DSOS-2123: add oem secretmanager secrets

terraform/environments/hmpps-oem/locals.tf

@@ -19,6 +19,7 @@ locals {
     enable_ec2_self_provision                    = true
     enable_oracle_secure_web                     = true
     enable_ec2_put_parameter                     = true
+    enable_ec2_put_secret                        = true
     enable_shared_s3                             = true # adds permissions to ec2s to interact with devtest or prodpreprod buckets
     db_backup_s3                                 = true # adds db backup buckets
     enable_oracle_secure_web                     = true # allows db to list all buckets
@@ -54,7 +55,10 @@ locals {
     }
   }
 
-  baseline_secretsmanager_secrets = {}
+  baseline_secretsmanager_secrets = {
+    "/oracle/oem"            = local.oem_secretsmanager_secrets
+    "/oracle/database/EMREP" = local.oem_secretsmanager_secrets
+  }
 
   baseline_security_groups = {
     data-oem = local.security_groups.data_oem

terraform/environments/hmpps-oem/locals_oem.tf

@@ -25,6 +25,54 @@ locals {
     }
   }
 
+  oem_secret_policy_write = {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:DeleteResourcePolicy",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:PutResourcePolicy",
+      "secretsmanager:UpdateSecret",
+    ]
+    principals = {
+      type = "AWS"
+      identifiers = [
+        "hmpps-oem-${local.environment}",
+      ]
+    }
+    resources = [
+      "arn:aws:secretsmanager:*:*:secret:*"
+    ]
+  }
+  oem_secret_policy_read = {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    principals = {
+      type = "AWS"
+      identifiers = [
+        "corporate-staff-rostering-${local.environment}",
+        "hmpps-oem-${local.environment}",
+        "nomis-${local.environment}",
+        "nomis-combined-reporting-${local.environment}",
+        "oasys-${local.environment}",
+      ]
+    }
+    resources = [
+      "arn:aws:secretsmanager:*:*:secret:*"
+    ]
+  }
+  oem_secretsmanager_secrets = {
+    policy = [
+      local.oem_secret_policy_read,
+      local.oem_secret_policy_write,
+    ]
+    secrets = {
+      passwords = {}
+    }
+  }
+
   oem_ec2_default = {
 
     autoscaling_group = module.baseline_presets.ec2_autoscaling_group.default

terraform/environments/hmpps-oem/locals_test.tf

@@ -24,7 +24,7 @@ locals {
           })
         })
         tags = merge(local.oem_ec2_default.tags, {
-            oracle-sids = "EMREP TRCVCAT"
+          oracle-sids = "EMREP TRCVCAT"
         })
       })
     }

terraform/environments/nomis/locals.tf

@@ -18,7 +18,8 @@ locals {
     enable_ec2_cloud_watch_agent                 = true
     enable_ec2_self_provision                    = true
     enable_oracle_secure_web                     = true
-    enable_ec2_put_parameter                     = false
+    enable_ec2_get_parameter                     = false
+    enable_ec2_get_secret                        = false
     cloudwatch_metric_alarms_default_actions     = ["dso_pagerduty"]
     route53_resolver_rules = {
       outbound-data-and-private-subnets = ["azure-fixngo-domain"]

terraform/modules/baseline/iam_policies.tf

@@ -45,4 +45,8 @@ resource "aws_iam_policy" "this" {
   tags = merge(local.tags, {
     Name = each.key
   })
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }

terraform/modules/baseline/secretsmanager.tf

@@ -70,7 +70,7 @@ data "aws_iam_policy_document" "secretsmanager_secret_policy" {
     content {
       effect    = statement.value.effect
       actions   = statement.value.actions
-      resources = ["*"]
+      resources = statement.value.resources
       dynamic "principals" {
         for_each = statement.value.principals != null ? [statement.value.principals] : []
         content {

terraform/modules/baseline/variables.tf

@@ -822,8 +822,9 @@ variable "secretsmanager_secrets" {
     postfix    = optional(string, "/")
     kms_key_id = optional(string, "general")
     policy = optional(list(object({
-      effect  = string
-      actions = list(string)
+      effect    = string
+      actions   = list(string)
+      resources = list(string)
       principals = optional(object({
         type        = string
         identifiers = list(string)

