Merge pull request #8585 from ministryofjustice/feature/update-delega…

…te-access Assume role in MP account to resolve secrets access issue in Sprinkler account workflow
ministryofjustice · Nov 25, 2024 · 20979bf · 20979bf
2 parents affc6d7 + a209e32
commit 20979bf
Show file tree

Hide file tree

Showing 13 changed files with 69 additions and 12 deletions.
diff --git a/terraform/environments/bootstrap/delegate-access/iam.tf b/terraform/environments/bootstrap/delegate-access/iam.tf
@@ -3,8 +3,13 @@ module "cross-account-access" {
   providers = {
     aws = aws.workspace
   }
-  account_id             = local.modernisation_platform_account.id
-  policy_arn             = "arn:aws:iam::aws:policy/AdministratorAccess"
-  role_name              = "ModernisationPlatformAccess"
-  additional_trust_roles = terraform.workspace == "testing-test" ? ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:user/testing-ci"] : []
+  account_id = local.modernisation_platform_account.id
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  role_name  = "ModernisationPlatformAccess"
+  additional_trust_roles = concat(
+    [
+      "arn:aws:iam::${local.environment_management.account_ids["sprinkler-development"]}:role/github-actions"
+    ],
+    terraform.workspace == "testing-test" ? ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:user/testing-ci"] : []
+  )
 }
diff --git a/terraform/environments/bootstrap/member-bootstrap/locals.tf b/terraform/environments/bootstrap/member-bootstrap/locals.tf
@@ -6,6 +6,12 @@ data "aws_caller_identity" "modernisation-platform" {
   provider = aws.modernisation-platform
 }
 
+# To Get Modernisation Platform Account Number
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+  provider = aws.modernisation-platform
+  name = "modernisation_platform_account_id"
+}
+
 data "aws_iam_session_context" "whoami" {
   arn = data.aws_caller_identity.current.arn
 }

diff --git a/terraform/environments/bootstrap/member-bootstrap/notifications.tf b/terraform/environments/bootstrap/member-bootstrap/notifications.tf
@@ -89,13 +89,13 @@ resource "aws_cloudwatch_metric_alarm" "backup_vault_config_alarm" {
 
 # Keys for pagerduty
 data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" {
-  provider  = aws.modernisation-platform
+  provider  = aws.modernisation-secrets-read
   secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id
 }
 
 # Get the map of pagerduty integration keys
 data "aws_secretsmanager_secret" "pagerduty_integration_keys" {
-  provider = aws.modernisation-platform
+  provider = aws.modernisation-secrets-read
   name     = "pagerduty_integration_keys"
 }
 

diff --git a/terraform/environments/bootstrap/member-bootstrap/providers.tf b/terraform/environments/bootstrap/member-bootstrap/providers.tf
@@ -6,6 +6,15 @@ provider "aws" {
   }
 }
 
+# AWS provider (modernisation-secrets-read): Required for assuming a role into modernisation platform account to read secrets
+provider "aws" {
+  alias  = "modernisation-secrets-read"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${data.aws_ssm_parameter.modernisation_platform_account_id.value}:role/modernisation-account-limited-read-member-access"
+  }
+}
+
 # AWS provider for the workspace you're working in but in us-east-1, to do things like accepting License Manager grants
 provider "aws" {
   region = "us-east-1"

diff --git a/terraform/environments/bootstrap/member-bootstrap/secrets.tf b/terraform/environments/bootstrap/member-bootstrap/secrets.tf
@@ -1,11 +1,11 @@
 # Get secret by name for environment management
 data "aws_secretsmanager_secret" "environment_management" {
-  provider = aws.modernisation-platform
+  provider = aws.modernisation-secrets-read
   name     = "environment_management"
 }
 
 # Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
 data "aws_secretsmanager_secret_version" "environment_management" {
-  provider  = aws.modernisation-platform
+  provider  = aws.modernisation-secrets-read
   secret_id = data.aws_secretsmanager_secret.environment_management.id
 }
diff --git a/terraform/environments/bootstrap/secure-baselines/locals.tf b/terraform/environments/bootstrap/secure-baselines/locals.tf
@@ -2,6 +2,11 @@
 # We use that to ensure a Modernisation Platform member account remains part of the AWS Organization.
 data "aws_organizations_organization" "root_account" {}
 
