Merge pull request #470 from NHSDigital/feature/eja-eli-384-adding-WAF-for-API-gateway

eli-384 misc. permissions and changes for deployment

Author: eddalmond1

infrastructure/stacks/api-layer/waf.tf

@@ -170,7 +170,7 @@ resource "aws_wafv2_web_acl_association" "api_gateway" {
 # CloudWatch Log Group for WAF logs
 resource "aws_cloudwatch_log_group" "waf" {
   count             = local.waf_enabled ? 1 : 0
-  name              = "/aws/wafv2/${local.workspace}-eligibility-signposting-api"
+  name              = "aws-waf-logs-${local.workspace}-eligibility-signposting-api"
   retention_in_days = 365
   kms_key_id        = aws_kms_key.waf_logs[0].arn
 
@@ -188,6 +188,46 @@ resource "aws_cloudwatch_log_group" "waf" {
   ]
 }
 
+# CloudWatch Logs resource policy to allow WAF to write logs
+resource "aws_cloudwatch_log_resource_policy" "waf" {
+  count       = local.waf_enabled ? 1 : 0
+  policy_name = "${local.workspace}-waf-logging-policy"
+  policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AWSLogDeliveryWrite"
+        Effect = "Allow"
+        Principal = {
+          Service = "delivery.logs.amazonaws.com"
+        }
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "${aws_cloudwatch_log_group.waf[0].arn}:*"
+        Condition = {
+          StringEquals = {
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+          ArnLike = {
+            "aws:SourceArn" = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:*"
+          }
+        }
+      },
+      {
+        Sid    = "AWSLogDeliveryAclCheck"
+        Effect = "Allow"
+        Principal = {
+          Service = "delivery.logs.amazonaws.com"
+        }
+        Action   = "logs:GetLogDelivery"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 # KMS Key for WAF logs encryption
 resource "aws_kms_key" "waf_logs" {
   count                   = local.waf_enabled ? 1 : 0
@@ -272,7 +312,11 @@ data "aws_iam_policy_document" "waf_logs_kms" {
     condition {
       test     = "ArnLike"
       variable = "kms:EncryptionContext:aws:logs:arn"
-      values   = ["arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*"]
+      values = [
+        "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
+        "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
+        "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"
+      ]
     }
   }
 }

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -240,7 +240,16 @@ resource "aws_iam_policy" "api_infrastructure" {
           "acm:ListCertificates",
           # WAF v2 list operations
           "wafv2:ListWebACLs",
-          "wafv2:ListTagsForResource"
+          "wafv2:ListTagsForResource",
+          # CloudWatch Logs resource policies (require wildcard)
+          "logs:PutResourcePolicy",
+          "logs:DeleteResourcePolicy",
+          "logs:DescribeResourcePolicies",
+          # CloudWatch Logs delivery for WAF
+          "logs:CreateLogDelivery",
+          "logs:DeleteLogDelivery",
+          # IAM service-linked role for WAF logging
+          "iam:CreateServiceLinkedRole"
 
         ],
         Resource = "*"
@@ -251,6 +260,7 @@ resource "aws_iam_policy" "api_infrastructure" {
         Action = [
           # CloudWatch Logs creation and management
           "logs:CreateLogGroup",
+          "logs:DeleteLogGroup",
           "logs:CreateLogStream",
           "logs:PutLogEvents",
           # CloudWatch Logs subscription filters for CSOC forwarding
@@ -266,7 +276,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           # API Gateway logs
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*",
           # Kinesis Firehose logs
-          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
+          # WAF v2 logs (both naming conventions)
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"
         ]
       },
       {
@@ -376,6 +390,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "wafv2:CreateWebACL",
           "wafv2:DeleteWebACL",
           "wafv2:GetWebACL",
+          "wafv2:GetWebACLForResource",
           "wafv2:UpdateWebACL",
           "wafv2:TagResource",
           "wafv2:UntagResource",
@@ -405,6 +420,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:acm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:certificate/*",
           "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
+          "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
         ]
       },
     ]
@@ -615,6 +631,7 @@ resource "aws_iam_policy" "cloudwatch_management" {
         Action = [
           "logs:ListTagsForResource",
           "logs:DescribeLogGroups",
+          "logs:DeleteLogGroup",
           "logs:PutRetentionPolicy",
           "logs:TagResource",
           "logs:UntagResource",
@@ -643,6 +660,8 @@ resource "aws_iam_policy" "cloudwatch_management" {
         Resource = [
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/default-eligibility-signposting-api*",

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -116,6 +116,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:UntagPolicy",
       "iam:PassRole",
       "iam:TagPolicy",
+      "iam:CreateServiceLinkedRole",
 
       # KMS - encryption key management
       "kms:CreateKey",
@@ -170,21 +171,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:ListProvisionedConcurrencyConfigs",
 
       # CloudWatch Logs - log management
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:Describe*",
-      "logs:ListTagsForResource",
-      "logs:TagResource",
-      "logs:UntagResource",
-      "logs:PutRetentionPolicy",
-      "logs:AssociateKmsKey",
-      "logs:PutMetricFilter",
-      "logs:PutSubscriptionFilter",
-      "logs:DeleteSubscriptionFilter",
-      "logs:DescribeSubscriptionFilters",
+      "logs:*",
 
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
@@ -241,7 +228,23 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:GetParameters",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
-      "ssm:AddTagsToResource"
+      "ssm:AddTagsToResource",
+
+      # WAFv2 - web application firewall management
+      "wafv2:CreateWebACL",
+      "wafv2:DeleteWebACL",
+      "wafv2:GetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:UpdateWebACL",
+      "wafv2:ListWebACLs",
+      "wafv2:TagResource",
+      "wafv2:UntagResource",
+      "wafv2:ListTagsForResource",
+      "wafv2:AssociateWebACL",
+      "wafv2:DisassociateWebACL",
+      "wafv2:PutLoggingConfiguration",
+      "wafv2:GetLoggingConfiguration",
+      "wafv2:DeleteLoggingConfiguration"
     ]
 
     resources = ["*"]