Chore: [AEA-5803] - move secret creation into psu repo (#2406)

tstephen-nhs · web-flow · commit a2571bb98418 · 2025-11-14T12:14:49.000Z
## Summary

- 🤖 Operational or Infrastructure Change

### Details

Rename secrets and bring them back from account resources
One benefit of the secrets being in the same repo as the consuming code
is that we don't need to feed the secret names into the SAM templates
but can instead use outputs of the secret template.
diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml
@@ -431,9 +431,12 @@ Resources:
           LOG_LEVEL: !Ref LogLevel
           NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL: !Ref NHSNotifyPrescriptionsSQSQueueUrl
           TABLE_NAME: !Ref PrescriptionNotificationStatesTableName
-          API_KEY_SECRET: secrets-PSU-Notify-API-Key
-          PRIVATE_KEY_SECRET: secrets-PSU-Notify-PrivateKey
-          KID_SECRET: secrets-PSU-Notify-Application-KID
+          API_KEY_SECRET:
+            Fn::ImportValue: !Sub ${StackName}-PSU-Notify-API-Key
+          PRIVATE_KEY_SECRET:
+            Fn::ImportValue: !Sub ${StackName}-PSU-Notify-PrivateKey
+          KID_SECRET:
+            Fn::ImportValue: !Sub ${StackName}-PSU-Notify-KID
           NHS_NOTIFY_ROUTING_ID_PARAM: !Ref NotifyRoutingPlanIDParam
           NOTIFY_API_BASE_URL_PARAM: !Ref NotifyAPIBaseURLParam
           MAKE_REAL_NOTIFY_REQUESTS_PARAM: !Ref EnableNotificationsExternalParam
@@ -483,6 +486,8 @@ Resources:
             - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableWritePolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStatesKMSKeyPolicyArn
             - Fn::ImportValue: !Sub ${StackName}-GetNotificationsParameterPolicy
+            - Fn::ImportValue: !Sub ${StackName}-GetPSUSecretPolicy
+            - Fn::ImportValue: !Sub ${StackName}-UsePSUSecretsKMSKeyPolicyArn
 
   NHSNotifyUpdateCallback:
     Type: AWS::Serverless::Function
@@ -495,8 +500,10 @@ Resources:
         Variables:
           LOG_LEVEL: !Ref LogLevel
           TABLE_NAME: !Ref PrescriptionNotificationStatesTableName
-          APP_ID_SECRET: secrets-PSU-Notify-Application-ID
-          API_KEY_SECRET: secrets-PSU-Notify-API-Key
+          APP_ID_SECRET:
+            Fn::ImportValue: !Sub ${StackName}-PSU-Notify-Application-ID
+          API_KEY_SECRET:
+            Fn::ImportValue: !Sub ${StackName}-PSU-Notify-API-Key
     Metadata:
       BuildMethod: esbuild
       guard:
@@ -527,6 +534,8 @@ Resources:
           - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableReadPolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStatesTableName}:TableWritePolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStatesKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-GetPSUSecretPolicy
+            - Fn::ImportValue: !Sub ${StackName}-UsePSUSecretsKMSKeyPolicyArn
         LogRetentionInDays: !Ref LogRetentionInDays
         CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         EnableSplunk: !Ref EnableSplunk
diff --git a/SAMtemplates/secrets/main.yaml b/SAMtemplates/secrets/main.yaml
@@ -6,6 +6,55 @@ Parameters:
     Default: none
 
 Resources:
+  PSUSecretsKMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: PSUSecretsKeyPolicy
+        Statement:
+          - Sid: EnableIAMUserPermissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+            Action: kms:*
+            Resource: "*"
+          - Sid: Enable read only decrypt
+            Effect: Allow
+            Principal:
+              AWS: "*"
+            Action:
+              - kms:DescribeKey
+              - kms:Decrypt
+            Resource: "*"
+            Condition:
+              ArnLike:
+                aws:PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_ReadOnly*"
+
+  PSUSecretsKMSKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub alias/${StackName}-PSUSecretsKMSKey
+      TargetKeyId: !Ref PSUSecretsKMSKey
+
+  UsePSUSecretsKMSKeyPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${StackName}-UsePSUSecretsKMSKey
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowKmsForSecretsEncryption
+            Effect: Allow
+            Action:
+              - kms:DescribeKey
+              - kms:GenerateDataKey*
+              - kms:Encrypt
+              - kms:ReEncrypt*
+              - kms:Decrypt
+            Resource: !GetAtt PSUSecretsKMSKey.Arn
+
   SQSSaltSecret:
     Type: AWS::SecretsManager::Secret
     Properties:
@@ -17,6 +66,34 @@ Resources:
         PasswordLength: 32
         ExcludePunctuation: true
 
