eli- 546 create hashing secrets (#479)

* ELI 546 - Create hashing secrets in aws secret manager

* ELI 546 - added initial secrets, added kms encryptions

* ELI 546 - adding string secret

* ELI 546 - secret manager access to Lambda Role

* ELI 546 - checkov suppressions

* ELI 546 - checkov suppressions

* ELI 546 - firehose checkov suppressions

* ELI 546 -add more permissions in permission boundary

* ELI 546 - ignore secret changes

* ELI 546 - adding permissions to the role

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

* ELI 546 - adding permissions to the role - fix

Author: Karthikeyannhs

infrastructure/modules/secrets_manager/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/modules/secrets_manager/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/secrets_manager/kms.tf

@@ -0,0 +1,59 @@
+# KMS CMK to encrypt/decrypt secrets
+resource "aws_kms_key" "secrets_cmk" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+  description             = "CMK for Secrets Manager - ${var.project_name}-${var.environment}"
+  enable_key_rotation     = true
+  deletion_window_in_days = 30
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      # Allow your account root full control
+      {
+        Sid    = "AllowAccountAdminsFullAccess"
+        Effect = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      # Allow Secrets Manager service to use the key
+      {
+        Sid    = "AllowSecretsManagerServiceUse"
+        Effect = "Allow"
+        Principal = { Service = "secretsmanager.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyWithoutPlaintext",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      # Allow external role to decrypt for reading the secret
+      {
+        Sid    = "AllowExternalRoleDecrypt"
+        Effect = "Allow"
+        Principal = { AWS = var.external_write_access_role_arn }
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      # Allow Lambda role to decrypt for reading the secret
+      {
+        Sid    = "AllowLambdaRoleDecrypt"
+        Effect = "Allow"
+        Principal = { AWS = var.eligibility_lambda_role_arn }
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+  tags = var.tags
+}

infrastructure/modules/secrets_manager/secrets_manager.tf

@@ -0,0 +1,52 @@
+# Secret definition in your account
+resource "aws_secretsmanager_secret" "hashing_secret" {
+  #checkov:skip=CKV2_AWS_57: Secret rotations are handled manually
+  name        = "${var.project_name}-${var.environment}/hashing_secret"
+  description = "cross account hashing secrets"
+  kms_key_id  = aws_kms_key.secrets_cmk.arn
+  tags = {
+    Environment = var.environment
+    ManagedBy   = "terraform"
+  }
+}
+
+# Initial secrets
+resource "aws_secretsmanager_secret_version" "hashing_secrets_test" {
+  secret_id = aws_secretsmanager_secret.hashing_secret.id
+  secret_string = "initial_secret"
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
+}
+
+# Resource-based policy attached to the secret
+resource "aws_secretsmanager_secret_policy" "hashing_secret_policy" {
+  secret_arn = aws_secretsmanager_secret.hashing_secret.arn
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "CrossAccountAccess",
+        Effect = "Allow",
+        Principal = { AWS = var.external_write_access_role_arn },
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "LambdaAccess",
+        Effect = "Allow",
+        Principal = { AWS = var.eligibility_lambda_role_arn },
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+

infrastructure/modules/secrets_manager/variables.tf

@@ -0,0 +1,9 @@
+variable "external_write_access_role_arn" {
+  description = "Arn of the external write access role to provide secret manager access"
+  type        = string
+}
+
+variable "eligibility_lambda_role_arn" {
+  description = "Arn of the lambda role to provide secret manager access"
+  type        = string
+}

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -56,7 +56,11 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 
       # X-Ray - Lambda tracing
       "xray:PutTraceSegments",
-      "xray:PutTelemetryRecords"
+      "xray:PutTelemetryRecords",
+
+      # Secret Manager
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret"
     ]
 
     resources = ["*"]

infrastructure/stacks/api-layer/iam_policies.tf

@@ -291,6 +291,8 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
 }
 
 resource "aws_iam_role_policy" "splunk_firehose_policy" {
+  #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
+  #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams
   name = "splunk-firehose-policy"
   role = aws_iam_role.splunk_firehose_assume_role.id
 

infrastructure/stacks/api-layer/secrets_manager.tf

@@ -0,0 +1,9 @@
+module "secrets_manager" {
+  source = "../../modules/secrets_manager"
+  count = length(aws_iam_role.write_access_role)
+  external_write_access_role_arn = aws_iam_role.write_access_role[count.index].arn
+  environment  = var.environment
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
+  eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
+}

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -112,6 +112,26 @@ resource "aws_iam_policy" "dynamodb_management" {
           Resource = [
             "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-${var.environment}-eligibility_datastore"
           ]
+        },
+
+        {
+          Effect = "Allow",
+          Action = [
+            "secretsmanager:CreateSecret",
+            "secretsmanager:DeleteSecret",
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:PutSecretValue",
+            "secretsmanager:TagResource",
+            "secretsmanager:UntagResource",
+            "secretsmanager:ListTagsOfResource",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:GetResourcePolicy",
+            "secretsmanager:PutResourcePolicy",
+            "secretsmanager:DeleteResourcePolicy"
+          ],
+          Resource = [
+            "arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-${var.environment}/*"
+          ]
         }
       ],
       # to create test users in preprod

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -244,7 +244,20 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "wafv2:DisassociateWebACL",
       "wafv2:PutLoggingConfiguration",
       "wafv2:GetLoggingConfiguration",
-      "wafv2:DeleteLoggingConfiguration"
+      "wafv2:DeleteLoggingConfiguration",
+
+      # Secret Manager
+      "secretsmanager:CreateSecret",
+      "secretsmanager:DeleteSecret",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:TagResource",
+      "secretsmanager:UntagResource",
+      "secretsmanager:ListTagsOfResource",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:PutResourcePolicy",
+      "secretsmanager:DeleteResourcePolicy"
     ]
 
     resources = ["*"]