NHSDigital
diff --git a/‎infra/Makefile‎
Lines changed: 6 additions & 0 deletions b/‎infra/Makefile‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎infra/auto_ops_policy.json‎
Lines changed: 222 additions & 0 deletions b/‎infra/auto_ops_policy.json‎
Lines changed: 222 additions & 0 deletions
diff --git a/‎infra/endpoints.tf‎
Lines changed: 9 additions & 9 deletions b/‎infra/endpoints.tf‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎infra/environments/int/variables.tfvars‎
Lines changed: 5 additions & 3 deletions b/‎infra/environments/int/variables.tfvars‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎infra/environments/dev/variables.tfvars‎ ‎…a/environments/non-prod/variables.tfvars‎infra/environments/dev/variables.tfvars renamed to infra/environments/non-prod/variables.tfvars
Lines changed: 4 additions & 2 deletions b/‎infra/environments/dev/variables.tfvars‎ ‎…a/environments/non-prod/variables.tfvars‎infra/environments/dev/variables.tfvars renamed to infra/environments/non-prod/variables.tfvars
Lines changed: 4 additions & 2 deletions
diff --git a/‎infra/environments/prod/variables.tfvars‎
Lines changed: 7 additions & 5 deletions b/‎infra/environments/prod/variables.tfvars‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎infra/kinesis_role.tf‎
Lines changed: 0 additions & 39 deletions b/‎infra/kinesis_role.tf‎
Lines changed: 0 additions & 39 deletions
@@ -19,6 +19,9 @@ workspace:
 init:
 	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars)
 
+init-reconfigure:
+	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure
+
 plan: workspace
 	 $(tf_cmd) plan $(tf_vars)
 
@@ -39,5 +42,8 @@ ifndef name
 endif
 	$(tf_cmd) output -raw $(name)
 
