[NDR-343] Add SSM param to terraform (#549)

jameslinnell · web-flow · commit 44c5343cbab4 · 2025-12-30T11:06:04.000Z
diff --git a/infrastructure/core.tf b/infrastructure/core.tf
@@ -0,0 +1,14 @@
+# A set of resources that do not belong to one workspace but are shared across the environment.
+
+module "ssm_param_mtls_common_names" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "mtls_common_names"
+  type                 = "SecureString"
+  description          = "A list of mtls common names that will be used to determine authorisation and resources."
+  value                = "REPLACE_ME"
+  key_id               = module.pdm_encryption_key.id
+  ignore_value_changes = true
+}
diff --git a/infrastructure/lambda-get-document-fhir.tf b/infrastructure/lambda-get-document-fhir.tf
@@ -42,6 +42,7 @@ module "get-doc-fhir-lambda" {
     module.pdm_dynamodb_table.dynamodb_read_policy_document,
     module.core_dynamodb_table.dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
+    aws_iam_policy.mtls_access_ssm_policy.policy,
     module.ndr-lloyd-george-store.s3_read_policy_document,
     module.pdm-document-store.s3_read_policy_document,
   ]
diff --git a/infrastructure/lambda-post-document-fhir.tf b/infrastructure/lambda-post-document-fhir.tf
@@ -9,6 +9,7 @@ module "post-document-references-fhir-lambda" {
     module.core_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.ndr-app-config.app_config_policy,
+    aws_iam_policy.mtls_access_ssm_policy.policy,
     aws_iam_policy.ssm_access_policy.policy
   ]
   kms_deletion_window = var.kms_deletion_window
diff --git a/infrastructure/lambda-search-document-references-fhir.tf b/infrastructure/lambda-search-document-references-fhir.tf
@@ -13,7 +13,9 @@ module "search-document-references-fhir-lambda" {
     module.core_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-lloyd-george-store.s3_read_policy_document,
     module.ndr-document-store.s3_read_policy_document,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.mtls_access_ssm_policy.policy,
+    aws_iam_policy.ssm_access_policy.policy
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
@@ -109,3 +109,21 @@ resource "aws_iam_policy" "transfer_family_kill_switch" {
     ]
   })
 }
+
+resource "aws_iam_policy" "mtls_access_ssm_policy" {
+  name = "${terraform.workspace}_mtls_ssm_parameters"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+        ],
+        Resource = [
+          module.pdm_encryption_key.kms_arn
+        ]
+      }
+    ]
+  })
+}

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ module "get-doc-fhir-lambda" {`
`42`	`42`	`module.pdm_dynamodb_table.dynamodb_read_policy_document,`
`43`	`43`	`module.core_dynamodb_table.dynamodb_read_policy_document,`
`44`	`44`	`aws_iam_policy.ssm_access_policy.policy,`
	`45`	`+ aws_iam_policy.mtls_access_ssm_policy.policy,`
`45`	`46`	`module.ndr-lloyd-george-store.s3_read_policy_document,`
`46`	`47`	`module.pdm-document-store.s3_read_policy_document,`
`47`	`48`	`]`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ module "post-document-references-fhir-lambda" {`
`9`	`9`	`module.core_dynamodb_table.dynamodb_write_policy_document,`
`10`	`10`	`module.ndr-bulk-staging-store.s3_write_policy_document,`
`11`	`11`	`module.ndr-app-config.app_config_policy,`
	`12`	`+ aws_iam_policy.mtls_access_ssm_policy.policy,`
`12`	`13`	`aws_iam_policy.ssm_access_policy.policy`
`13`	`14`	`]`
`14`	`15`	`kms_deletion_window = var.kms_deletion_window`