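--- a/infrastructure/modules/secrets_manager/data.tf
+++ b/infrastructure/modules/secrets_manager/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}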
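--- a/infrastructure/modules/secrets_manager/kms.tf
+++ b/infrastructure/modules/secrets_manager/kms.tf
@@ -0,0 +1,59 @@
+# KMS CMK to encrypt/decrypt secrets
+resource "aws_kms_key" "secrets_cmk" {
+#checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+description = "CMK for Secrets Manager - ${var.project_name}-${var.environment}"
+enable_key_rotation = true
+deletion_window_in_days = 30
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+# Allow your account root full control
+{
+Sid = "AllowAccountAdminsFullAccess"
+Effect = "Allow"
+Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+Action = "kms:*"
+Resource = "*"
+},
+# Allow Secrets Manager service to use the key
+{
+Sid = "AllowSecretsManagerServiceUse"
+Effect = "Allow"
+Principal = { Service = "secretsmanager.amazonaws.com" }
+Action = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey",
+"kms:GenerateDataKeyWithoutPlaintext",
+"kms:DescribeKey"
+]
+Resource = "*"
+},
+# Allow external role to decrypt for reading the secret
+{
+Sid = "AllowExternalRoleDecrypt"
+Effect = "Allow"
+Principal = { AWS = var.external_write_access_role_arn }
+Action = [
+"kms:Decrypt",
+"kms:DescribeKey"
+]
+Resource = "*"
+},
+# Allow Lambda role to decrypt for reading the secret
+{
+Sid = "AllowLambdaRoleDecrypt"
+Effect = "Allow"
+Principal = { AWS = var.eligibility_lambda_role_arn }
+Action = [
+"kms:Decrypt",
+"kms:DescribeKey"
+]
+Resource = "*"
+}
+]
+})
+tags = var.tags
+}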
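Review bot: The `AllowExternalRoleDecrypt` and `AllowLambdaRoleDecrypt` statements grant `kms:Decrypt` on the key with no condition, so either role can call KMS directly to decrypt any ciphertext produced under this CMK rather than only reading the secret through Secrets Manager. Adding a `kms:ViaService` condition pinned to the Secrets Manager endpoint of the deploying region (`Condition = { StringEquals = { "kms:ViaService" = "secretsmanager.<region>.amazonaws.com" } }`, region is a placeholder) to both statements keeps the key usable on that path only. The `AllowSecretsManagerServiceUse` statement is also unconditioned; Secrets Manager normally calls KMS with the caller's credentials, so this statement appears unnecessary for what the module does, and if it is kept it should carry a `kms:CallerAccount` condition limiting it to this account. The comment `# Allow external role to decrypt for reading the secret` would be clearer if it noted that the grant is deliberately read-only despite the `external_write_access_role_arn` variable name.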
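--- a/infrastructure/modules/secrets_manager/secrets_manager.tf
+++ b/infrastructure/modules/secrets_manager/secrets_manager.tf
@@ -0,0 +1,52 @@
+# Secret definition in your account
+resource "aws_secretsmanager_secret" "hashing_secret" {
+#checkov:skip=CKV2_AWS_57: Secret rotations are handled manually
+name = "${var.project_name}-${var.environment}/hashing_secret"
+description = "cross account hashing secrets"
+kms_key_id = aws_kms_key.secrets_cmk.arn
+tags = {
+Environment = var.environment
+ManagedBy = "terraform"
+}
+}
+
+# Initial secrets
+resource "aws_secretsmanager_secret_version" "hashing_secrets_test" {
+secret_id = aws_secretsmanager_secret.hashing_secret.id
+secret_string = "initial_secret"
+lifecycle {
+ignore_changes = [secret_string]
+}
+}
+
+# Resource-based policy attached to the secret
+resource "aws_secretsmanager_secret_policy" "hashing_secret_policy" {
+secret_arn = aws_secretsmanager_secret.hashing_secret.arn
+
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Sid = "CrossAccountAccess",
+Effect = "Allow",
+Principal = { AWS = var.external_write_access_role_arn },
+Action = [
+"secretsmanager:GetSecretValue",
+"secretsmanager:DescribeSecret"
+],
+Resource = "*"
+},
+{
+Sid = "LambdaAccess",
+Effect = "Allow",
+Principal = { AWS = var.eligibility_lambda_role_arn },
+Action = [
+"secretsmanager:GetSecretValue",
+"secretsmanager:DescribeSecret"
+],
+Resource = "*"
+}
+]
+})
+}
+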
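Review bot: `secret_string = "initial_secret"` seeds the secret with a committed, well-known placeholder, and the `ignore_changes = [secret_string]` just below means Terraform will never report that the placeholder is still in place; nothing in the module records that the real value has to be written out-of-band. The `# Initial secrets` comment should state this explicitly, e.g. `# Placeholder only: the real value is written out-of-band after apply and later drift is intentionally ignored by Terraform`, and the resource name `hashing_secrets_test` would be less confusing if it matched the secret's `hashing_secret`. The placeholder also ends up in Terraform state through this resource, which is worth mentioning where state access is documented. Separately, the `tags` block here hard-codes `Environment`/`ManagedBy` while kms.tf in the same module uses `var.tags`; one source for both resources keeps tagging consistent.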
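--- a/infrastructure/modules/secrets_manager/variables.tf
+++ b/infrastructure/modules/secrets_manager/variables.tf
@@ -0,0 +1,9 @@
+variable "external_write_access_role_arn" {
+description = "Arn of the external write access role to provide secret manager access"
+type = string
+}
+
+variable "eligibility_lambda_role_arn" {
+description = "Arn of the lambda role to provide secret manager access"
+type = string
+}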
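Review bot: This file declares only the two role ARNs, yet the module's kms.tf reads `var.project_name`, `var.environment` and `var.tags`, its secrets_manager.tf reads `var.project_name` and `var.environment`, and the stack's secrets_manager.tf passes `environment`, `stack_name` and `workspace`. Unless the module has another variable file not shown in this PR, `terraform validate` rejects both the undeclared references and the unexpected `stack_name`/`workspace` arguments, and neither `stack_name` nor `workspace` is read anywhere in the module as shown. The missing declarations are sketched below; `project_name` and `tags` then also need to be passed from the stack. Minor: `Arn` in both descriptions should read `ARN`.
```hcl
variable "project_name" {
  description = "Project name used in the secret and KMS key names"
  type        = string
}

variable "environment" {
  description = "Deployment environment used in resource names"
  type        = string
}

variable "tags" {
  description = "Tags applied to the KMS key"
  type        = map(string)
  default     = {}
}
```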
Expand Up @@ -56,7 +56,11 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {

# X-Ray - Lambda tracing
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
"xray:PutTelemetryRecords",

# Secret Manager
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
]

resources = ["*"]
2 changes: 2 additions & 0 deletions infrastructure/stacks/api-layer/iam_policies.tf
Expand Up @@ -291,6 +291,8 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
}

resource "aws_iam_role_policy" "splunk_firehose_policy" {
#checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
#checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams
name = "splunk-firehose-policy"
role = aws_iam_role.splunk_firehose_assume_role.id

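Review bot: The two `checkov:skip` lines suppress the wildcard-resource findings for the whole of `splunk_firehose_policy`, but the justifications do not say which statements actually need `*`; the policy body lies outside the hunk, so that cannot be confirmed here. A Firehose delivery role typically needs CloudWatch write access only for the log group it is configured to use, so the logs statement can usually be scoped to that group (`arn:aws:logs:<region>:<account>:log-group:<firehose-log-group>:*`, placeholders) and CKV_AWS_355 resolved rather than skipped. If CKV_AWS_290 genuinely cannot be resolved, the skip comment would be more useful if it named the write actions that require the wildcard.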
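--- a/infrastructure/stacks/api-layer/secrets_manager.tf
+++ b/infrastructure/stacks/api-layer/secrets_manager.tf
@@ -0,0 +1,9 @@
+module "secrets_manager" {
+source = "../../modules/secrets_manager"
+count = length(aws_iam_role.write_access_role)
+external_write_access_role_arn = aws_iam_role.write_access_role[count.index].arn
+environment = var.environment
+stack_name = local.stack_name
+workspace = terraform.workspace
+eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
+}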
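Review bot: `count = length(aws_iam_role.write_access_role)` creates one module instance per write-access role, but every instance names its secret `${var.project_name}-${var.environment}/hashing_secret` and creates its own CMK, so a second instance fails on the duplicate secret name (Secrets Manager names are unique per account and region) and the key is needlessly duplicated. If `write_access_role` is really a 0/1 toggle this works, and a comment should say so, e.g. `# write_access_role has 0 or 1 instances; this module must never be created more than once`. Otherwise a single module instance that receives the list of role ARNs and adds each to the key and secret policies is the safer shape.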
Expand Up @@ -112,6 +112,26 @@ resource "aws_iam_policy" "dynamodb_management" {
Resource = [
"arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-${var.environment}-eligibility_datastore"
]
},

{
Effect = "Allow",
Action = [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"secretsmanager:ListTagsOfResource",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:PutResourcePolicy",
"secretsmanager:DeleteResourcePolicy"
],
Resource = [
"arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:eligibility-signposting-api-${var.environment}/*"
]
}
],
# to create test users in preprod
Expand Up @@ -244,7 +244,20 @@ data "aws_iam_policy_document" "permissions_boundary" {
"wafv2:DisassociateWebACL",
"wafv2:PutLoggingConfiguration",
"wafv2:GetLoggingConfiguration",
"wafv2:DeleteLoggingConfiguration"
"wafv2:DeleteLoggingConfiguration",

# Secret Manager
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"secretsmanager:ListTagsOfResource",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:PutResourcePolicy",
"secretsmanager:DeleteResourcePolicy"
]

resources = ["*"]