Merge branch 'feature/PI-873-split_support_policy' into release/2025-04-02

megan-bower4 · megan-bower4 · commit e38f12b91f3f · 2025-04-02T14:13:03.000+01:00
diff --git a/scripts/infrastructure/policies/support-policy.json b/scripts/infrastructure/policies/support-policy.json
@@ -252,30 +252,6 @@
         "apigateway:POST"
       ],
       "Resource": ["arn:aws:apigateway:*::/*"]
-    },
-    {
-      "Sid": "CertificateSupportPermissions",
-      "Effect": "Allow",
-      "Action": ["acm:ListTagsForCertificate", "acm:DescribeCertificate"],
-      "Resource": ["arn:aws:acm:*:{$ACCOUNT_ID}:certificate*"]
-    },
-    {
-      "Sid": "BillingSupportPermissions",
-      "Effect": "Allow",
-      "Action": [
-        "ce:GetCostAndUsage",
-        "ce:GetCostForcast",
-        "ce:GetAnomalies",
-        "ce:GetTags",
-        "budgets:ViewBudget"
-      ],
-      "Resource": [
-        "arn:aws:ce:*:{$ACCOUNT_ID}:GetCostAndUsage",
-        "arn:aws:ce:*:{$ACCOUNT_ID}:GetCostForecast",
-        "arn:aws:ce:*:{$ACCOUNT_ID}:GetTags",
-        "arn:aws:ce:*:{$ACCOUNT_ID}:anomalymonitor/*",
-        "arn:aws:budgets::{$ACCOUNT_ID}:budget/*"
-      ]
     }
   ]
 }
diff --git a/scripts/infrastructure/policies/support1-policy.json b/scripts/infrastructure/policies/support1-policy.json
@@ -0,0 +1,257 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "IamSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:GetPolicyVersion",
+        "iam:ListRoleTags",
+        "iam:ListPolicyTags",
+        "iam:ListRolePolicies",
+        "iam:GetRole",
+        "iam:GetPolicy",
+        "iam:ListGroupPolicies",
+        "iam:ListPolicyVersions",
+        "iam:GetGroupPolicy",
+        "iam:GetRolePolicy",
+        "iam:ListPolicies",
+        "iam:ListRoles",
+        "iam:ListGroups",
+        "iam:ListUsers",
+        "iam:ListAttachedRolePolicies"
+      ],
+      "Resource": [
+        "arn:aws:iam::${ACCOUNT_ID}:role/*",
+        "arn:aws:iam::${ACCOUNT_ID}:group/*",
+        "arn:aws:iam::${ACCOUNT_ID}:policy/*"
+      ]
+    },
+    {
+      "Sid": "IamSupportPermissionsAll",
+      "Effect": "Allow",
+      "Action": ["iam:ListAccountAliases", "iam:GetAccountSummary"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "DynamoDbSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:BatchGetItem",
+        "dynamodb:UpdateTimeToLive",
+        "dynamodb:ConditionCheckItem",
+        "dynamodb:PutItem",
+        "dynamodb:DeleteItem",
+        "dynamodb:DescribeContributorInsights",
+        "dynamodb:Scan",
+        "dynamodb:ListTagsOfResource",
+        "dynamodb:Query",
+        "dynamodb:UpdateItem",
+        "dynamodb:CreateBackup",
+        "dynamodb:DescribeTimeToLive",
+        "dynamodb:PartiQLSelect",
+        "dynamodb:DescribeTable",
+        "dynamodb:GetItem",
+        "dynamodb:DescribeContinuousBackups",
+        "dynamodb:DescribeKinesisStreamingDestination",
+        "dynamodb:DescribeTableReplicaAutoScaling",
+        "dynamodb:ListContributorInsights",
+        "dynamodb:DescribeReservedCapacityOfferings",
+        "dynamodb:ListGlobalTables",
+        "dynamodb:ListTables",
+        "dynamodb:DescribeReservedCapacity",
+        "dynamodb:ListBackups",
+        "dynamodb:ListImports",
+        "dynamodb:DescribeLimits",
+        "dynamodb:DescribeEndpoints",
+        "dynamodb:ListExports",
+        "dynamodb:ListStreams"
+      ],
+      "Resource": [
+        "arn:aws:dynamodb:*:${ACCOUNT_ID}:table/*",
+        "arn:aws:dynamodb::${ACCOUNT_ID}:global-table/*"
+      ]
+    },
+    {
+      "Sid": "CloudFormationSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:DescribeStacks",
+        "cloudformation:ListStackResources",
+        "cloudformation:ListStacks"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "TagSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "tag:GetResources",
+        "tag:GetTagValues",
+        "tag:GetTagKeys",
+        "tag:GetComplianceSummary",
+        "tag:DescribeReportCreation"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "LambdaSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:ListAliases",
+        "lambda:ListFunctionUrlConfigs",
+        "lambda:ListTags",
