Permissions and naming

robertnovac1 · robertnovac1 · commit 2e4992b10d6f · 2025-07-01T15:29:15.000+01:00
diff --git a/infra/roles.tf b/infra/roles.tf
@@ -59,6 +59,14 @@ resource "aws_iam_role" "auto_ops" {
           AWS = "arn:aws:iam::${var.build_agent_account_id}:role/build-agent"
         },
         Action = "sts:AssumeRole"
+      },
+      {
+        Sid    = ""
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${var.imms_account_id}:role/DevOps"
+        },
+        Action = "sts:AssumeRole"
       }
     ]
   })
diff --git a/infra_old_prod/kms_dynamo.tf b/infra_old_prod/kms_dynamo.tf
@@ -50,7 +50,17 @@ resource "aws_kms_key" "dynamodb_encryption" {
       ],
       "Resource": "*"
     },
-        {
+    {
+      "Sid": "KMS KeyUser access for Admin",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::084828561157:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
+    },
+    {
       "Sid": "AllowAccountA",
       "Effect": "Allow",
       "Principal": {
diff --git a/infra_old_prod/kms_kinesis.tf b/infra_old_prod/kms_kinesis.tf
@@ -49,6 +49,16 @@ resource "aws_kms_key" "kinesis_stream_encryption" {
         "kms:GenerateDataKey*"
         ],
     "Resource": "*"
+    },
+    {
+      "Sid": "KMS KeyUser access for Admin",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::084828561157:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
     }
  ]
 }
diff --git a/infra_old_prod/kms_lambda.tf b/infra_old_prod/kms_lambda.tf
@@ -49,6 +49,16 @@ resource "aws_kms_key" "lambda_env_encryption" {
         "kms:GenerateDataKey*"
         ],
     "Resource": "*"
+    },
+    {
+      "Sid": "KMS KeyUser access for Admin",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::084828561157:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
     }
  ]
 }
diff --git a/infra_old_prod/kms_s3.tf b/infra_old_prod/kms_s3.tf
@@ -41,7 +41,17 @@ resource "aws_kms_key" "s3_shared_key" {
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
-   }
+   },
+   {
+      "Sid": "KMS KeyUser access for Admin",
+      "Effect": "Allow",
+      "Principal": { "AWS": ["arn:aws:iam::084828561157:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"] },
+      "Action": [
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+      ],
+      "Resource": "*"
+    }
  ]
 }
 POLICY
diff --git a/infra_old_prod/roles.tf b/infra_old_prod/roles.tf
@@ -59,6 +59,14 @@ resource "aws_iam_role" "auto_ops" {
           AWS = "arn:aws:iam::${var.build_agent_account_id}:role/build-agent"
         },
         Action = "sts:AssumeRole"
+      },
+      {
+        Sid    = ""
+        Effect = "Allow",
+        Principal = {
+          AWS = "arn:aws:iam::${var.imms_account_id}:role/DevOps"
+        },
+        Action = "sts:AssumeRole"
       }
     ]
   })
diff --git a/terraform_old/variables.tf b/terraform_old/variables.tf
@@ -2,10 +2,10 @@ variable "profile" {
   default = "apim-dev"
 }
 variable "aws_account_name" {
-  default = "non-prod"
+  default = "int"
 }
 variable "project_name" {
-  default = "immunisations"
+  default = "immunisation"
 }
 
 variable "project_short_name" {
@@ -19,7 +19,7 @@ variable "service" {
 data "aws_vpc" "default" {
   filter {
     name   = "tag:Name"
-    values = [local.vpc_name]
+    values = ["imms-${var.aws_account_name}-fhir-api-vpc"]
   }
 }
 
@@ -38,18 +38,19 @@ locals {
   project_domain_name = data.aws_route53_zone.project_zone.name
 }
 
+
 locals {
+  local_config            = "int"
   environment             = var.aws_account_name
   env                     = terraform.workspace
-  prefix                  = "${var.project_name}-${var.service}-${local.env}"
-  short_prefix            = "${var.project_short_name}-${local.env}"
-  batch_prefix            = "immunisation-batch-${local.env}"
-  service_domain_name     = "${local.env}.${local.project_domain_name}"
   config_env              = local.environment
-  vpc_name                = "imms-${local.config_env}-fhir-api-vpc"
+  prefix                  = "${var.project_name}-${var.service}-${local.env}-${local.local_config}"
+  short_prefix            = "${var.project_short_name}-${local.env}-${local.local_config}"
+  batch_prefix            = "immunisation-batch-${local.env}-${local.local_config}"
+  service_domain_name     = "${local.env}.${local.project_domain_name}"
   immunisation_account_id = "084828561157"
   dspp_core_account_id    = "603871901111"
-  local_config            = "int"
+
   tags = {
     Project     = var.project_name
     Environment = local.environment

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,16 @@ resource "aws_kms_key" "kinesis_stream_encryption" {`
`49`	`49`	`"kms:GenerateDataKey*"`
`50`	`50`	`],`
`51`	`51`	`"Resource": "*"`
	`52`	`+ },`
	`53`	`+ {`
	`54`	`+ "Sid": "KMS KeyUser access for Admin",`
	`55`	`+ "Effect": "Allow",`
	`56`	`+ "Principal": { "AWS": ["arn:aws:iam::084828561157:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"] },`
	`57`	`+ "Action": [`
	`58`	`+ "kms:Encrypt",`
	`59`	`+ "kms:GenerateDataKey*"`
	`60`	`+ ],`
	`61`	`+ "Resource": "*"`
`52`	`62`	`}`
`53`	`63`	`]`
`54`	`64`	`}`