terraform/modules/baseline_presets/iam_policies.tf

@@ -6,7 +6,10 @@ locals {
     var.options.enable_ec2_cloud_watch_agent ? ["CloudWatchAgentServerReducedPolicy"] : [],
     var.options.enable_ec2_self_provision ? ["Ec2SelfProvisionPolicy"] : [],
     var.options.enable_shared_s3 ? ["Ec2AccessSharedS3Policy"] : [],
+    var.options.enable_ec2_get_parameter ? ["Ec2GetParameterPolicy"] : [],
+    var.options.enable_ec2_get_secret ? ["Ec2GetSecretPolicy"] : [],
     var.options.enable_ec2_put_parameter ? ["Ec2PutParameterPolicy"] : [],
+    var.options.enable_ec2_put_secret ? ["Ec2PutSecretPolicy"] : [],
     var.options.enable_oracle_secure_web ? ["S3ListAllBucketsAndGetLocationPolicy"] : [],
     var.options.iam_policies_filter,
   ])
@@ -16,7 +19,10 @@ locals {
     var.options.enable_ec2_cloud_watch_agent ? ["CloudWatchAgentServerReducedPolicy"] : [],
     var.options.enable_ec2_self_provision ? ["Ec2SelfProvisionPolicy"] : [],
     var.options.enable_shared_s3 ? ["Ec2AccessSharedS3Policy"] : [],
+    var.options.enable_ec2_get_parameter ? ["Ec2GetParameterPolicy"] : [],
+    var.options.enable_ec2_get_secret ? ["Ec2GetSecretPolicy"] : [],
     var.options.enable_ec2_put_parameter ? ["Ec2PutParameterPolicy"] : [],
+    var.options.enable_ec2_put_secret ? ["Ec2PutSecretPolicy"] : [],
     var.options.enable_oracle_secure_web ? ["S3ListAllBucketsAndGetLocationPolicy"] : [],
     var.options.iam_policies_ec2_default,
   ])
@@ -144,15 +150,56 @@ locals {
         ])
       }]
     }
+    Ec2GetParameterPolicy = {
+      # Not required if AmazonSSMManagedInstanceCore is being used
+      description = "Permissions to allow EC2 to get SSM parameter(s)"
+      statements = [{
+        effect = "Allow"
+        actions = [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+        ]
+        resources = [
+          "arn:aws:ssm:*:*:parameter:/*",
+          "arn:aws:ssm:*:*:parameter:cloud-watch-config-windows",
+          "arn:aws:ssm:*:*:parameter:modernisation_platform_account_id",
+        ]
+      }]
+    }
+    Ec2GetSecretPolicy = {
+      # This doesn't seem to be required.  EC2s can access secrets without
+      description = "Permissions to allow EC2 to get SecretManager Secrets"
+      statements = [{
+        effect = "Allow"
+        actions = [
+          "secretsmanager:GetSecret",
+        ]
+        resources = ["arn:aws:secretsmanager:*:*:secret:/*"]
+      }]
+    }
     Ec2PutParameterPolicy = {
       description = "Permissions to allow EC2 to put parameter(s) for retrieval"
       statements = [{
         effect = "Allow"
         actions = [
           "ssm:PutParameter",
-          "ssm:PutParameters"
+          "ssm:PutParameters",
+        ]
+        resources = ["arn:aws:ssm:*:*:parameter:/*"]
+      }]
+    }
+    Ec2PutSecretPolicy = {
+      description = "Permissions to allow EC2 to put SecretManager Secrets"
+      statements = [{
+        effect = "Allow"
+        actions = [
+          "secretsmanager:DeleteResourcePolicy",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:GetResourcePolicy",
+          "secretsmanager:PutResourcePolicy",
+          "secretsmanager:UpdateSecret",
         ]
-        resources = ["arn:aws:ssm:*:*:parameter/*"]
+        resources = ["arn:aws:secretsmanager:*:*:secret:/*"]
       }]
     }
 

terraform/modules/baseline_presets/variables.tf

@@ -19,7 +19,10 @@ variable "options" {
     enable_image_builder                         = optional(bool, false)
     enable_ec2_cloud_watch_agent                 = optional(bool, false)
     enable_ec2_self_provision                    = optional(bool, false)
+    enable_ec2_get_parameter                     = optional(bool, false)
+    enable_ec2_get_secret                        = optional(bool, false)
     enable_ec2_put_parameter                     = optional(bool, false)
+    enable_ec2_put_secret                        = optional(bool, false)
     enable_shared_s3                             = optional(bool, false)
     enable_oracle_secure_web                     = optional(bool, false)
     db_backup_s3                                 = optional(bool, false)