamic "statement" {
-    for_each = each.value.policy
+    for_each = each.value
     content {
       effect    = statement.value.effect
       actions   = statement.value.actions

diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf
@@ -883,6 +883,20 @@ variable "secretsmanager_secrets" {
       description = optional(string)
       file        = optional(string)
       kms_key_id  = optional(string)
+      policy = optional(list(object({
+        effect    = string
+        actions   = list(string)
+        resources = list(string)
+        principals = optional(object({
+          type        = string
+          identifiers = list(string)
+        }))
+        conditions = optional(list(object({
+          test     = string
+          variable = string
+          values   = list(string)
+        })), [])
+      })))
       random = optional(object({
         length  = number
         special = optional(bool)