[NDR-343] Allow workspaces to access SSM parameters belonging to the persistent workspace for that environment. (#551)

Author: jameslinnell

infrastructure/main.tf

@@ -79,3 +79,12 @@ data "aws_ssm_parameter" "apim_url" {
   name = "/repo/${var.environment}/user-input/apim-api-url"
 }
 
+data "terraform_remote_state" "shared" {
+  backend = "s3"
+
+  config = {
+    bucket = local.shared_terraform_state_bucket
+    key    = "env:/${var.shared_infra_workspace}/ndr/terraform.tfstate"
+    region = "eu-west-2"
+  }
+}

infrastructure/policies.tf

@@ -121,7 +121,7 @@ resource "aws_iam_policy" "mtls_access_ssm_policy" {
           "kms:Decrypt",
         ],
         Resource = [
-          module.pdm_encryption_key.kms_arn
+          local.common_name_kms_key_arn
         ]
       }
     ]

infrastructure/preprod.tfvars

@@ -1,4 +1,5 @@
 environment                       = "pre-prod"
+shared_infra_workspace            = "pre-prod"
 owner                             = "nhse/ndr-team"
 domain                            = "national-document-repository.nhs.uk"
 certificate_domain                = "pre-prod.national-document-repository.nhs.uk"

infrastructure/prod.tfvars

@@ -1,4 +1,5 @@
 environment                       = "prod"
+shared_infra_workspace            = "prod"
 owner                             = "nhse/ndr-team"
 domain                            = "national-document-repository.nhs.uk"
 certificate_domain                = "national-document-repository.nhs.uk"

infrastructure/test.tfvars

@@ -1,4 +1,5 @@
 environment                       = "test"
+shared_infra_workspace            = "ndr-test"
 owner                             = "nhse/ndr-team"
 domain                            = "access-request-fulfilment.patient-deductions.nhs.uk"
 certificate_domain                = "ndr-test.access-request-fulfilment.patient-deductions.nhs.uk"

infrastructure/variable.tf

@@ -274,8 +274,10 @@ locals {
 
   apim_api_url = "https://${var.apim_environment}api.service.nhs.uk/national-document-repository/FHIR/R4"
 
-  truststore_bucket_id = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
-  truststore_uri       = "s3://${local.truststore_bucket_id}/${var.ca_pem_filename}"
+  truststore_bucket_id          = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
+  truststore_uri                = "s3://${local.truststore_bucket_id}/${var.ca_pem_filename}"
+  shared_terraform_state_bucket = "ndr-${var.environment}-terraform-state-${data.aws_caller_identity.current.account_id}"
+  common_name_kms_key_arn       = local.is_sandbox ? data.terraform_remote_state.shared.outputs.pdm_kms_key_arn : module.pdm_encryption_key.kms_arn
 }
 
 variable "nrl_api_endpoint_suffix" {
@@ -321,3 +323,9 @@ variable "ssh_key_management_dry_run" {
   type        = bool
   default     = false
 }
+
+variable "shared_infra_workspace" {
+  description = "Workspace that owns shared infra like SSM and KMS"
+  type        = string
+  default     = "ndr-dev"
+}