diff --git a/terraform/github/aws.tf b/terraform/github/aws.tf
index 64cd8f4fa..ef478f2fb 100644
--- a/terraform/github/aws.tf
+++ b/terraform/github/aws.tf
@@ -8,18 +8,8 @@ data "aws_secretsmanager_secret_version" "environment_management" {
 secret_id = data.aws_secretsmanager_secret.environment_management.id
 }
 
-# This gets the AWS access keys for Testing CI/CD from AWS Secrets Manager to set as repository secrets.
-data "aws_secretsmanager_secret" "testing_ci_iam_user_keys" {
- provider = aws.testing-test
- name = "testing_ci_iam_user_keys"
-}
-
-data "aws_secretsmanager_secret_version" "testing_ci_iam_user_keys" {
- provider = aws.testing-test
- secret_id = data.aws_secretsmanager_secret.testing_ci_iam_user_keys.id
-}
 locals {
- testing_ci_iam_user_keys = jsondecode(data.aws_secretsmanager_secret_version.testing_ci_iam_user_keys.secret_string)
+ testing_ci_iam_user_keys = jsondecode(aws_secretsmanager_secret_version.testing_ci_iam_user_keys.secret_string)
 }
 
 # Get the slack webhook url
diff --git a/terraform/github/data.tf b/terraform/github/data.tf
index a3f187dc3..38fd710a4 100644
--- a/terraform/github/data.tf
+++ b/terraform/github/data.tf
@@ -1,4 +1,29 @@
 data "github_repositories" "modernisation-platform-repositories" {
 query = "org:ministryofjustice archived:false modernisation-platform"
 sort = "stars"
+}
+
+data "aws_caller_identity" "testing_test" {
+ provider = aws.testing-test
+
+}
+
+data "aws_caller_identity" "modernisation_platform" {
+
+}
+
+data "aws_kms_key" "s3_state_bucket" {
+ key_id = "alias/s3-state-bucket"
+}
+
+data "aws_kms_key" "dynamodb_state_lock" {
+ key_id = "alias/dynamodb-state-lock"
+}
+
+data "aws_kms_key" "environment_management" {
+ key_id = "alias/environment-management"
+}
+
+data "aws_kms_key" "pagerduty" {
+ key_id = "alias/pagerduty-secret"
 }
\ No newline at end of file
diff --git a/terraform/github/locals.tf b/terraform/github/locals.tf
index 4111823aa..c7df470f5 100644
--- a/terraform/github/locals.tf
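Review bot: The `locals` block now decodes `aws_secretsmanager_secret_version.testing_ci_iam_user_keys.secret_string` from a resource defined in another file of this root module, but the comment that said what the value is for (the removed "This gets the AWS access keys for Testing CI/CD ... to set as repository secrets") went away with the data sources, so the local is now undocumented. Add above it: `# Access keys for the testing CI user (created in testing-ci.tf), decoded here so they can be set as repository secrets.` It is also worth recording that, because this is now a resource reference rather than a data lookup, the local changes in the same apply that replaces `aws_iam_access_key.testing_ci`, which appears to be the reason for the change.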
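Review bot: `data "aws_caller_identity" "testing_test"` and `"modernisation_platform"` carry stray blank lines inside their bodies, and the file now ends without a trailing newline (`\ No newline at end of file`; the same happens in locals.tf, where the new `tags` local is also preceded by two empty lines), so a `terraform fmt -check` step would reject this. None of the four `aws_kms_key` lookups (`s3_state_bucket`, `dynamodb_state_lock`, `environment_management`, `pagerduty`) is referenced anywhere in this diff; if they are consumed by files outside it, a one-line comment naming the consumer would help, otherwise they are dead lookups that still need `kms:DescribeKey` on every plan.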
+++ b/terraform/github/locals.tf
@@ -68,4 +68,7 @@ locals {
 modernisation_platform_repositories = [
 for s in data.github_repositories.modernisation-platform-repositories.names : s if startswith(s, "modernisation-platform-")
 ]
-}
+
+
+ tags = { "source-code" = "https://github.com/ministryofjustice/modernisation-platform" }
+}
\ No newline at end of file
diff --git a/terraform/github/providers.tf b/terraform/github/providers.tf
index f55347b62..6598c025e 100644
--- a/terraform/github/providers.tf
+++ b/terraform/github/providers.tf
@@ -11,6 +11,6 @@ provider "aws" {
 region = "eu-west-2"
 alias = "testing-test"
 assume_role {
- role_arn = "arn:aws:iam::${local.environment_management.account_ids["testing-test"]}:role/MemberInfrastructureAccess"
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids["testing-test"]}:role/ModernisationPlatformAccess"
 }
 }
diff --git a/terraform/environments/testing/iam.tf b/terraform/github/testing-ci.tf
similarity index 85%
rename from terraform/environments/testing/iam.tf
rename to terraform/github/testing-ci.tf
index ce3633488..f30ae4d1b 100644
--- a/terraform/environments/testing/iam.tf
+++ b/terraform/github/testing-ci.tf
@@ -2,8 +2,9 @@
 # Create a testing CI user
 #tfsec:ignore:aws-iam-no-user-attached-policies
 resource "aws_iam_user" "testing_ci" {
- name = "testing-ci"
- tags = local.tags
+ provider = aws.testing-test
+ name = "testing-ci"
+ tags = local.tags
 }
 
 # Add policy directly to the testing user
@@ -76,6 +77,7 @@ data "aws_iam_policy_document" "testing_ci_policy" {
 }
 
 resource "aws_iam_policy" "testing_ci_policy" {
+ provider = aws.testing-test
 name = "TestingCiActions"
 description = "Allowed actions for the testing_ci user"
 policy = data.aws_iam_policy_document.testing_ci_policy.json
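Review bot: The `testing-test` provider now assumes `ModernisationPlatformAccess` instead of `MemberInfrastructureAccess`, and that broader role is used for every resource in this root module that selects `aws.testing-test`, not only the IAM user and key resources moved in from the testing environment. Presumably the change is needed because `MemberInfrastructureAccess` cannot create IAM users, policies or access keys; if so, record that next to the `assume_role` block, e.g. `# ModernisationPlatformAccess is needed to manage the testing-ci IAM user and its access keys (testing-ci.tf)`, so the wider role is not kept by accident if those resources move again.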
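Review bot: The user keeps the fixed `name = "testing-ci"` while its definition moves from the testing environment's state into this root module under `aws.testing-test`; IAM user names are unique per account, so if the old environment still holds the user when this is applied (assuming it targeted the same testing-test account), creation fails with EntityAlreadyExists, and the same collision applies to the `aws_secretsmanager_secret` named `testing_ci_iam_user_keys` (whose name stays reserved during its recovery window) and to `alias/testing-ci-user-access-key` later in the file. The diff shows no state migration, so the apply order needs to be stated: either destroy the old resources in the testing environment first (the secret with forced deletion) or move the state entries into this module, and note which in the PR description. `tags = local.tags` now resolves to the one-entry `tags` map added in locals.tf rather than whatever the environment's locals supplied, which is worth checking against any tagging requirements on IAM resources.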
@@ -83,12 +85,14 @@ resource "aws_iam_policy" "testing_ci_policy" {
 
 resource "aws_iam_user_policy_attachment" "testing_ci_attach" {
 # checkov:skip=CKV_AWS_40: "policy is only used for this user"
+ provider = aws.testing-test
 user = aws_iam_user.testing_ci.name
 policy_arn = aws_iam_policy.testing_ci_policy.arn
 }
 
 resource "aws_iam_user_policy_attachment" "testing_ci_read_only" {
 # checkov:skip=CKV_AWS_40: "policy is only used for this user"
+ provider = aws.testing-test
 user = aws_iam_user.testing_ci.name
 policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
@@ -96,16 +100,35 @@ resource "aws_iam_user_policy_attachment" "testing_ci_read_only" { # Create access keys for the CI user # NOTE: These are extremely sensitive keys. Do not output these anywhere publicly accessible. resource "aws_iam_access_key" "testing_ci" { - user = aws_iam_user.testing_ci.name + provider = aws.testing-test + user = aws_iam_user.testing_ci.name # Setting the meta lifecycle argument allows us to periodically run `terraform taint aws_iam_access_key.ci`, and run # terraform apply to create new keys before these ones are destroyed. lifecycle { create_before_destroy = true + replace_triggered_by = [ + time_static.key_rotate_period + ] } } +# create a rotation period for the access keys + +resource "time_rotating" "key_rotate_period" { + rotation_minutes = 30 +} + +# When rotate period of time_rotate expires, it is removed from the state, and terraform treats it as a new resource. +# Deletion/creation doesn't trigger replace_triggered_by https://github.com/hashicorp/terraform-provider-time/issues/118 +# Thus a secondary dependent time_static resource is needed to actually trigger the recreation of the keys. + +resource "time_static" "key_rotate_period" { + rfc3339 = time_rotating.key_rotate_period.rfc3339 +} + resource "aws_secretsmanager_secret" "testing_ci_iam_user_keys" { + provider = aws.testing-test name = "testing_ci_iam_user_keys" policy = data.aws_iam_policy_document.testing_ci_iam_user_secrets_manager_policy.json kms_key_id = aws_kms_key.testing_ci_iam_user_kms_key.id @@ -114,6 +137,7 @@ resource "aws_secretsmanager_secret" "testing_ci_iam_user_keys" { } resource "aws_secretsmanager_secret_version" "testing_ci_iam_user_keys" { + provider = aws.testing-test secret_id = aws_secretsmanager_secret.testing_ci_iam_user_keys.id secret_string = jsonencode({ AWS_ACCESS_KEY_ID = aws_iam_access_key.testing_ci.id 
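Review bot: `rotation_minutes = 30` on `time_rotating.key_rotate_period` means every apply that runs more than 30 minutes after the last rotation replaces the CI user's access key, and with `create_before_destroy = true` the old key is deleted in the same run, so any workflow still holding the previous key from the repository secrets this module populates fails mid-run; if a regular rotation is intended rather than a smoke test of the mechanism, a period in days (`rotation_days`) with the reason stated in the comment is safer, e.g. `# Rotate the CI access key every <PERIOD>; the old key is revoked in the same apply, so jobs using it at that moment will fail.` The comment above `lifecycle` still tells the reader to run `terraform taint aws_iam_access_key.ci` by hand, which matches neither the resource name (`testing_ci`) nor the `replace_triggered_by` trigger added here; rewrite it to describe the `time_static` trigger instead. Both the `time_rotating` and the `time_static` resource are called `key_rotate_period`, which makes the chain hard to read, and the `# create a rotation period for the access keys` comment is separated from its resource by a blank line.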
@@ -123,6 +147,7 @@ resource "aws_secretsmanager_secret_version" "testing_ci_iam_user_keys" {
 
 # KMS Source
 resource "aws_kms_key" "testing_ci_iam_user_kms_key" {
+ provider = aws.testing-test
 description = "testing-ci-user-access-key"
 policy = data.aws_iam_policy_document.testing_ci_iam_user_kms_key_policy.json
 enable_key_rotation = true
@@ -130,6 +155,7 @@ resource "aws_kms_key" "testing_ci_iam_user_kms_key" {
 }
 
 resource "aws_kms_alias" "testing_ci_iam_user_kms_key" {
+ provider = aws.testing-test
 name = "alias/testing-ci-user-access-key"
 target_key_id = aws_kms_key.testing_ci_iam_user_kms_key.id
 }
@@ -151,7 +177,7 @@ data "aws_iam_policy_document" "testing_ci_iam_user_kms_key_policy" {
 principals {
 type = "AWS"
 identifiers = [
- data.aws_caller_identity.current.account_id
+ data.aws_caller_identity.testing_test.account_id
 ]
 }
 }
@@ -190,7 +216,7 @@ data "aws_iam_policy_document" "testing_ci_iam_user_secrets_manager_policy" {
 principals {
 type = "AWS"
 identifiers = [
- data.aws_caller_identity.current.account_id
+ data.aws_caller_identity.testing_test.account_id
 ]
 }
 }
@@ -211,3 +237,4 @@ data "aws_iam_policy_document" "testing_ci_iam_user_secrets_manager_policy" {
 }
 }
 }
+
diff --git a/terraform/github/versions.tf b/terraform/github/versions.tf
index 59159c0e0..15fb23240 100644
--- a/terraform/github/versions.tf
+++ b/terraform/github/versions.tf
@@ -9,5 +9,9 @@ terraform {
 version = "~> 5.2"
 source = "integrations/github"
 }
+ time = {
+ version = "~> 0.9"
+ source = "hashicorp/time"
+ }
 }
 }
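Review bot: The new `hashicorp/time` constraint `~> 0.9` (any 0.x release from 0.9 upward) is not accompanied by a dependency lock file change in this diff; if this root module commits a `.terraform.lock.hcl`, it needs the `hashicorp/time` entry with its hashes so CI installs the same verified provider build each run instead of whatever `terraform init` resolves at the time. Without that entry a fresh checkout or an `init -upgrade` can silently move to a newer 0.x version.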