chore: create infra for svc search 3

tstephen-nhs · tstephen-nhs · commit 527c6f65b99d · 2025-12-19T17:14:15.000Z
diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml
@@ -22,6 +22,7 @@ Globals:
         SpinePartyKeyARN: !ImportValue account-resources:SpinePartyKey
         SpineCAChainARN: !ImportValue account-resources:SpineCAChain
         ServiceSearchApiKeyARN: !ImportValue account-resources:ServiceSearchApiKey
+        ServiceSearch3ApiKeyARN: !Ref ServiceSearch3ApiKeyARN
     Layers:
       - !Sub arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:52
 
@@ -30,6 +31,10 @@ Parameters:
     Type: String
     Default: none
 
+  ServiceSearch3ApiKeyARN:
+    Type: String
+    Description: ARN of the Service Search API v3 Key Secret
+
   Env:
     Type: String
     Default: dev
@@ -68,6 +73,14 @@ Parameters:
   SSMParameterPolicy:
     Type: String
 
+  SecretsPolicy:
+    Type: String
+    Description: ARN of the policy to read secrets
+
+  KMSPolicy:
+    Type: String
+    Description: ARN of the policy to use KMS key
+
 Resources:
   GetSecretsLayer:
     Type: AWS::Serverless::LayerVersion
@@ -121,6 +134,8 @@ Resources:
           - ","
           - - !ImportValue account-resources:LambdaAccessSecretsPolicy
             - !Ref SSMParameterPolicy
+            - !Ref SecretsPolicy
+            - !Ref KMSPolicy
         LogRetentionInDays: !Ref LogRetentionInDays
         CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         EnableSplunk: !Ref EnableSplunk
diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -168,6 +168,16 @@ Resources:
         CommitId: !Ref CommitId
         ToggleGetStatusUpdates: !Ref ToggleGetStatusUpdates
         SSMParameterPolicy: !GetAtt Parameters.Outputs.GetPfPParameterPolicy
+        ServiceSearch3ApiKeyARN: !GetAtt Secrets.Outputs.PfPServiceSearchApiKeySecret
+        SecretsPolicy: !GetAtt Secrets.Outputs.GetPfPSecretPolicy
+        KMSPolicy: !GetAtt Secrets.Outputs.UsePfPSecretsKMSKeyPolicyArn
+
+  Secrets:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: secrets/main.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
 
   StateMachines:
     Type: AWS::Serverless::Application
diff --git a/SAMtemplates/secrets/main.yaml b/SAMtemplates/secrets/main.yaml
@@ -0,0 +1,96 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+  StackName:
+    Type: String
+    Default: none
+
+Resources:
+  PfPSecretsKMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: PfPSecretsKeyPolicy
+        Statement:
+          - Sid: EnableIAMUserPermissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+            Action: kms:*
+            Resource: "*"
+          - Sid: Enable read only decrypt
+            Effect: Allow
+            Principal:
+              AWS: "*"
+            Action:
+              - kms:DescribeKey
+              - kms:Decrypt
+            Resource: "*"
+            Condition:
+              ArnLike:
+                aws:PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_ReadOnly*"
+
+  PfPSecretsKMSKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub alias/${StackName}-PfPSecretsKMSKey
+      TargetKeyId: !Ref PfPSecretsKMSKey
+
+  UsePfPSecretsKMSKeyPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${StackName}-UsePfPSecretsKMSKey
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowKmsForSecretsEncryption
+            Effect: Allow
+            Action:
+              - kms:DescribeKey
+              - kms:GenerateDataKey*
+              - kms:Encrypt
+              - kms:ReEncrypt*
+              - kms:Decrypt
+            Resource: !GetAtt PfPSecretsKMSKey.Arn
+
+  PfPServiceSearchApiKeySecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PfP-ServiceSearch-API-Key
+      Description: API Key for Service Search
+      KmsKeyId: !Ref PfPSecretsKMSKey
+
+  GetPfPSecretPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: "Allows reading PfP secret parameters"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - secretsmanager:GetSecretValue
+              - secretsmanager:DescribeSecret
+            Resource:
+              - !Ref PfPServiceSearchApiKeySecret
+
+Outputs:
+  PfPServiceSearchApiKeySecret:
+    Description: The name of the PfP Service Search API Key secret
+    Value: !Ref PfPServiceSearchApiKeySecret
+    Export:
+      Name: !Sub ${StackName}-PfP-ServiceSearch-API-Key
+
+  GetPfPSecretPolicy:
+    Description: ARN of policy granting permission to read secrets
+    Value: !Ref GetPfPSecretPolicy
+    Export:
+      Name: !Sub ${StackName}-GetPfPSecretPolicy
+
+  UsePfPSecretsKMSKeyPolicyArn:
+    Description: ARN of managed policy granting PfP secrets KMS usage
+    Value: !Ref UsePfPSecretsKMSKeyPolicy
+    Export:
+      Name: !Sub ${StackName}-UsePfPSecretsKMSKeyPolicyArn
