Merge pull request #8576 from ministryofjustice/Update_061124_2

Update_061124_2
ministryofjustice · Nov 6, 2024 · d19f5b2 · d19f5b2
2 parents 16ae5f2 + 846cb58
commit d19f5b2
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 42 deletions.
diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf
@@ -159,7 +159,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda" {
        "logs:PutLogEvents"
      ],
      "Resource": [
-         "arn:aws:logs::${local.environment_management.account_ids["ppud-production"]}:*"
+         "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
      ]
     },
    {
@@ -169,7 +169,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda" {
         "ec2:Stop*"
       ],
       "Resource": [
-          "arn:aws:ec2::${local.environment_management.account_ids["ppud-production"]}:*"
+          "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
       ]
    },
    {
@@ -184,7 +184,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda" {
       "sqs:SendMessage"
       ],
     "Resource": [
-     "arn:aws:sqs::${local.environment_management.account_ids["ppud-production"]}:*"
+     "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
     ]
    }]
  })
@@ -237,7 +237,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" {
        "logs:PutLogEvents"
      ],
      "Resource": [
-         "arn:aws:logs::${local.environment_management.account_ids["ppud-production"]}:*"
+         "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
      ]
     },
    {
@@ -247,7 +247,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" {
         "cloudwatch:EnableAlarmActions"
       ],
       "Resource": [
-      "arn:aws:cloudwatch::${local.environment_management.account_ids["ppud-production"]}:alarm:*"
+      "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:alarm:*"
       ]
    },
    {
@@ -262,7 +262,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" {
       "sqs:SendMessage"
       ],
     "Resource": [
-     "arn:aws:sqs::${local.environment_management.account_ids["ppud-production"]}:*"
+     "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
     ]
    }]
  })
@@ -319,7 +319,9 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_dev" {
     {
         "Effect": "Allow",
         "Action": [ 
-           "ec2:DescribeInstances"
+           "ec2:DescribeInstances",
+           "ssm:SendCommand",
+				   "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
            "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
@@ -400,26 +402,31 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_uat" {
           "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-          "arn:aws:ssm::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+          "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*",
+          "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript"
         ] 
     },
     {
         "Effect": "Allow",
         "Action": [ 
-           "ec2:DescribeInstances"
+           "ec2:DescribeInstances",
+           "ssm:SendCommand",
+				   "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-           "arn:aws:ec2::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+           "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
         ] 
     },
     {
         "Effect": "Allow",
         "Action": [ 
            "lambda:InvokeAsync",
-           "lambda:InvokeFunction"
+           "lambda:InvokeFunction",
+           "ssm:SendCommand",
+				   "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-           "arn:aws:lambda::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+           "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
         ] 
     },
     {
@@ -434,7 +441,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_uat" {
            "sqs:SendMessage"
         ],
         "Resource": [  
-           "arn:aws:sqs::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+           "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
         ] 
     }]
   })
@@ -484,26 +491,31 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_prod"
           "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-          "arn:aws:ssm::${local.environment_management.account_ids["ppud-production"]}:*"
+          "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*",
+          "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript"
         ] 
     },
     {
         "Effect": "Allow",
         "Action": [ 
-           "ec2:DescribeInstances"
+           "ec2:DescribeInstances",
+           "ssm:SendCommand",
+           "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-           "arn:aws:ec2::${local.environment_management.account_ids["ppud-production"]}:*"
+           "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
         ] 
     },
     {
         "Effect": "Allow",
         "Action": [ 
            "lambda:InvokeAsync",
-           "lambda:InvokeFunction"
+           "lambda:InvokeFunction",
+           "ssm:SendCommand",
+           "ssm:GetCommandInvocation"
         ],
         "Resource": [ 
-           "arn:aws:lambda::${local.environment_management.account_ids["ppud-production"]}:*"
+           "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
         ] 
     },
     {
@@ -518,7 +530,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_prod"
            "sqs:SendMessage"
         ],
         "Resource": [  
-           "arn:aws:sqs::${local.environment_management.account_ids["ppud-production"]}:*"
+           "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
         ] 
     }]
   })
@@ -566,7 +578,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" {
             "Sid":"LambdaCertificateExpiryPolicy1",
             "Effect": "Allow",
             "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs::${local.environment_management.account_ids["ppud-development"]}:*"
+            "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy2",
@@ -576,7 +588,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" {
                 "logs:PutLogEvents"
             ],
             "Resource": [
-                "arn:aws:logs::${local.environment_management.account_ids["ppud-development"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
+                "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
             ]
         },
         {
@@ -589,23 +601,23 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" {
                 "acm:ListTagsForCertificate"
             ],
             "Resource": [
-                "arn:aws:acm::${local.environment_management.account_ids["ppud-development"]}:certificate/*"
+                "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:certificate/*"
             ]
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy4",
             "Effect": "Allow",
             "Action": "SNS:Publish",
             "Resource": [
-                "arn:aws:sns::${local.environment_management.account_ids["ppud-development"]}:*"
+                "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
             ]
         },
                {
             "Sid": "LambdaCertificateExpiryPolicy5",
             "Effect": "Allow",
             "Action": "cloudwatch:ListMetrics",
             "Resource": [
-                "arn:aws:cloudwatch::${local.environment_management.account_ids["ppud-development"]}:*"
