Merge pull request #413 from NHSDigital/bugfix/eja-fixing-tagging-permissions

eli-413 adding tagging permissions and workaround for limit to s3 tags

Author: eddalmond1

infrastructure/stacks/api-layer/truststore_s3_bucket.tf

@@ -13,14 +13,14 @@ resource "aws_s3_bucket_policy" "truststore" {
 }
 
 data "aws_iam_policy_document" "truststore_api_gateway" {
-    # Deny non-SSL
-    statement {
-      sid = "AllowSslRequestsOnly"
-      actions = ["s3:*"]
-      effect  = "Deny"
-      resources = [
-        module.s3_truststore_bucket.storage_bucket_arn,
-        "${module.s3_truststore_bucket.storage_bucket_arn}/*"
+  # Deny non-SSL
+  statement {
+    sid     = "AllowSslRequestsOnly"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    resources = [
+      module.s3_truststore_bucket.storage_bucket_arn,
+      "${module.s3_truststore_bucket.storage_bucket_arn}/*"
     ]
     principals {
       type        = "*"
@@ -55,4 +55,11 @@ resource "aws_s3_object" "pem_file" {
   content = local.pem_file_content
 
   acl = "private"
+
+  # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
+  tags = {}
+
+  lifecycle {
+    ignore_changes = [tags_all]
+  }
 }

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -104,6 +104,7 @@ resource "aws_iam_policy" "dynamodb_management" {
             "dynamodb:DeleteTable",
             "dynamodb:CreateTable",
             "dynamodb:TagResource",
+            "dynamodb:UntagResource",
             "dynamodb:ListTagsOfResource",
             "dynamodb:UpdateTable",
           ],
@@ -178,7 +179,8 @@ resource "aws_iam_policy" "s3_management" {
           "s3:PutBucketLogging",
           "s3:GetObjectTagging",
           "s3:PutObjectTagging",
-          "s3:GetObjectVersion"
+          "s3:GetObjectVersion",
+          "s3:PutBucketTagging",
         ],
         Resource = [
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules",
@@ -299,9 +301,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           "logs:AssociateKmsKey",
           "logs:CreateLogGroup",
           "logs:PutMetricFilter",
+          "logs:TagResource",
 
           # EC2 permissions
           "ec2:CreateTags",
+          "ec2:DeleteTags",
           "ec2:CreateNetworkAclEntry",
           "ec2:CreateNetworkAcl",
           "ec2:AssociateRouteTable",
@@ -357,6 +361,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vpc/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/eligibility-signposting-api-${var.environment}-audit/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:NHSDAudit_trail_log_group*",
           "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*",
           "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*",
@@ -411,6 +416,7 @@ resource "aws_iam_policy" "kms_creation" {
           "kms:UpdateKeyDescription",
           "kms:CreateGrant",
           "kms:TagResource",
+          "kms:UntagResource",
           "kms:EnableKeyRotation",
           "kms:ScheduleKeyDeletion",
           "kms:PutKeyPolicy",
@@ -459,6 +465,7 @@ resource "aws_iam_policy" "iam_management" {
           "iam:TagRole",
           "iam:PassRole",
           "iam:TagPolicy",
+          "iam:UntagPolicy",
         ],
         Resource = [
           # Lambda role
@@ -564,6 +571,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
           "logs:ListTagsForResource",
           "logs:DescribeLogGroups",
           "logs:PutRetentionPolicy",
+          "logs:TagResource",
+          "logs:UntagResource",
 
           "cloudwatch:PutMetricAlarm",
           "cloudwatch:DeleteAlarms",
@@ -589,7 +598,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
         Resource = [
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
-          "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*"
+          "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",
         ]
       }
     ]

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -35,13 +35,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "dynamodb:DeleteTable",
       "dynamodb:CreateTable",
       "dynamodb:TagResource",
+      "dynamodb:UntagResource",
       "dynamodb:ListTagsOfResource",
       "dynamodb:UpdateTable",
 
       # EC2 - networking infrastructure
       "ec2:Describe*",
       "ec2:ModifyVpcBlockPublicAccessOptions",
       "ec2:CreateTags",
+      "ec2:DeleteTags",
       "ec2:CreateNetworkAclEntry",
       "ec2:CreateNetworkAcl",
       "ec2:AssociateRouteTable",
@@ -105,6 +107,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:CreatePolicy",
       "iam:CreatePolicyVersion",
       "iam:TagRole",
+      "iam:UntagPolicy",
       "iam:PassRole",
       "iam:TagPolicy",
 
@@ -123,6 +126,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "kms:UpdateKeyDescription",
       "kms:CreateGrant",
       "kms:TagResource",
+      "kms:UntagResource",
       "kms:EnableKeyRotation",
       "kms:ScheduleKeyDeletion",
       "kms:PutKeyPolicy",
@@ -167,6 +171,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "logs:DescribeLogStreams",
       "logs:Describe*",
       "logs:ListTagsForResource",
+      "logs:TagResource",
+      "logs:UntagResource",
       "logs:PutRetentionPolicy",
       "logs:AssociateKmsKey",
       "logs:PutMetricFilter",
@@ -204,6 +210,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "s3:GetObjectTagging",
       "s3:PutObjectTagging",
       "s3:GetObjectVersion",
+      "s3:PutBucketTagging",
 
       # SNS - notification management
       "sns:CreateTopic",