prod conditions and github roles

Author: Karthikeyannhs

infrastructure/modules/lambda/data.tf

@@ -1,5 +1,5 @@
 data "aws_caller_identity" "current" {}
 
 data "aws_lambda_function" "existing" {
-  function_name = aws_lambda_function.eligibility_signposting_lambda.function_name
+  function_name = var.lambda_func_name
 }

infrastructure/modules/lambda/lambda.tf

@@ -47,10 +47,11 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
 # lambda alias required for provisioning concurrency
 resource "aws_lambda_alias" "campaign_alias" {
+  count            = var.environment == "prod" ? 1 : 0
   name             = "live"
   function_name    = coalesce(
     aws_lambda_function.eligibility_signposting_lambda.function_name,
-    data.aws_lambda_function.existing.version
+    data.aws_lambda_function.existing.function_name
   )
   function_version = coalesce(
     aws_lambda_function.eligibility_signposting_lambda.version,
@@ -61,7 +62,7 @@ resource "aws_lambda_alias" "campaign_alias" {
 # provisioned concurrency - number of pre-warmed lambda containers
 resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" {
   count                             = var.environment == "prod" ? 1 : 0
-  function_name                     = aws_lambda_function.eligibility_signposting_lambda.function_name
-  qualifier                         = aws_lambda_alias.campaign_alias.name
+  function_name                     = var.lambda_func_name
+  qualifier                         = aws_lambda_alias.campaign_alias[0].name
   provisioned_concurrent_executions = var.provisioned_concurrency_count
 }

infrastructure/stacks/api-layer/iam_policies.tf

@@ -191,7 +191,6 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
 
 #Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring
 resource "aws_iam_role_policy_attachment" "lambda_insights_policy" {
-  count      = var.environment == "prod" ? 1 : 0
   role       = aws_iam_role.eligibility_lambda_role.name
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
 }

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -62,10 +62,14 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:ListAliases",
           "lambda:AddPermission",
           "lambda:RemovePermission",
-          "lambda:GetPolicy"
+          "lambda:GetPolicy",
+          "lambda:GetAlias",
+          "lambda:GetFunction",
+          "lambda:GetProvisionedConcurrencyConfig"
         ],
         Resource = [
-          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*"
         ]
       }
     ]
@@ -465,29 +469,6 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
   }
 }
 
-resource "aws_iam_policy" "cloudwatch_logging" {
-  name        = "cloudwatch-logging-management"
-  description = "Allow access to logging resources"
-  path        = "/service-policies/"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:ListTagsForResource",
-          "logs:DescribeLogGroups",
-          "logs:PutRetentionPolicy"
-        ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
-      }
-    ]
-  })
-
-  tags = merge(local.tags, { Name = "cloudwatch-logging-management" })
-}
-
 resource "aws_iam_policy" "firehose_readonly" {
   name        = "firehose-describe-access"
   description = "Allow GitHub Actions to describe Firehose delivery stream"
@@ -518,9 +499,9 @@ resource "aws_iam_policy" "firehose_readonly" {
   tags = merge(local.tags, { Name = "firehose-describe-access" })
 }
 
-resource "aws_iam_policy" "cloudwatch_alarms" {
-  name        = "cloudwatch-alarms-management"
-  description = "Allow GitHub Actions to manage CloudWatch alarms and SNS topics"
+resource "aws_iam_policy" "cloudwatch_management" {
+  name        = "cloudwatch-management"
+  description = "Allow GitHub Actions to manage CloudWatch logs, alarms, and SNS topics"
   path        = "/service-policies/"
 
   policy = jsonencode({
@@ -529,15 +510,18 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
       {
         Effect = "Allow",
         Action = [
-          # CloudWatch Alarms management
+          "logs:ListTagsForResource",
+          "logs:DescribeLogGroups",
+          "logs:PutRetentionPolicy",
+
           "cloudwatch:PutMetricAlarm",
           "cloudwatch:DeleteAlarms",
           "cloudwatch:DescribeAlarms",
           "cloudwatch:DescribeAlarmsForMetric",
           "cloudwatch:ListTagsForResource",
           "cloudwatch:TagResource",
           "cloudwatch:UntagResource",
-          # SNS Topic management for alarm notifications
+
           "sns:CreateTopic",
           "sns:DeleteTopic",
           "sns:GetTopicAttributes",
@@ -552,14 +536,40 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
           "sns:ListSubscriptionsByTopic"
         ],
         Resource = [
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*"
         ]
       }
     ]
   })
 
-  tags = merge(local.tags, { Name = "cloudwatch-alarms-management" })
+  tags = merge(local.tags, { Name = "cloudwatch-management" })
+}
+
+# SQS Management Policy for GetQueueAttributes
+resource "aws_iam_policy" "sqs_management" {
+  name        = "sqs-management"
+  description = "Policy granting permissions to get SQS queue attributes"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "sqs:GetQueueAttributes",
+          "sqs:listqueuetags"
+        ],
+        Resource = [
+          "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "sqs-management" })
 }
 
 # Attach the policies to the role
@@ -598,17 +608,18 @@ resource "aws_iam_role_policy_attachment" "iam_management" {
   policy_arn = aws_iam_policy.iam_management.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_logging" {
+resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_logging.arn
+  policy_arn = aws_iam_policy.firehose_readonly.arn
 }
 
-resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
+resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.firehose_readonly.arn
+  policy_arn = aws_iam_policy.cloudwatch_management.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" {
+resource "aws_iam_role_policy_attachment" "sqs_management" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_alarms.arn
+  policy_arn = aws_iam_policy.sqs_management.arn
 }
+

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -150,6 +150,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:AddPermission",
       "lambda:RemovePermission",
       "lambda:GetPolicy",
+      "lambda:GetAlias",
+      "lambda:GetProvisionedConcurrencyConfig",
 
       # CloudWatch Logs - log management
       "logs:CreateLogGroup",
@@ -220,7 +222,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:AddTagsToResource",
 
       #SQS - message management
-      "sqs:SendMessage"
+      "sqs:SendMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:listqueuetags"
     ]
 
     resources = ["*"]