+  PSUNotifyKIDSecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PSU-Notify-KID
+      Description: The id of the key (KID) used to sign JWT to NHS Notify and sent in the header
+      KmsKeyId: !Ref PSUSecretsKMSKey
+
+  PSUNotifyPrivateKeySecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PSU-Notify-PrivateKey
+      Description: RSA private key (PEM) for signing JWT to NHS Notify
+      KmsKeyId: !Ref PSUSecretsKMSKey
+
+  PSUNotifyApplicationIDSecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PSU-Notify-Application-ID
+      Description: The application ID for the DoS application to use when sending notifications to NHS Notify (e.g. bd492cde-b67e-487b-97fd-44b7414c8e95)
+      KmsKeyId: !Ref PSUSecretsKMSKey
+
+  PSUNotifyAPIKeySecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PSU-Notify-API-Key
+      Description: API Key for NHS Notify
+      KmsKeyId: !Ref PSUSecretsKMSKey
+
   GetSQSSaltSecretPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:
@@ -28,7 +105,25 @@ Resources:
             Action:
               - secretsmanager:GetSecretValue
               - secretsmanager:DescribeSecret
-            Resource: !Ref SQSSaltSecret
+            Resource:
+              - !Ref SQSSaltSecret
+
+  GetPSUSecretPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: "Allows reading PSU secret parameters"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - secretsmanager:GetSecretValue
+              - secretsmanager:DescribeSecret
+            Resource:
+              - !Ref PSUNotifyKIDSecret
+              - !Ref PSUNotifyPrivateKeySecret
+              - !Ref PSUNotifyApplicationIDSecret
+              - !Ref PSUNotifyAPIKeySecret
 
 Outputs:
   SQSSaltSecret:
@@ -37,8 +132,44 @@ Outputs:
     Export:
       Name: !Sub ${StackName}-SQSSaltSecret
 
+  PSUNotifyKIDSecret:
+    Description: The name of the PSU Notify KID secret
+    Value: !Ref PSUNotifyKIDSecret
+    Export:
+      Name: !Sub ${StackName}-PSU-Notify-KID
+
+  PSUNotifyPrivateKeySecret:
+    Description: The name of the PSU Notify Private Key secret
+    Value: !Ref PSUNotifyPrivateKeySecret
+    Export:
+      Name: !Sub ${StackName}-PSU-Notify-PrivateKey
+
+  PSUNotifyApplicationIDSecret:
+    Description: The name of the PSU Notify Application ID secret
+    Value: !Ref PSUNotifyApplicationIDSecret
+    Export:
+      Name: !Sub ${StackName}-PSU-Notify-Application-ID
+
+  PSUNotifyAPIKeySecret:
+    Description: The name of the PSU Notify API Key secret
+    Value: !Ref PSUNotifyAPIKeySecret
+    Export:
+      Name: !Sub ${StackName}-PSU-Notify-API-Key
+
+  GetPSUSecretPolicy:
+    Description: ARN of policy granting permission to read secrets
+    Value: !Ref GetPSUSecretPolicy
+    Export:
+      Name: !Sub ${StackName}-GetPSUSecretPolicy
+
   GetSQSSaltSecretPolicy:
     Description: ARN of policy granting permission to read the SQS salt secret
     Value: !Ref GetSQSSaltSecretPolicy
     Export:
       Name: !Sub ${StackName}-GetSQSSaltSecretPolicy
+
+  UsePSUSecretsKMSKeyPolicyArn:
+    Description: ARN of managed policy granting PSU secrets KMS usage
+    Value: !Ref UsePSUSecretsKMSKeyPolicy
+    Export:
+      Name: !Sub ${StackName}-UsePSUSecretsKMSKeyPolicyArn