+        "lambda:ListVersionsByFunction",
+        "lambda:ListLayerVersions",
+        "lambda:GetAlias",
+        "lambda:GetFunction",
+        "lambda:GetLayerVersion",
+        "lambda:GetFunctionEventInvokeConfig",
+        "lambda:ListProvisionedConcurrencyConfigs",
+        "lambda:GetFunctionUrlConfig"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:${ACCOUNT_ID}:function:*",
+        "arn:aws:lambda:*:${ACCOUNT_ID}:layer:*:*"
+      ]
+    },
+    {
+      "Sid": "LambdaSupportAllPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:ListFunctions",
+        "lambda:ListLayers",
+        "lambda:GetAccountSettings"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "ResourceGroupSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "resource-groups:GetAccountSettings",
+        "resource-groups:GetGroupQuery",
+        "resource-groups:GetTags",
+        "resource-groups:GetGroup",
+        "resource-groups:GetGroupConfiguration",
+        "resource-groups:ListGroupResources",
+        "resource-groups:SearchResources",
+        "resource-groups:ListGroups"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "CloudwatchSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:ListTagsForResource",
+        "cloudwatch:ListMetrics",
+        "cloudwatch:ListMetricStreams",
+        "cloudwatch:DescribeAlarmHistory",
+        "cloudwatch:DescribeAlarms",
+        "cloudwatch:DescribeAlarmsForMetric",
+        "cloudwatch:DescribeAnomalyDetectors",
+        "cloudwatch:DescribeInsightRules",
+        "cloudwatch:GetDashboard",
+        "cloudwatch:GetInsightRuleReport",
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricWidgetImage",
+        "cloudwatch:GetMetricStream",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GenerateQuery",
+        "cloudwatch:ListManagedInsightRules",
+        "cloudwatch:ListDashboards"
+      ],
+      "Resource": [
+        "arn:aws:cloudwatch:*:${ACCOUNT_ID}:alarm:*",
+        "arn:aws:cloudwatch::${ACCOUNT_ID}:dashboard/*",
+        "arn:aws:cloudwatch:*:${ACCOUNT_ID}:insight-rule/*",
+        "arn:aws:cloudwatch:*:${ACCOUNT_ID}:metric-stream/*"
+      ]
+    },
+    {
+      "Sid": "LogSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "logs:ListAnomalies",
+        "logs:GetDelivery",
+        "logs:GetDeliverySource",
+        "logs:GetLogEvents",
+        "logs:GetDeliveryDestinationPolicy",
+        "logs:GetDeliveryDestination",
+        "logs:GetLogAnomalyDetector",
+        "logs:ListTagsForResource",
+        "logs:GetLogDelivery",
+        "logs:ListLogDeliveries",
+        "logs:StartLiveTail",
+        "logs:StopLiveTail",
+        "logs:DescribeQueryDefinitions",
+        "logs:DescribeResourcePolicies",
+        "logs:DescribeDestinations",
+        "logs:DescribeQueries",
+        "logs:DescribeLogGroups",
+        "logs:DescribeAccountPolicies",
+        "logs:DescribeDeliverySources",
+        "logs:StopQuery",
+        "logs:TestMetricFilter",
+        "logs:DescribeDeliveryDestinations",
+        "logs:DescribeExportTasks",
+        "logs:DescribeDeliveries",
+        "logs:GetDataProtectionPolicy",
+        "logs:GetLogRecord",
+        "logs:DescribeSubscriptionFilters",
+        "logs:StartQuery",
+        "logs:DescribeMetricFilters",
+        "logs:FilterLogEvents",
+        "logs:Unmask",
+        "logs:ListTagsForResource",
+        "logs:GetQueryResults",
+        "logs:ListTagsLogGroup",
+        "logs:DescribeLogStreams",
+        "logs:ListLogAnomalyDetectors",
+        "logs:GetLogGroupFields"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:${ACCOUNT_ID}:anomaly-detector:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:delivery:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:delivery-destination:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:delivery-source:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:destination:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:log-group:*",
+        "arn:aws:logs:*:${ACCOUNT_ID}:log-group:*:log-stream:*"
+      ]
+    },
+    {
+      "Sid": "KMSSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "kms:DescribeKey",
+        "kms:Decrypt",
+        "kms:DisableKey",
