Merge pull request #311 from NHSDigital/bugfix/eja-github-secrets-uppercase

eddalmond1 · web-flow · commit 8df72f43276a · 2025-08-27T13:43:47.000+01:00
eli-375 bugfix - casing on github variables and adding permissions for github actions
diff --git a/infrastructure/stacks/api-layer/ssm.tf b/infrastructure/stacks/api-layer/ssm.tf
@@ -58,7 +58,7 @@ resource "aws_ssm_parameter" "splunk_hec_token" {
   description = "Splunk HEC token"
   type        = "SecureString"
   key_id      = aws_kms_key.splunk_hec_kms.id # Will migrate to customer key after initial creation
-  value       = var.splunk_hec_token
+  value       = var.SPLUNK_HEC_TOKEN
   tier        = "Advanced"
 
   tags = {
@@ -78,7 +78,7 @@ resource "aws_ssm_parameter" "splunk_hec_endpoint" {
   description = "Splunk HEC endpoint"
   type        = "SecureString"
   key_id      = aws_kms_key.splunk_hec_kms.id
-  value       = var.splunk_hec_endpoint
+  value       = var.SPLUNK_HEC_ENDPOINT
   tier        = "Advanced"
 
   tags = {
diff --git a/infrastructure/stacks/api-layer/variables.tf b/infrastructure/stacks/api-layer/variables.tf
@@ -1,9 +1,9 @@
-variable "splunk_hec_token" {
+variable "SPLUNK_HEC_TOKEN" {
   type        = string
   description = "The HEC token for ITOC splunk"
   sensitive   = true
 }
-variable "splunk_hec_endpoint" {
+variable "SPLUNK_HEC_ENDPOINT" {
   type        = string
   description = "The HEC endpoint url for ITOC splunk"
   sensitive   = true
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -170,8 +170,10 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore/*",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs/*",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup",
-          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup/*"
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-access-logs/*"
         ]
       }
     ]
@@ -304,6 +306,16 @@ resource "aws_iam_policy" "api_infrastructure" {
           "acm:RequestCertificate",
           "acm:AddTagsToCertificate",
           "acm:ImportCertificate",
+
+          # eventbridge
+          "events:TagResource",
+          "events:PutRule",
+          "events:PutTargets",
+          "events:DescribeRule",
+          "events:ListTagsForResource",
+          "events:DeleteRule",
+          "events:ListTargetsByRule",
+          "events:RemoveTargets"
         ],
 
 
@@ -320,7 +332,9 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",
           "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
+          "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
           "arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",
+          "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
         ]
       },
     ]
@@ -436,7 +450,11 @@ resource "aws_iam_policy" "iam_management" {
           # API role
           "arn:aws:iam::*:role/*eligibility-signposting-api-role",
           # Kinesis firehose role
-          "arn:aws:iam::*:role/eligibility_audit_firehose-role*"
+          "arn:aws:iam::*:role/eligibility_audit_firehose-role*",
+          # Eventbridge to firehose role
+          "arn:aws:iam::*:role/*-eventbridge-to-firehose-role*",
+          # Firehose splunk role
+          "arn:aws:iam::*:role/splunk-firehose-role"
         ]
       }
     ]
@@ -495,7 +513,10 @@ resource "aws_iam_policy" "firehose_readonly" {
           "firehose:StartDeliveryStreamEncryption",
           "firehose:StopDeliveryStreamEncryption"
         ]
-        Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
+        Resource = [
+            "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*",
+            "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/splunk-alarm-events*"
+        ]
       }
     ]
   })
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -69,6 +69,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "events:ListTargetsByRule",
       "events:TagResource",
       "events:UntagResource",
+      "events:ListTagsForResource",
 
       # Kinesis Firehose - log streaming
       "firehose:CreateDeliveryStream",

Original file line number	Diff line number	Diff line change
`@@ -170,8 +170,10 @@ resource "aws_iam_policy" "s3_management" {`
`170`	`170`	`"arn:aws:s3:::eligibility-signposting-api-${var.environment}-truststore/",`
`171`	`171`	`"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-truststore-access-logs",`
`172`	`172`	`"arn:aws:s3:::eligibility-signposting-api-${var.environment}-truststore-access-logs/",`
`173`		`- "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-backup",`
`174`		`- "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-splunk-backup/"`
	`173`	`+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk",`
	`174`	`+ "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-splunk/",`
	`175`	`+ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-splunk-access-logs",`
	`176`	`+ "arn:aws:s3:::eligibility-signposting-api-${var.environment}-eli-splunk-access-logs/"`
`175`	`177`	`]`
`176`	`178`	`}`
`177`	`179`	`]`
`@@ -304,6 +306,16 @@ resource "aws_iam_policy" "api_infrastructure" {`
`304`	`306`	`"acm:RequestCertificate",`
`305`	`307`	`"acm:AddTagsToCertificate",`
`306`	`308`	`"acm:ImportCertificate",`
	`309`	`+`
	`310`	`+ # eventbridge`
	`311`	`+ "events:TagResource",`
	`312`	`+ "events:PutRule",`
	`313`	`+ "events:PutTargets",`
	`314`	`+ "events:DescribeRule",`
	`315`	`+ "events:ListTagsForResource",`
	`316`	`+ "events:DeleteRule",`
	`317`	`+ "events:ListTargetsByRule",`
	`318`	`+ "events:RemoveTargets"`
`307`	`319`	`],`
`308`	`320`
`309`	`321`
`@@ -320,7 +332,9 @@ resource "aws_iam_policy" "api_infrastructure" {`
`320`	`332`	`"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",`
`321`	`333`	`"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",`
`322`	`334`	`"arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",`
	`335`	`+ "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",`
`323`	`336`	`"arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",`
	`337`	`+ "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",`
`324`	`338`	`]`
`325`	`339`	`},`
`326`	`340`	`]`
`@@ -436,7 +450,11 @@ resource "aws_iam_policy" "iam_management" {`
`436`	`450`	`# API role`
`437`	`451`	`"arn:aws:iam:::role/eligibility-signposting-api-role",`
`438`	`452`	`# Kinesis firehose role`
`439`		`- "arn:aws:iam:::role/eligibility_audit_firehose-role"`
	`453`	`+ "arn:aws:iam:::role/eligibility_audit_firehose-role",`
	`454`	`+ # Eventbridge to firehose role`
	`455`	`+ "arn:aws:iam:::role/-eventbridge-to-firehose-role*",`
	`456`	`+ # Firehose splunk role`
	`457`	`+ "arn:aws:iam::*:role/splunk-firehose-role"`
`440`	`458`	`]`
`441`	`459`	`}`
`442`	`460`	`]`
`@@ -495,7 +513,10 @@ resource "aws_iam_policy" "firehose_readonly" {`
`495`	`513`	`"firehose:StartDeliveryStreamEncryption",`
`496`	`514`	`"firehose:StopDeliveryStreamEncryption"`
`497`	`515`	`]`
`498`		`- Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"`
	`516`	`+ Resource = [`
	`517`	`+ "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*",`
	`518`	`+ "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/splunk-alarm-events*"`
	`519`	`+ ]`
`499`	`520`	`}`
`500`	`521`	`]`
`501`	`522`	`})`