feature/PI-383-use_external_id Added external ID to all assume role processes

Rohoolio · Rohoolio · commit d366275db7a7 · 2025-03-07T10:16:00.000Z
diff --git a/infrastructure/terraform/per_account/dev/parameters/main.tf b/infrastructure/terraform/per_account/dev/parameters/main.tf
@@ -66,3 +66,7 @@ resource "aws_secretsmanager_secret" "apigee-app-client-info" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
diff --git a/infrastructure/terraform/per_account/dev/parameters/provider.tf b/infrastructure/terraform/per_account/dev/parameters/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/dev/parameters/vars.tf b/infrastructure/terraform/per_account/dev/parameters/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/infrastructure/terraform/per_account/dev/provider.tf b/infrastructure/terraform/per_account/dev/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/dev/vars.tf b/infrastructure/terraform/per_account/dev/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {
diff --git a/infrastructure/terraform/per_account/int/parameters/main.tf b/infrastructure/terraform/per_account/int/parameters/main.tf
@@ -61,3 +61,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/provider.tf b/infrastructure/terraform/per_account/int/parameters/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/int/parameters/vars.tf b/infrastructure/terraform/per_account/int/parameters/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/infrastructure/terraform/per_account/int/provider.tf b/infrastructure/terraform/per_account/int/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/int/vars.tf b/infrastructure/terraform/per_account/int/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {
diff --git a/infrastructure/terraform/per_account/prod/parameters/main.tf b/infrastructure/terraform/per_account/prod/parameters/main.tf
@@ -62,3 +62,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/provider.tf b/infrastructure/terraform/per_account/prod/parameters/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/prod/parameters/vars.tf b/infrastructure/terraform/per_account/prod/parameters/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/infrastructure/terraform/per_account/prod/provider.tf b/infrastructure/terraform/per_account/prod/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/prod/vars.tf b/infrastructure/terraform/per_account/prod/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {
diff --git a/infrastructure/terraform/per_account/qa/parameters/main.tf b/infrastructure/terraform/per_account/qa/parameters/main.tf
@@ -62,3 +62,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/provider.tf b/infrastructure/terraform/per_account/qa/parameters/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/qa/parameters/vars.tf b/infrastructure/terraform/per_account/qa/parameters/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/infrastructure/terraform/per_account/qa/provider.tf b/infrastructure/terraform/per_account/qa/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/qa/vars.tf b/infrastructure/terraform/per_account/qa/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {
diff --git a/infrastructure/terraform/per_account/ref/parameters/main.tf b/infrastructure/terraform/per_account/ref/parameters/main.tf
@@ -66,3 +66,7 @@ resource "aws_secretsmanager_secret" "apigee-app-client-info" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/provider.tf b/infrastructure/terraform/per_account/ref/parameters/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/ref/parameters/vars.tf b/infrastructure/terraform/per_account/ref/parameters/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/infrastructure/terraform/per_account/ref/provider.tf b/infrastructure/terraform/per_account/ref/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_account/ref/vars.tf b/infrastructure/terraform/per_account/ref/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {
diff --git a/infrastructure/terraform/per_workspace/provider.tf b/infrastructure/terraform/per_workspace/provider.tf
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {
diff --git a/infrastructure/terraform/per_workspace/vars.tf b/infrastructure/terraform/per_workspace/vars.tf
@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {
diff --git a/scripts/infrastructure/policies/role-trust-policy.json b/scripts/infrastructure/policies/role-trust-policy.json
@@ -7,7 +7,11 @@
         "AWS": "arn:aws:iam::${MGMT_ACCOUNT_ID}:root"
       },
       "Action": "sts:AssumeRole",
-      "Condition": {}
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${EXTERNAL_ID}"
+        }
+      }
     }
   ]
 }
diff --git a/scripts/infrastructure/roles.mk b/scripts/infrastructure/roles.mk
@@ -8,3 +8,6 @@ manage--non-mgmt-policies: aws--login ## Create or update IAM Policies
 