+import: 
+	$(tf_cmd) import $(tf_vars) $(to) $(id)
+
 tf-%:
 	$(tf_cmd) $*
@@ -0,0 +1,222 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateServiceSpecificCredential",
+                "firehose:*",
+                "iam:TagMFADevice",
+                "iam:ListServiceSpecificCredentials",
+                "iam:PutRolePolicy",
+                "iam:ListSigningCertificates",
+                "iam:AddRoleToInstanceProfile",
+                "ses:SendEmail",
+                "iam:SimulateCustomPolicy",
+                "iam:ListRolePolicies",
+                "iam:DeleteOpenIDConnectProvider",
+                "iam:PutGroupPolicy",
+                "iam:ListPolicies",
+                "sns:*",
+                "iam:GetRole",
+                "iam:ListSAMLProviders",
+                "apigateway:*",
+                "iam:TagPolicy",
+                "iam:UpdateServerCertificate",
+                "cloudwatch:*",
+                "pipes:*",
+                "ecs:*",
+                "ec2:*",
+                "iam:GetOpenIDConnectProvider",
+                "iam:UntagRole",
+                "iam:PutRolePermissionsBoundary",
+                "iam:TagRole",
+                "cloudtrail:*",
+                "iam:ResetServiceSpecificCredential",
+                "iam:DeleteRolePermissionsBoundary",
+                "iam:ListInstanceProfilesForRole",
+                "iam:PassRole",
+                "iam:DeleteRolePolicy",
+                "kms:*",
+                "iam:EnableMFADevice",
+                "iam:ResyncMFADevice",
+                "iam:ListCloudFrontPublicKeys",
+                "guardduty:*",
+                "iam:ListRoles",
+                "iam:DeleteUser",
+                "iam:GetContextKeysForCustomPolicy",
+                "iam:CreatePolicy",
+                "iam:CreateServiceLinkedRole",
+                "iam:AttachGroupPolicy",
+                "iam:DeleteVirtualMFADevice",
+                "ecr:*",
+                "iam:UpdateRole",
+                "iam:UntagOpenIDConnectProvider",
+                "iam:ListGroups",
+                "iam:UntagInstanceProfile",
+                "iam:DeleteServiceSpecificCredential",
+                "iam:TagOpenIDConnectProvider",
+                "iam:DeleteSAMLProvider",
+                "iam:UpdateAssumeRolePolicy",
+                "iam:GetPolicyVersion",
+                "application-autoscaling:*",
+                "iam:DeleteGroup",
+                "iam:GetMFADevice",
+                "iam:ListServerCertificates",
+                "iam:RemoveRoleFromInstanceProfile",
+                "iam:UpdateGroup",
+                "dynamodb:*",
+                "iam:ListVirtualMFADevices",
+                "servicediscovery:*",
+                "cloudfront:*",
+                "iam:ListSSHPublicKeys",
+                "iam:GetAccountEmailAddress",
+                "iam:ListOpenIDConnectProviderTags",
+                "config:*",
+                "ebs:*",
+                "iam:DeleteCloudFrontPublicKey",
+                "events:*",
+                "iam:ChangePassword",
+                "iam:UpdateLoginProfile",
+                "iam:GetServerCertificate",
+                "iam:GetAccessKeyLastUsed",
+                "iam:UpdateSSHPublicKey",
+                "iam:UpdateAccountPasswordPolicy",
+                "iam:DeleteServiceLinkedRole",
+                "iam:ListSTSRegionalEndpointsStatus",
+                "iam:GetAccountSummary",
+                "iam:DeletePolicy",
+                "iam:CreateVirtualMFADevice",
+                "iam:ListMFADevices",
+                "iam:AddUserToGroup",
+                "tag:*",
+                "iam:CreatePolicyVersion",
+                "iam:GetInstanceProfile",
+                "elasticloadbalancing:*",
+                "iam:UntagServerCertificate",
+                "iam:ListUserPolicies",
+                "iam:TagUser",
+                "iam:ListPolicyVersions",
+                "iam:ListOpenIDConnectProviders",
+                "lambda:*",
+                "iam:ListUsers",
+                "iam:UpdateSigningCertificate",
+                "iam:ListUserTags",
+                "iam:GetAccountPasswordPolicy",
+                "iam:DeactivateMFADevice",
+                "iam:DeleteAccessKey",
+                "rds:*",
+                "iam:ListRoleTags",
+                "iam:UpdateCloudFrontPublicKey",
+                "iam:GenerateServiceLastAccessedDetails",
+                "iam:UpdateOpenIDConnectProviderThumbprint",
+                "iam:SetSecurityTokenServicePreferences",
+                "iam:DeleteServerCertificate",
+                "quicksight:*",
+                "iam:UploadSSHPublicKey",
+                "iam:DetachGroupPolicy",
+                "iam:GetCredentialReport",
+                "iam:UpdateServiceSpecificCredential",
+                "iam:GetPolicy",
+                "iam:RemoveClientIDFromOpenIDConnectProvider",
+                "iam:ListEntitiesForPolicy",
+                "iam:DeleteRole",
+                "iam:UpdateRoleDescription",
+                "iam:UploadCloudFrontPublicKey",
+                "iam:GetRolePolicy",
+                "iam:CreateInstanceProfile",
+                "iam:GenerateCredentialReport",
+                "sqs:*",
+                "iam:GetServiceLastAccessedDetails",
+                "athena:*",
+                "iam:GetServiceLinkedRoleDeletionStatus",
+                "iam:ListAttachedGroupPolicies",
+                "iam:ListPolicyTags",
+                "iam:DeleteAccountAlias",
+                "iam:UpdateSAMLProvider",
+                "iam:ListAccessKeys",
+                "iam:DeleteInstanceProfile",
+                "elasticfilesystem:*",
+                "cognito-identity:*",
+                "s3:*",
+                "iam:ListGroupPolicies",
+                "ses:SendRawEmail",
+                "iam:GetSSHPublicKey",
+                "iam:PutUserPermissionsBoundary",
+                "iam:DeleteUserPermissionsBoundary",
+                "ssm:*",
+                "iam:ListServerCertificateTags",
+                "iam:PutUserPolicy",
+                "iam:TagServerCertificate",
+                "iam:ListAccountAliases",
+                "iam:UntagPolicy",
+                "iam:GetUser",
+                "iam:GetLoginProfile",
+                "acm:*",
+                "iam:TagInstanceProfile",
+                "iam:SetDefaultPolicyVersion",
+                "logs:*",
+                "iam:CreateRole",
+                "iam:AttachRolePolicy",
+                "iam:SetSTSRegionalEndpointStatus",
+                "iam:TagSAMLProvider",
+                "autoscaling:*",
+                "iam:CreateLoginProfile",
+                "iam:DetachRolePolicy",
+                "iam:SimulatePrincipalPolicy",
+                "secretsmanager:*",
+                "iam:ListAttachedRolePolicies",
+                "iam:CreateAccountAlias",
+                "iam:ListSAMLProviderTags",
+                "kinesis:*",
+                "iam:DetachUserPolicy",
+                "iam:GetAccountAuthorizationDetails",
+                "iam:CreateGroup",
+                "iam:UntagSAMLProvider",
+                "iam:UpdateUser",
+                "iam:DeleteUserPolicy",
+                "iam:AttachUserPolicy",
+                "iam:UpdateAccessKey",
+                "iam:DeleteSigningCertificate",
+                "iam:GetUserPolicy",
+                "waf:*",
+                "iam:ListGroupsForUser",
+                "iam:GetAccountName",
+                "cognito-idp:*",
+                "iam:GetGroupPolicy",
+                "iam:GetServiceLastAccessedDetailsWithEntities",
+                "iam:ListPoliciesGrantingServiceAccess",
+                "iam:DeleteSSHPublicKey",
+                "iam:ListInstanceProfileTags",
+                "iam:CreateUser",
+                "iam:GetGroup",
+                "glue:*",
+                "iam:GetOrganizationsAccessReport",
+                "iam:CreateAccessKey",
+                "iam:GetContextKeysForPrincipalPolicy",
+                "iam:UpdateAccountName",
+                "iam:RemoveUserFromGroup",
+                "wafv2:*",
+                "iam:GetCloudFrontPublicKey",
+                "iam:ListAttachedUserPolicies",
+                "iam:UpdateAccountEmailAddress",
+                "iam:GetSAMLProvider",
+                "iam:DeleteLoginProfile",
+                "iam:UploadSigningCertificate",
+                "iam:DeleteAccountPasswordPolicy",
+                "iam:ListInstanceProfiles",
+                "iam:CreateOpenIDConnectProvider",
+                "iam:UploadServerCertificate",
+                "iam:UntagUser",
+                "iam:UntagMFADevice",
+                "route53:*",
+                "iam:DeleteGroupPolicy",
+                "iam:ListMFADeviceTags",
+                "elasticache:*",
+                "iam:DeletePolicyVersion"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
@@ -216,8 +216,7 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
 
