
Commit 9bf8b61

Merge branch 'main' into feature/ELI-702-code-signing
2 parents cbba2ef + dbb0ec3 commit 9bf8b61


2 files changed

+39
-5
lines changed


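--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -235,6 +235,10 @@ resource "aws_iam_policy" "s3_management" {
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics/*",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",
 "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/*",
+"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs",
+"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs/*",
+"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs",
+"arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-cloudwatch-logs-access-logs/*",
 ]
 }
 ]
@@ -259,6 +263,12 @@ resource "aws_iam_policy" "api_infrastructure" {
 Effect = "Allow",
 Action = [
 "logs:Describe*",
+"cloudtrail:DescribeTrails",
+"cloudtrail:GetEventSelectors",
+"cloudtrail:GetTrail",
+"cloudtrail:GetTrailStatus",
+"cloudtrail:ListTags",
+"cloudtrail:ListTrails",
 "ssm:DescribeParameters",
 "ec2:Describe*",
 "ec2:DescribeVpcs",
@@ -315,7 +325,10 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
-"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/*"
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/*",
+# CloudTrail log group
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*elid-aws-cloudtrail-logs",
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*elid-aws-cloudtrail-logs:*"
 ]
 },
 {
@@ -348,7 +361,9 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*firehose*role*",
 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*",
 # CSOC CloudWatch Logs subscription role
-"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-CWLogsSubscriptionRole"
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-CWLogsSubscriptionRole",
+# CloudTrail to CloudWatch Logs role
+"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/cloudtrail-cloudwatch-role"
 ],
 Condition = {
 StringEquals = {
@@ -358,7 +373,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 "vpc-flow-logs.amazonaws.com",
 "events.amazonaws.com",
 "firehose.amazonaws.com",
-"logs.amazonaws.com"
+"logs.amazonaws.com",
+"cloudtrail.amazonaws.com"
 ]
 }
 }
@@ -374,6 +390,16 @@ resource "aws_iam_policy" "api_infrastructure" {
 "logs:PutMetricFilter",
 "logs:TagResource",
 
+# CloudTrail
+"cloudtrail:AddTags",
+"cloudtrail:CreateTrail",
+"cloudtrail:DeleteTrail",
+"cloudtrail:PutEventSelectors",
+"cloudtrail:RemoveTags",
+"cloudtrail:StartLogging",
+"cloudtrail:StopLogging",
+"cloudtrail:UpdateTrail",
+
 # EC2 permissions
 "ec2:CreateTags",
 "ec2:DeleteTags",
@@ -460,6 +486,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/eligibility-signposting-api-${var.environment}-audit/*",
 "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*elid-aws-cloudtrail-logs",
+"arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*elid-aws-cloudtrail-logs:*",
 "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
 "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
 "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/ptl/*",
@@ -469,7 +497,8 @@ resource "aws_iam_policy" "api_infrastructure" {
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
 "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
 "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
-"arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/*"
+"arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/*",
+"arn:aws:cloudtrail:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:trail/${var.project_name}-${var.environment}-*"
 ]
 },
 ]
@@ -605,7 +634,9 @@ resource "aws_iam_policy" "iam_management" {
 # Eventbridge invoke step functions role
 "arn:aws:iam::*:role/eventbridge_invoke_sfn_role",
 "arn:aws:iam::*:role/secret_rotation_lambda_role",
-"arn:aws:iam::*:role/secret_rotation_workflow_role"
+"arn:aws:iam::*:role/secret_rotation_workflow_role",
+# CloudTrail to CloudWatch Logs role
+"arn:aws:iam::*:role/cloudtrail-cloudwatch-role"
 ]
 }
 ]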

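--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -28,6 +28,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "cloudwatch:GetDashboard",
 "cloudwatch:GetMetricWidgetImage",
 
+# CloudTrail - trail management
+"cloudtrail:*",
+
 # DynamoDB - table management
 "dynamodb:Describe*",
 "dynamodb:ListTables",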