 manage--non-mgmt-test-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-integration-policies.sh
+
+manage--non-mgmt-trust-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-trust-policy.sh
diff --git a/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh b/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh
@@ -32,11 +32,11 @@ else
   fi
 fi
 MGMT_ID_PARAMETER_STORE="nhse-cpm--${ENV}--mgmt-account-id-v1.0.0"
-
+EXTERNAL_ID_PARAMETER_STORE="${ENV}-external-id"
 if aws secretsmanager describe-secret --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" &> /dev/null; then
   # Secret exists, retrieve its value
   MGMT_ACCOUNT_ID=$(aws secretsmanager get-secret-value --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
-
+  EXTERNAL_ID=$(aws secretsmanager get-secret-value --secret-id "$EXTERNAL_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
   #
   # Create the NHSDeploymentRole that will be used for deployment and CI/CD in All Deployment environments
   #
diff --git a/scripts/infrastructure/roles/manage-non-mgmt-aws-trust-policy.sh b/scripts/infrastructure/roles/manage-non-mgmt-aws-trust-policy.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+function _substitute_environment_variables() {
+  eval "cat << EOF
+$(cat $1)
+EOF"
+}
+
+AWS_REGION_NAME="eu-west-2"
+ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
+
+ENV="dev"
+
+#
+# Check we're not running this against MGMT
+#
+. "./scripts/aws/helpers.sh"
+if _validate_current_account "MGMT"; then
+  echo "Please login to non-mgmt profile before running this script"
+  exit 1
+else
+  if _validate_current_account "PROD"; then
+    ENV="prod"
+  elif _validate_current_account "INT"; then
+    ENV="int"
+  elif _validate_current_account "QA"; then
+    ENV="qa"
+  elif _validate_current_account "INT"; then
+    ENV="int"
+  elif _validate_current_account "REF"; then
+    ENV="ref"
+  fi
+fi
+EXTERNAL_ID_PARAMETER_STORE="${ENV}-external-id"
+MGMT_ID_PARAMETER_STORE="nhse-cpm--${ENV}--mgmt-account-id-v1.0.0"
+
+EXTERNAL_ID=$(aws secretsmanager get-secret-value --secret-id "$EXTERNAL_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
+MGMT_ACCOUNT_ID=$(aws secretsmanager get-secret-value --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
+
+tf_assume_role_policy=$(_substitute_environment_variables ./scripts/infrastructure/policies/role-trust-policy.json)
+aws iam update-assume-role-policy --role-name NHSDeploymentRole --policy-document "${tf_assume_role_policy}"
+aws iam update-assume-role-policy --role-name NHSSmokeTestRole --policy-document "${tf_assume_role_policy}"
+
+if [ "$ENV" != "PROD" ]; then
+  aws iam update-assume-role-policy --role-name NHSDevelopmentRole --policy-document "${tf_assume_role_policy}"
+  aws iam update-assume-role-policy --role-name NHSTestCIRole --policy-document "${tf_assume_role_policy}"
+fi
diff --git a/scripts/infrastructure/terraform/terraform-commands.sh b/scripts/infrastructure/terraform/terraform-commands.sh
@@ -22,6 +22,7 @@ function _terraform() {
   account=$(_get_account_name "$AWS_ACCOUNT") || return 1
   workspace=$(_get_workspace_name "$account" "$lowercase_string") || return 1
   aws_account_id=$(_get_aws_account_id "$account" "$PROFILE_PREFIX" "$VERSION") || return 1
+  external_id=$(_get_external_id "$account")
 
   var_file=$(_get_workspace_vars_file "$account") || return 1
   scope=$(_get_terraform_scope "$TERRAFORM_SCOPE") || return 1
@@ -116,6 +117,7 @@ function _terraform_plan() {
       -var-file="$var_file" \
       -var "assume_account=${aws_account_id}" \
       -var "assume_role=${terraform_role_name}" \
+      -var "external_id=${external_id}" \
       -var "updated_date=${current_date}" \
       -var "expiration_date=${expiration_date}" \
       -var "lambdas=${lambdas}" \
@@ -128,6 +130,7 @@ function _terraform_plan() {
       -var-file="$var_file" \
       -var "assume_account=${aws_account_id}" \
       -var "assume_role=${terraform_role_name}" \
+      -var "external_id=${external_id}" \
       -var "updated_date=${current_date}" \
       -var "expiration_date=${expiration_date}" || return 1
   fi
@@ -157,6 +160,7 @@ function _terraform_destroy() {
     -var-file="$var_file" \
     -var "assume_account=${aws_account_id}" \
     -var "assume_role=${terraform_role_name}" \
+    -var "external_id=${external_id}" \
     -var "workspace_type=${workspace_type}" \
     -var "lambdas=${lambdas}" \
     -var "layers=${layers}" \
diff --git a/scripts/infrastructure/terraform/terraform-utils.sh b/scripts/infrastructure/terraform/terraform-utils.sh
@@ -78,6 +78,21 @@ function _get_aws_account_id() {
       --output text
 }
 
+function _get_external_id() {
+  local env=$1
+
+  if [[ -z "$env" ]]; then
+    env="dev"
+  fi
+
+  external_id_name="nhse-cpm--mgmt--${env}-external-id"
+
+  aws secretsmanager get-secret-value \
+    --secret-id "$external_id_name" \
+    --query SecretString \
+    --output text
+}
+
 function _get_workspace_vars_file() {
     local dir=$(pwd)
     local account=$1
diff --git a/src/test_helpers/aws_session.py b/src/test_helpers/aws_session.py

Original file line number	Diff line number	Diff line change
`@@ -66,3 +66,7 @@ resource "aws_secretsmanager_secret" "apigee-app-client-info" {`
`66`	`66`	`resource "aws_secretsmanager_secret" "apigee-sds-app-key" {`
`67`	`67`	`name = "${terraform.workspace}-apigee-sds-app-key"`
`68`	`68`	`}`
	`69`	`+`
	`70`	`+resource "aws_secretsmanager_secret" "external-id" {`
	`71`	`+ name = "${terraform.workspace}-external-id"`
	`72`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,8 @@ provider "aws" {`
`2`	`2`	`region = local.region`
`3`	`3`
`4`	`4`	`assume_role {`
`5`		`- role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"`
	`5`	`+ role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"`
	`6`	`+ external_id = var.external_id`
`6`	`7`	`}`
`7`	`8`
`8`	`9`	`default_tags {`
Original file line number	Diff line number	Diff line change
`@@ -61,3 +61,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {`
`61`	`61`	`resource "aws_secretsmanager_secret" "apigee-sds-app-key" {`
`62`	`62`	`name = "${terraform.workspace}-apigee-sds-app-key"`
`63`	`63`	`}`
	`64`	`+`
	`65`	`+resource "aws_secretsmanager_secret" "external-id" {`
	`66`	`+ name = "${terraform.workspace}-external-id"`
	`67`	`+}`