+# To Get Modernisation Platform Account Number
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+  name = "modernisation_platform_account_id"
+}
+
 locals {
   enable-cloudtrail-events         = strcontains(terraform.workspace, "digital-prison-reporting") ? false : true
   reduced_preprod_backup_retention = strcontains(terraform.workspace, "ccms-ebs") ? true : false

diff --git a/terraform/environments/bootstrap/secure-baselines/main.tf b/terraform/environments/bootstrap/secure-baselines/main.tf
@@ -81,12 +81,14 @@ module "baselines" {
 
 # Keys for pagerduty
 data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" {
+  provider  = aws.modernisation-secrets-read
   secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id
 }
 
 # Get the map of pagerduty integration keys
 data "aws_secretsmanager_secret" "pagerduty_integration_keys" {
-  name = "pagerduty_integration_keys"
+  provider = aws.modernisation-secrets-read
+  name     = "pagerduty_integration_keys"
 }
 
 # Keys for pagerduty

diff --git a/terraform/environments/bootstrap/secure-baselines/providers.tf b/terraform/environments/bootstrap/secure-baselines/providers.tf
@@ -3,6 +3,15 @@ provider "aws" {
   region = "eu-west-2"
 }
 
+# AWS provider (modernisation-secrets-read): Required for assuming a role into modernisation platform account to read secrets
+provider "aws" {
+  alias  = "modernisation-secrets-read"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${data.aws_ssm_parameter.modernisation_platform_account_id.value}:role/modernisation-account-limited-read-member-access"
+  }
+}
+
 # AWS provider (workspace): the workspace account. Required for assuming a role into an account for bootstrapping
 provider "aws" {
   alias  = "workspace"

diff --git a/terraform/environments/bootstrap/secure-baselines/secrets.tf b/terraform/environments/bootstrap/secure-baselines/secrets.tf
@@ -1,9 +1,11 @@
 # Get secret by name for environment management
 data "aws_secretsmanager_secret" "environment_management" {
-  name = "environment_management"
+  provider = aws.modernisation-secrets-read
+  name     = "environment_management"
 }
 
 # Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
 data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-secrets-read
   secret_id = data.aws_secretsmanager_secret.environment_management.id
 }
diff --git a/terraform/environments/bootstrap/single-sign-on/data.tf b/terraform/environments/bootstrap/single-sign-on/data.tf
@@ -1,4 +1,9 @@
 data "aws_s3_bucket" "mod_platform_artefact" {
   provider = aws.core-shared-services
   bucket   = "mod-platform-image-artefact-bucket20230203091453221500000001"
+}
+
+# To Get Modernisation Platform Account Number
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+  name = "modernisation_platform_account_id"
 }
diff --git a/terraform/environments/bootstrap/single-sign-on/providers.tf b/terraform/environments/bootstrap/single-sign-on/providers.tf
@@ -12,6 +12,15 @@ provider "aws" {
   }
 }
 
+# AWS provider (modernisation-secrets-read): Required for assuming a role into modernisation platform account to read secrets
+provider "aws" {
+  alias  = "modernisation-secrets-read"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${data.aws_ssm_parameter.modernisation_platform_account_id.value}:role/modernisation-account-limited-read-member-access"
+  }
+}
+
 # AWS provider (workspace): the workspace account. Required for assuming a role into an account for bootstrapping
 provider "aws" {
   alias  = "workspace"

diff --git a/terraform/environments/bootstrap/single-sign-on/secrets.tf b/terraform/environments/bootstrap/single-sign-on/secrets.tf
@@ -1,9 +1,11 @@
 # Get secret by name for environment management
 data "aws_secretsmanager_secret" "environment_management" {
-  name = "environment_management"
+  provider = aws.modernisation-secrets-read
+  name     = "environment_management"
 }
 
 # Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
 data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-secrets-read
   secret_id = data.aws_secretsmanager_secret.environment_management.id
 }
diff --git a/terraform/modernisation-platform-account/iam.tf b/terraform/modernisation-platform-account/iam.tf
@@ -209,7 +209,10 @@ data "aws_iam_policy_document" "modernisation_account_terraform_state_role" {
       "s3:GetObject",
       "s3:PutObject",
     ]
-    resources = ["arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*"]
+    resources = [
+      "arn:aws:s3:::modernisation-platform-terraform-state/environments/members/*",
+      "arn:aws:s3:::modernisation-platform-terraform-state/environments/bootstrap/*"
+    ]
   }
 }