+                "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
             ]
         },
                {
@@ -621,7 +633,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" {
                 "sqs:SendMessage"
               ],
             "Resource": [
-                "arn:aws:sqs::${local.environment_management.account_ids["ppud-development"]}:*"
+                "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
             ]
         }]
 })
@@ -669,7 +681,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" {
             "Sid":"LambdaCertificateExpiryPolicy1",
             "Effect": "Allow",
             "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+            "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy2",
@@ -679,7 +691,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" {
                 "logs:PutLogEvents"
             ],
             "Resource": [
-                "arn:aws:logs::${local.environment_management.account_ids["ppud-preproduction"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
+                "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
             ]
         },
         {
@@ -692,23 +704,23 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" {
                 "acm:ListTagsForCertificate"
             ],
             "Resource": [
-                 "arn:aws:acm::${local.environment_management.account_ids["ppud-preproduction"]}:certificate/*"
+                 "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:certificate/*"
             ]
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy4",
             "Effect": "Allow",
             "Action": "SNS:Publish",
             "Resource": [
-                "arn:aws:sns::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+                "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
             ]
         },
                {
             "Sid": "LambdaCertificateExpiryPolicy5",
             "Effect": "Allow",
             "Action": "cloudwatch:ListMetrics",
             "Resource": [
-                "arn:aws:cloudwatch::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+                "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
             ]
         },
            {
@@ -724,7 +736,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" {
                 "sqs:SendMessage"
               ],
             "Resource": [
-            "arn:aws:sqs::${local.environment_management.account_ids["ppud-preproduction"]}:*"
+            "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*"
             ]
         }]
 })
@@ -773,7 +785,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" {
             "Sid":"LambdaCertificateExpiryPolicy1",
             "Effect": "Allow",
             "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs::${local.environment_management.account_ids["ppud-production"]}:*"
+            "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy2",
@@ -783,7 +795,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" {
                 "logs:PutLogEvents"
             ],
             "Resource": [
-                "arn:aws:logs::${local.environment_management.account_ids["ppud-production"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
+                "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:log-group:/aws/lambda/handle-expiring-certificates:*"
             ]
         },
         {
@@ -796,23 +808,23 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" {
                 "acm:ListTagsForCertificate"
             ],
             "Resource": [
-                 "arn:aws:acm::${local.environment_management.account_ids["ppud-production"]}:certificate/*"
+                 "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:certificate/*"
             ]
         },
         {
             "Sid":"LambdaCertificateExpiryPolicy4",
             "Effect": "Allow",
             "Action": "SNS:Publish",
             "Resource": [
-                "arn:aws:sns::${local.environment_management.account_ids["ppud-production"]}:*"
+                "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
             ]
         },
                {
             "Sid": "LambdaCertificateExpiryPolicy5",
             "Effect": "Allow",
             "Action": "cloudwatch:ListMetrics",
             "Resource": [
-                "arn:aws:cloudwatch::${local.environment_management.account_ids["ppud-production"]}:*"
+                "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*"
             ]
         },
            {
@@ -828,7 +840,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" {
                 "sqs:SendMessage"
               ],
             "Resource": [
-            "arn:aws:sqs::${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production"
+            "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production"
             ]
         }
     ]
@@ -974,7 +986,7 @@ resource "aws_iam_policy" "aws_signer_policy_prod" {
           "lambda:PutFunctionCodeSigningConfig",
           "lambda:InvokeFunction"
         ],
-        Resource = "arn:aws:lambda::${local.environment_management.account_ids["ppud-production"]}:function:*" # Grant access to all Lambda functions in the account
+        Resource = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:function:*" # Grant access to all Lambda functions in the account
       },
       {
         Effect = "Allow",
@@ -1035,7 +1047,7 @@ resource "aws_iam_policy" "aws_signer_policy_uat" {
           "lambda:PutFunctionCodeSigningConfig",
           "lambda:InvokeFunction"
         ],
-        Resource = "arn:aws:lambda::${local.environment_management.account_ids["ppud-preproduction"]}:function:*" # Grant access to all Lambda functions in the account
+        Resource = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:function:*" # Grant access to all Lambda functions in the account
       },
       {
         Effect = "Allow",
@@ -1096,7 +1108,7 @@ resource "aws_iam_policy" "aws_signer_policy_dev" {
           "lambda:PutFunctionCodeSigningConfig",
           "lambda:InvokeFunction"
         ],
-        Resource = "arn:aws:lambda::${local.environment_management.account_ids["ppud-development"]}:function:*" # Grant access to all Lambda functions in the account
+        Resource = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:function:*" # Grant access to all Lambda functions in the account
       },
       {
         Effect = "Allow",

diff --git a/terraform/environments/ppud/lambda.tf b/terraform/environments/ppud/lambda.tf
@@ -254,7 +254,7 @@ resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev"
   timeout                        = 300
   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
   reserved_concurrent_executions = 5
-  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
+  code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
   dead_letter_config {
     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
   }
@@ -380,7 +380,7 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev"
   timeout                        = 300
   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
   reserved_concurrent_executions = 5
-  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
+  code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
   dead_letter_config {
     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
   }