+        "kms:DisableKeyRotation",
+        "kms:EnableKey",
+        "kms:EnableKeyRotation",
+        "kms:GetKeyPolicy",
+        "kms:GetKeyRotationStatus",
+        "kms:ListAliases",
+        "kms:ListResourceTags",
+        "kms:ScheduleKeyDeletion",
+        "kms:UpdateAlias",
+        "kms:UpdateKeyDescription"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "APIGatewaySupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH",
+        "apigateway:PUT",
+        "apigateway:POST"
+      ],
+      "Resource": ["arn:aws:apigateway:*::/*"]
+    }
+  ]
+}
diff --git a/scripts/infrastructure/policies/support2-policy.json b/scripts/infrastructure/policies/support2-policy.json
@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "CertificateSupportPermissions",
+      "Effect": "Allow",
+      "Action": ["acm:ListTagsForCertificate", "acm:DescribeCertificate"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "BudgetSupportPermissions",
+      "Effect": "Allow",
+      "Action": ["budgets:ViewBudget"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "BillingSupportPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ce:GetCostAndUsage",
+        "ce:GetCostForecast",
+        "ce:GetAnomalies",
+        "ce:GetTags"
+      ],
+      "Resource": ["*"]
+    }
+  ]
+}
diff --git a/scripts/infrastructure/roles.mk b/scripts/infrastructure/roles.mk
@@ -12,6 +12,12 @@ manage--non-mgmt-development-policies: aws--login ## Create or update IAM Polici
 manage--mgmt-development-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-mgmt-aws-development-policies.sh
 
+manage--non-mgmt-support-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-policies.sh
+
+manage--mgmt-support-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-mgmt-aws-support-policies.sh
+
 manage--non-mgmt-test-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-integration-policies.sh
 
diff --git a/scripts/infrastructure/roles/manage-mgmt-aws-support-policies.sh b/scripts/infrastructure/roles/manage-mgmt-aws-support-policies.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+function _substitute_environment_variables() {
+  eval "cat << EOF
+$(cat $1)
+EOF"
+}
+
+AWS_REGION_NAME="eu-west-2"
+
+ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
+
+#
+# Check we're running this against MGMT
+#
+. "./scripts/aws/helpers.sh"
+if ! _validate_current_account "MGMT"; then
+  echo "Please login to mgmt profile before running this script"
+  exit 1
+fi
+
+#
+# Create the NHSDevelopmentPolicy that will be used for Developer access and
+# NHSDevelopmentRole. This policy is split into 2 as the file size was too large.
+#
+
+policy_name="NHSSupportPolicy"
+
+for policy_number in "1" "2"; do
+  tf_policy=$(_substitute_environment_variables ./scripts/infrastructure/policies/support${policy_number}-policy.json)
+  aws iam get-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" &>/dev/null
+  if [ $? != 0 ]; then
+    aws iam create-policy \
+      --policy-name "${policy_name}${policy_number}" \
+      --policy-document "${tf_policy}" \
+      --region "${AWS_REGION_NAME}" ||
+      exit 1
+  fi
+  # We update the version because this updates all roles and we don't have to detach and delete.
+  versions=$(aws iam list-policy-versions --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" --region "${AWS_REGION_NAME}")
+  num_versions=$(echo "$versions" | jq -r '.Versions | length')
+  # There has got to be at least 2 versions.
+  if [ "$num_versions" -ge 2 ]; then
+    # Extract the oldest version using jq
+    oldest_version=$(echo "$versions" | jq -r '.Versions | sort_by(.CreateDate) | .[0].VersionId')
+
+    aws iam delete-policy-version \
+      --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" \
+      --version-id "${oldest_version}" ||
+      exit 1
+  fi
+
+  aws iam create-policy-version \
+    --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" \
+    --policy-document "${tf_policy}" \
+    --set-as-default \
+    --region "${AWS_REGION_NAME}" ||
+    exit 1
+done
diff --git a/scripts/infrastructure/roles/manage-non-mgmt-aws-support-policies.sh b/scripts/infrastructure/roles/manage-non-mgmt-aws-support-policies.sh