 # TODO - remove and use the key we manage in this Terraform workspace
 data "aws_kms_key" "existing_lambda_env_encryption" {
-  count = local.account == "non-prod" ? 1 : 0
-
+  count  = var.environment == "non-prod" ? 1 : 0
   key_id = "648c8c6f-54bf-4b79-ad72-0be6e8d72423"
 }
 
@@ -243,14 +242,15 @@ resource "aws_vpc_endpoint" "kms_endpoint" {
           "kms:Encrypt",
           "kms:GenerateDataKey*"
         ],
-        Resource = local.account == "non-prod" ? [
+        Resource = var.environment == "prod" ? [
           aws_kms_key.lambda_env_encryption.arn,
-          #aws_kms_key.s3_shared_key.arn,
-          data.aws_kms_key.existing_lambda_env_encryption[0].arn
-          ] : [
-          aws_kms_key.lambda_env_encryption.arn
-          #aws_kms_key.s3_shared_key.arn
-        ]
+          aws_kms_key.s3_shared_key.arn
+          ] : concat([
+            aws_kms_key.lambda_env_encryption.arn,
+            aws_kms_key.s3_shared_key.arn
+            ], length(data.aws_kms_key.existing_lambda_env_encryption) > 0 ? [
+            data.aws_kms_key.existing_lambda_env_encryption[0].arn
+        ] : [])
       }
     ]
   })
 
@@ -1,5 +1,7 @@
-imms_account_id = 084828561157
-dspp_account_id = 603871901111
+imms_account_id = "084828561157"
+dspp_account_id = "603871901111"
 admin_role      = "aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
-dev_ops_role    = "DevOps"
+dev_ops_role    = "aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"
 auto_ops_role   = "auto-ops"
+dspp_admin_role = "root"
+environment     = "int"
@@ -1,5 +1,7 @@
-imms_account_id = 345594581768
-dspp_account_id = 603871901111
+imms_account_id = "345594581768"
+dspp_account_id = "603871901111"
 admin_role      = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role    = "DevOps"
 auto_ops_role   = "auto-ops"
+dspp_admin_role = "root"
+environment     = "non-prod"
@@ -1,6 +1,8 @@
-imms_account_id = 664418956997
-dspp_account_id = 232116723729
+imms_account_id = "664418956997"
+dspp_account_id = "232116723729"
 # TODO: Fill in the values below
-admin_role    = ""
-dev_ops_role  = ""
-auto_ops_role = ""
+admin_role      = "" # We shouldn't be using the root account. There should be an Admin role
+dev_ops_role    = ""
+auto_ops_role   = "auto-ops"
+dspp_admin_role = "root"
+environment     = "prod"