Merge remote-tracking branch 'origin/main' into PRMP-939

Author: PedroSoaresNHS

.github/workflows/deploy-pre-prod.yml

@@ -44,8 +44,8 @@ jobs:
         run: |
           echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
 
-  terraform_plan_apply:
-    name: Terraform Plan/Apply (pre-prod)
+  terraform_plan_apply_base_iam:
+    name: Terraform Plan/Apply base-iam (pre-prod)
     runs-on: ubuntu-latest
     needs: ["tag_main"]
     environment: pre-prod
@@ -56,43 +56,38 @@ jobs:
           ref: ${{ needs.tag_main.outputs.version }}
           fetch-depth: "0"
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
         with:
-          terraform_version: 1.14.3
-          terraform_wrapper: false
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend-pre-prod.conf
-        working-directory: ./infrastructure
-        shell: bash
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-bootstrap
+          bucket_prefix: "pre-prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
-        working-directory: ./infrastructure
-        shell: bash
 
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
+  terraform_plan_apply:
+    name: Terraform Plan/Apply infrastructure (pre-prod)
+    runs-on: ubuntu-latest
+    needs: ["tag_main", "terraform_plan_apply_base_iam"]
+    environment: pre-prod
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.tag_main.outputs.version }}
+          fetch-depth: "0"
 
-      - name: Run Terraform Apply
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Main
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          # use newly updated role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-actions-role
+          bucket_prefix: "pre-prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}

base_iam/iam_github_pre-prod.tf

@@ -1,10 +1,10 @@
-# aws_iam_role.github_role_pre-prod[0]:
-resource "aws_iam_role" "github_role_pre_prod" {
+# aws_iam_role.pre_prod_github_actions[0]:
+resource "aws_iam_role" "pre_prod_github_actions" {
   count                 = local.is_pre_production ? 1 : 0
-  description           = "This role is to provide access for GitHub actions to the pre-prod environment. "
+  name                  = "${terraform.workspace}-github-actions-role"
+  description           = "This role is to provide access for GitHub Actions to the ${terraform.workspace} environment."
   force_detach_policies = false
   max_session_duration  = 3600
-  name                  = "Github-Actions-pre-prod-role"
   name_prefix           = null
   path                  = "/"
   permissions_boundary  = null
@@ -30,13 +30,6 @@ resource "aws_iam_role" "github_role_pre_prod" {
             Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
           }
         },
-        {
-          Action = "sts:AssumeRole"
-          Effect = "Allow"
-          Principal = {
-            AWS = "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/AWSReservedSSO_DomainCGpit-Administrators_3f00be4c22ce78e5/ABKH2@hscic.gov.uk"
-          }
-        },
       ]
       Version = "2012-10-17"
     }
@@ -48,7 +41,7 @@ resource "aws_iam_role" "github_role_pre_prod" {
 
 resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "cloudfront_policy"
   policy = jsonencode(
     {
@@ -68,7 +61,7 @@ resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" {
             "cloudfront:CreateInvalidation",
             "cloudfront:UpdateOriginAccessControl",
             "cloudfront:CreateOriginRequestPolicy",
-            "cloudfront:UpdateOriginRequestPolicy"
+            "cloudfront:UpdateOriginRequestPolicy",
           ]
           Effect   = "Allow"
           Resource = "*"
@@ -82,7 +75,7 @@ resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" {
 
 resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "cloudwatch_logs_policy"
   policy = jsonencode(
     {
@@ -112,7 +105,7 @@ resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" {
 
 resource "aws_iam_role_policy" "ecr_policy_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "ecr_policy"
   policy = jsonencode(
     {
@@ -141,7 +134,7 @@ resource "aws_iam_role_policy" "ecr_policy_pre_prod" {
 
 resource "aws_iam_role_policy" "ecs_policy_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "ecs_policy"
   policy = jsonencode(
     {
@@ -163,7 +156,7 @@ resource "aws_iam_role_policy" "ecs_policy_pre_prod" {
 
 resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "github-extended-policy-virus-scanner"
   policy = jsonencode(
     {
@@ -198,7 +191,7 @@ resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" {
 
 resource "aws_iam_role_policy" "lambda_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "lambda"
   policy = jsonencode(
     {
@@ -234,7 +227,7 @@ resource "aws_iam_role_policy" "lambda_pre_prod" {
 
 resource "aws_iam_role_policy" "mtls_gateway_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "mtls-gateway"
   policy = jsonencode(
     {
@@ -302,7 +295,7 @@ resource "aws_iam_role_policy" "mtls_gateway_pre_prod" {
 
 resource "aws_iam_role_policy" "resource_tagging_pre_prod" {
   count = local.is_pre_production ? 1 : 0
-  role  = aws_iam_role.github_role_pre_prod[0].id
+  role  = aws_iam_role.pre_prod_github_actions[0].name
   name  = "resource_tagging"
   policy = jsonencode(
     {
@@ -437,23 +430,129 @@ resource "aws_iam_role_policy" "resource_tagging_pre_prod" {
   )
 }
 
+resource "aws_iam_role_policy" "rum_policy_pre_prod" {
+  count = local.is_pre_production ? 1 : 0
+  role  = aws_iam_role.pre_prod_github_actions[0].name
+  name  = "rum_policy"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = [
+            "cognito-identity:SetIdentityPoolRoles",
+            "cognito-identity:CreateIdentityPool",
+            "cognito-identity:DeleteIdentityPool",
+            "cognito-identity:UpdateIdentityPool",
+          ]
+          Effect   = "Allow"
+          Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*"
+          Sid      = "AllowIdentityPool"
+        },
+        {
+          Action = [
+            "rum:TagResource",
+            "rum:UntagResource",
+            "rum:ListTagsForResource",
+            "iam:PassRole",
+            "rum:UpdateAppMonitor",
+            "rum:GetAppMonitor",
+            "rum:CreateAppMonitor",
+            "rum:DeleteAppMonitor",
+          ]
+          Effect   = "Allow"
+          Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*"
+          Sid      = "AllowAppMonitor"
+        },
+        {
+          Action = [
+            "logs:DeleteLogGroup",
+            "logs:DeleteResourcePolicy",
+            "logs:DescribeLogGroups",
+          ]
+          Effect   = "Allow"
+          Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*"
+          Sid      = "AllowRumServiceLogs"
+        },
+        {
+          Action = [
+            "logs:CreateLogDelivery",
+            "logs:GetLogDelivery",
+            "logs:UpdateLogDelivery",
+            "logs:DeleteLogDelivery",
+            "logs:ListLogDeliveries",
+            "logs:DescribeResourcePolicies",
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+          Sid      = "AllowRumServiceAllLogs"
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
+resource "aws_iam_role_policy" "scheduler_policy_pre_prod" {
+  count = local.is_pre_production ? 1 : 0
+  role  = aws_iam_role.pre_prod_github_actions[0].name
+  name  = "scheduler_policy"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action   = "scheduler:DeleteSchedule"
+          Effect   = "Allow"
+          Resource = "*"
+          Sid      = "VisualEditor0"
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
+resource "aws_iam_role_policy" "step_functions_pre_prod" {
+  count = local.is_pre_production ? 1 : 0
+  role  = aws_iam_role.pre_prod_github_actions[0].name
+  name  = "step_functions"
+  policy = jsonencode(
+    {
+      Statement = [
+        {
+          Action = [
+            "states:DescribeStateMachine",
+            "states:UpdateStateMachine",
+            "states:DeleteStateMachine",
+            "states:CreateStateMachine",
+            "states:TagResource",
+            "states:UntagResource",
+          ]
+          Effect   = "Allow"
+          Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*"
+          Sid      = "VisualEditor0"
+        },
+      ]
+      Version = "2012-10-17"
+    }
+  )
+}
+
 
-##############################################################################################################
 # ATTACHED POLICIES
 
 resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_pre_prod" {
   count      = local.is_pre_production ? 1 : 0
-  role       = aws_iam_role.github_role_pre_prod[0].name
+  role       = aws_iam_role.pre_prod_github_actions[0].name
   policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "github_actions_policy_pre_prod" {
   count      = local.is_pre_production ? 1 : 0
-  role       = aws_iam_role.github_role_pre_prod[0].name
+  role       = aws_iam_role.pre_prod_github_actions[0].name
   policy_arn = aws_iam_policy.github_actions_policy_pre_prod[0].arn
 }
 
-# aws_iam_policy.github_actions_policy_pre-prod[0]:
+# aws_iam_policy.github_actions_policy_pre_prod[0]:
 resource "aws_iam_policy" "github_actions_policy_pre_prod" {
   count       = local.is_pre_production ? 1 : 0
   description = null
@@ -696,7 +795,7 @@ resource "aws_iam_policy" "github_actions_policy_pre_prod" {
             "ec2:AllocateAddress",
             "ec2:CreateNatGateway",
             "scheduler:CreateSchedule",
-            "scheduler:UpdateSchedule"
+            "scheduler:UpdateSchedule",
           ]
           Effect   = "Allow"
           Resource = "*"
@@ -711,11 +810,11 @@ resource "aws_iam_policy" "github_actions_policy_pre_prod" {
 
 resource "aws_iam_role_policy_attachment" "github_extended_policy_1_pre_prod" {
   count      = local.is_pre_production ? 1 : 0
-  role       = aws_iam_role.github_role_pre_prod[0].name
+  role       = aws_iam_role.pre_prod_github_actions[0].name
   policy_arn = aws_iam_policy.github_extended_policy_1_pre_prod[0].arn
 }
 
-# aws_iam_policy.github_extended_policy_1_pre-prod[0]:
+# aws_iam_policy.github_extended_policy_1_pre_prod[0]:
 resource "aws_iam_policy" "github_extended_policy_1_pre_prod" {
   count       = local.is_pre_production ? 1 : 0
   description = "more required items for GitHub access"
@@ -845,12 +944,21 @@ resource "aws_iam_policy" "github_extended_policy_1_pre_prod" {
             "s3:PutBucketNotification",
             "iam:UpdateAssumeRolePolicy",
             "sqs:sendmessage",
-            "kms:GenerateDataKey"
+            "kms:GenerateDataKey",
           ]
           Effect   = "Allow"
           Resource = "*"
           Sid      = "VisualEditor0"
         },
+        {
+          Action = [
+            "acm:AddTagsToCertificate",
+            "acm:DeleteCertificate",
+          ]
+          Effect   = "Allow"
+          Resource = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/*"
+          Sid      = "VisualEditor1"
+        },
       ]
       Version = "2012-10-17"
     }

base_iam/policy_tool.py

@@ -34,10 +34,10 @@ def run_command(command):
 
 
 def import_resources(aws_account_id, env, role_name, policy_names):
-    run_command(f'terraform import -var environment={env} aws_iam_role.github_role_{env}[0] {role_name} ')
+    run_command(f'terraform import -var environment={env} -var aws_account_id={aws_account_id} aws_iam_role.github_role_{env}[0] {role_name} ')
     for policy_name in policy_names:
         resource_name = policy_name.replace("-", "_")
-        run_command(f'terraform import -var environment={env} aws_iam_policy.{resource_name}_{env}[0] arn:aws:iam::{aws_account_id}:policy/{policy_name}')
+        run_command(f'terraform import -var environment={env}  -var aws_account_id={aws_account_id} aws_iam_policy.{resource_name}_{env}[0] arn:aws:iam::{aws_account_id}:policy/{policy_name}')
 
 
 def tidy_resource_file(aws_account_id, env, source):