From 14d275e62cd2e29d4a65fd2e85b35955717e7a7a Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 15 Apr 2026 14:52:44 +0100 Subject: [PATCH 1/8] [ELI-731] creating a new role and adding a trust policy for the regression repo --- .../github_actions_policies.tf | 28 +++++++++++++++++++ .../github_actions_role.tf | 17 +++++++++++ .../stacks/iams-developer-roles/variables.tf | 6 ++++ 3 files changed, 51 insertions(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 13cdaf7f9..6ae2df5b0 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -721,6 +721,34 @@ data "aws_iam_policy_document" "github_actions_assume_role" { } } +# Assume role policy document for GitHub Actions +data "aws_iam_policy_document" "regression_repo_assume_role" { + statement { + sid = "OidcAssumeRoleWithWebIdentity" + effect = "Allow" + actions = ["sts:AssumeRoleWithWebIdentity"] + + principals { + type = "Federated" + identifiers = [ + aws_iam_openid_connect_provider.github.arn + ] + } + + condition { + test = "StringLike" + variable = "token.actions.githubusercontent.com:sub" + values = ["repo:${var.github_org}/${var.regression_repo}:*"] + } + + condition { + test = "StringEquals" + variable = "token.actions.githubusercontent.com:aud" + values = ["sts.amazonaws.com"] + } + } +} + resource "aws_iam_policy" "stream_management" { name = "stream-management" description = "Allow GitHub Actions to manage project Firehose delivery streams and Kinesis streams" diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf index 29a4a53a0..006fe19b7 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf 
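Review bot: The `sub` condition `repo:${var.github_org}/${var.regression_repo}:*` lets a workflow on any branch, tag or pull request of the regression repo assume this role, so anyone who can get a workflow with `id-token: write` to run in that repo obtains the role's credentials; it mirrors the existing `github_actions_assume_role`, but that pattern is not least-privilege for a role that will hold write permissions. Consider pinning the claim to the refs that actually run the suite, e.g. `values = ["repo:${var.github_org}/${var.regression_repo}:ref:refs/heads/main"]`, or to a GitHub environment (`repo:...:environment:${var.environment}`) so the repo's environment protection rules gate the assumption. The header comment is a copy of the one above it; `# Trust policy for the E2E regression-tests repo (GitHub OIDC only, no dev SSO statement)` would tell the two documents apart.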
@@ -107,3 +107,20 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" { } } } + +resource "aws_iam_role" "regression_test_role" { + name = "Eligibility-Signposting-API-E2E-Regression-Tests" + description = "Role for regression testing" + permissions_boundary = aws_iam_policy.permissions_boundary.arn + path = "/service-roles/" + + # Trust policy allowing GitHub Actions to assume the role + assume_role_policy = data.aws_iam_policy_document.regression_repo_assume_role.json + + tags = merge( + local.tags, + { + Name = "Eligibility-Signposting-API-E2E-Regression-Tests" + } + ) +} diff --git a/infrastructure/stacks/iams-developer-roles/variables.tf b/infrastructure/stacks/iams-developer-roles/variables.tf index 8de5b51b3..020a815ea 100644 --- a/infrastructure/stacks/iams-developer-roles/variables.tf +++ b/infrastructure/stacks/iams-developer-roles/variables.tf @@ -9,3 +9,9 @@ variable "github_repo" { description = "GitHub repository" type = string } + +variable "regression_repo" { + default = "eligibility-signposting-api-regression-tests" + description = "GitHub repository" + type = string +} From 271901b1ed443984daaa655cacdac7a3044db759 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 15 Apr 2026 14:55:33 +0100 Subject: [PATCH 2/8] [ELI-731] swapping things around into a logical order --- .../github_actions_policies.tf | 142 +++++++++--------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 6ae2df5b0..e9420be57 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf 
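Review bot: The description `"GitHub repository"` on `regression_repo` is copied from `github_repo` and does not say what the repository is or where the value is used; `description = "GitHub repository (within github_org) whose workflows may assume the regression-test role via OIDC"` would let a reader of the plan output or generated docs tell the two variables apart. The default bakes a concrete repo name into the stack; that is fine if it is never overridden, but worth confirming it should not be wired from the calling stack the way `github_repo` appears to be (that variable's default is outside this hunk).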
@@ -678,77 +678,6 @@ resource "aws_iam_policy" "iam_management" { tags = merge(local.tags, { Name = "iam-management" }) } -# Assume role policy document for GitHub Actions -data "aws_iam_policy_document" "github_actions_assume_role" { - statement { - sid = "OidcAssumeRoleWithWebIdentity" - effect = "Allow" - actions = ["sts:AssumeRoleWithWebIdentity"] - - principals { - type = "Federated" - identifiers = [ - aws_iam_openid_connect_provider.github.arn - ] - } - - condition { - test = "StringLike" - variable = "token.actions.githubusercontent.com:sub" - values = ["repo:${var.github_org}/${var.github_repo}:*"] - } - - condition { - test = "StringEquals" - variable = "token.actions.githubusercontent.com:aud" - values = ["sts.amazonaws.com"] - } - } - dynamic "statement" { - for_each = var.environment == "dev" ? [1] : [] - content { - sid = "AllowDevSSORoleToAssumeIamBootstrap" - effect = "Allow" - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = [ - local.dev_role_arn - ] - } - } - } -} - -# Assume role policy document for GitHub Actions -data "aws_iam_policy_document" "regression_repo_assume_role" { - statement { - sid = "OidcAssumeRoleWithWebIdentity" - effect = "Allow" - actions = ["sts:AssumeRoleWithWebIdentity"] - - principals { - type = "Federated" - identifiers = [ - aws_iam_openid_connect_provider.github.arn - ] - } - - condition { - test = "StringLike" - variable = "token.actions.githubusercontent.com:sub" - values = ["repo:${var.github_org}/${var.regression_repo}:*"] - } - - condition { - test = "StringEquals" - variable = "token.actions.githubusercontent.com:aud" - values = ["sts.amazonaws.com"] - } - } -} - resource "aws_iam_policy" "stream_management" { name = "stream-management" description = "Allow GitHub Actions to manage project Firehose delivery streams and Kinesis streams" 
@@ -873,6 +802,77 @@ resource "aws_iam_policy" "cloudwatch_management" { tags = merge(local.tags, { Name = "cloudwatch-management" }) } +# Assume role policy document for GitHub Actions +data "aws_iam_policy_document" "github_actions_assume_role" { + statement { + sid = "OidcAssumeRoleWithWebIdentity" + effect = "Allow" + actions = ["sts:AssumeRoleWithWebIdentity"] + + principals { + type = "Federated" + identifiers = [ + aws_iam_openid_connect_provider.github.arn + ] + } + + condition { + test = "StringLike" + variable = "token.actions.githubusercontent.com:sub" + values = ["repo:${var.github_org}/${var.github_repo}:*"] + } + + condition { + test = "StringEquals" + variable = "token.actions.githubusercontent.com:aud" + values = ["sts.amazonaws.com"] + } + } + dynamic "statement" { + for_each = var.environment == "dev" ? [1] : [] + content { + sid = "AllowDevSSORoleToAssumeIamBootstrap" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = [ + local.dev_role_arn + ] + } + } + } +} + +# Assume role policy document for GitHub Actions +data "aws_iam_policy_document" "regression_repo_assume_role" { + statement { + sid = "OidcAssumeRoleWithWebIdentity" + effect = "Allow" + actions = ["sts:AssumeRoleWithWebIdentity"] + + principals { + type = "Federated" + identifiers = [ + aws_iam_openid_connect_provider.github.arn + ] + } + + condition { + test = "StringLike" + variable = "token.actions.githubusercontent.com:sub" + values = ["repo:${var.github_org}/${var.regression_repo}:*"] + } + + condition { + test = "StringEquals" + variable = "token.actions.githubusercontent.com:aud" + values = ["sts.amazonaws.com"] + } + } +} + # Attach the policies to the role resource "aws_iam_role_policy_attachment" "api_infrastructure" { role = aws_iam_role.github_actions.name From 6b225d4286fdeb89f742cc9b04fcb2b69ae09a41 Mon Sep 17 00:00:00 2001 
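Review bot: Both policy documents in this hunk carry the identical comment `# Assume role policy document for GitHub Actions`, so the moved block gives no hint that the second one is the trust policy for a different repository and deliberately lacks the dev SSO statement. Suggest `# Trust policy for the E2E regression-tests repo: GitHub OIDC only, any ref; no dev SSO assume` on `regression_repo_assume_role`, and extending the first comment to note that in dev it also lets `local.dev_role_arn` assume the deployment role.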
From: TOEL2 Date: Wed, 15 Apr 2026 16:02:24 +0100 Subject: [PATCH 3/8] [ELI-731] adding required permissions to new role --- .../github_actions_policies.tf | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index e9420be57..5ef3c61a8 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf 
@@ -802,6 +802,115 @@ resource "aws_iam_policy" "cloudwatch_management" { tags = merge(local.tags, { Name = "cloudwatch-management" }) } +data "aws_iam_policy_document" "regression_test_permissions" { + statement { + sid = "S3Access" + Effect = "Allow", + Action = [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:GetBucketTagging", + "s3:GetObjectTagging", + "s3:PutObjectTagging", + "s3:GetObjectVersion", + ], + Resource = [ + "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules", + "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules/*", + "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-consumer-map", + "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-consumer-map/*" + ] + } + + statement { + sid = "DynamoAccess" + Effect = "Allow" + Action = [ + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:Query", + "dynamodb:Scan", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:DeleteTable", + "dynamodb:CreateTable", + "dynamodb:TagResource", + "dynamodb:UntagResource", + "dynamodb:ListTagsOfResource" + ] + resources = [ + "arn:aws:dynamodb:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:table/my-table" + ] + } + + statement { + sid = "SecretsManagerAccess" + Effect = "Allow" + Action = [ + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:UpdateSecretVersionStage" + ] + } + + statement { + sid = "CloudWatchLogsRead" + Effect = "Allow" + Action = [ + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:GetLogEvents", + "logs:FilterLogEvents", + "logs:StartQuery", + "logs:GetQueryResults", + "logs:StopQuery" + ] + resources = ["*"] + } + + statement { + sid = "XRayRead" + Effect = "Allow" + Action = [ + "xray:GetTraceSummaries", + "xray:BatchGetTraces", + "xray:GetServiceGraph", + "xray:GetGroups", + 
"xray:GetGroup", + "xray:GetSamplingRules", + "xray:GetSamplingTargets", + "xray:GetSamplingStatisticSummaries", + "xray:UpdateSamplingRule" + ] + resources = ["*"] + } + + statement { + sid = "SSMRead" + Effect = "Allow" + Action = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParametersByPath" + ] + resources = [ + "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/my-app/*" + ] + } +} + +resource "aws_iam_policy" "regression_test_permissions" { + name = "regression-test-permissions" + description = "Permissions for the regression test GitHub Actions role" + path = "/service-policies/" + policy = data.aws_iam_policy_document.regression_test_permissions.json +} + # Assume role policy document for GitHub Actions data "aws_iam_policy_document" "github_actions_assume_role" { statement { @@ -913,3 +1022,13 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_management" { role = aws_iam_role.github_actions.name policy_arn = aws_iam_policy.cloudwatch_management.arn } + +resource "aws_iam_role_policy_attachment" "regression_test_permissions" { + role = aws_iam_role.regression_test_role.name + policy_arn = aws_iam_policy.regression_test_permissions.arn +} + +resource "aws_iam_role_policy_attachment" "security_management" { + role = aws_iam_role.regression_test_role.name + policy_arn = aws_iam_policy.security_management.arn +} From 8afd37ce8ec6ca2ac03de5e6164e3590efdbb128 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Thu, 16 Apr 2026 13:20:52 +0100 Subject: [PATCH 4/8] [ELI-731] addressing commments --- .../iams-developer-roles/github_actions_policies.tf | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 5ef3c61a8..2e9bc8d7d 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf 
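Review bot: The `XRayRead` statement grants `xray:UpdateSamplingRule` on `*`, a write that lets the test role change account-wide trace sampling for every instrumented service; remove the line `"xray:UpdateSamplingRule"` so the sid is truthful, or put it in its own statement with a comment saying which test needs it. `CloudWatchLogsRead` likewise allows `logs:GetLogEvents`/`FilterLogEvents` on every log group in the account, and this API's logs could contain patient-identifying data, so scope `resources` to the service's log-group ARNs (`arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*eligibility-signposting-api-${var.environment}*:*`, adjusted to the real names). `DynamoAccess` includes `dynamodb:ListTables`, an account-level action IAM only honours with `resources = ["*"]`, so as written it is silently ineffective. Finally `aws_iam_policy.regression_test_permissions` omits the `tags = merge(local.tags, { Name = "regression-test-permissions" })` that every other policy in this file carries.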
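Review bot: Attaching `aws_iam_policy.security_management` to `regression_test_role` gives a test identity a policy written for the deployment role; its statements are not in this patch, but the name suggests it manages security resources rather than reading them. If the suite only needs to verify something, add the few read actions to `regression_test_permissions` instead and drop this attachment; otherwise add a comment above it recording which test depends on it, e.g. `# Required by <test>: <action> on <resource>`.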
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -843,7 +843,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { "dynamodb:ListTagsOfResource" ] resources = [ - "arn:aws:dynamodb:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:table/my-table" + "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-${var.environment}-eligibility_datastore" ] } @@ -899,7 +899,10 @@ data "aws_iam_policy_document" "regression_test_permissions" { "ssm:GetParametersByPath" ] resources = [ - "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/my-app/*" + "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}/*", + "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/splunk/*", + "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/ptl/*", + "arn:aws:ssm:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:parameter/prod/*" ] } } @@ -1028,7 +1031,7 @@ resource "aws_iam_role_policy_attachment" "regression_test_permissions" { policy_arn = aws_iam_policy.regression_test_permissions.arn } -resource "aws_iam_role_policy_attachment" "security_management" { +resource "aws_iam_role_policy_attachment" "regression_security_management" { role = aws_iam_role.regression_test_role.name policy_arn = aws_iam_policy.security_management.arn } From a67ee36c3320e09bb0bdf3340166f30644ecde02 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Thu, 16 Apr 2026 13:31:12 +0100 Subject: [PATCH 5/8] [ELI-731] addressing comments --- .../github_actions_policies.tf | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
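Review bot: With the resource now pointed at the real `*eligibility-signposting-api-${var.environment}-eligibility_datastore` table, the `DynamoAccess` actions above (outside this hunk) still include `dynamodb:DeleteTable` and `dynamodb:CreateTable`, so a regression run, or anyone who can get a workflow to run in that repo, can drop the environment's eligibility datastore. Remove those two actions unless the suite genuinely recreates the table, and if it does, isolate them in their own statement with a comment saying so. The region was also widened from `${var.default_aws_region}` to `*` and the table name gained a leading `*`; if the table lives in one region keep `arn:aws:dynamodb:${var.default_aws_region}:...`, and prefer the table's exact name (or `aws_dynamodb_table.<name>.arn` if it is in this stack) over a suffix match.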
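Review bot: The new `/prod/*` (and apparently `/ptl/*`) parameter paths are granted unconditionally, so the regression role deployed for a non-production environment can read production parameters, and `ssm:GetParametersByPath` with decryption would expose any SecureString under that prefix (subject to the key policy). Since `parameter/${var.environment}/*` already covers prod when the stack is deployed there, delete the `.../parameter/prod/*` line (and `/ptl/*` if it is an environment rather than a shared namespace), or gate them with `var.environment == "prod" ? [...] : []`. `/splunk/*` reads as a shared namespace and is reasonable if that is what the suite's log assertions use; a one-line comment naming the consumer would make that explicit.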
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 2e9bc8d7d..e13d9539c 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -805,8 +805,8 @@ resource "aws_iam_policy" "cloudwatch_management" { data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "S3Access" - Effect = "Allow", - Action = [ + effect = "Allow", + action = [ "s3:ListBucket", "s3:GetObject", "s3:PutObject", @@ -816,7 +816,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { "s3:PutObjectTagging", "s3:GetObjectVersion", ], - Resource = [ + resource = [ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules", "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules/*", "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-consumer-map", @@ -826,8 +826,8 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "DynamoAccess" - Effect = "Allow" - Action = [ + effect = "Allow" + action = [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", @@ -849,8 +849,8 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "SecretsManagerAccess" - Effect = "Allow" - Action = [ + effect = "Allow" + action = [ "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:DescribeSecret", @@ -860,8 +860,8 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "CloudWatchLogsRead" - Effect = "Allow" - Action = [ + effect = "Allow" + action = [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents", 
@@ -875,8 +875,8 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "XRayRead" - Effect = "Allow" - Action = [ + effect = "Allow" + action = [ "xray:GetTraceSummaries", "xray:BatchGetTraces", "xray:GetServiceGraph", @@ -892,8 +892,8 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "SSMRead" - Effect = "Allow" - Action = [ + effect = "Allow" + action = [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" From 9541bc58d3672bbdfbff114eef79c86778edcbbf Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Thu, 16 Apr 2026 13:32:56 +0100 Subject: [PATCH 6/8] [ELI-731] addressing comments --- .../stacks/iams-developer-roles/github_actions_policies.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index e13d9539c..ee0bc0fe0 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -856,6 +856,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecretVersionStage" ] + resources = ["*"] } statement { From 41229b18a2f1f3a2d6102b0a1447f7bb7343b8f9 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Fri, 17 Apr 2026 09:04:44 +0100 Subject: [PATCH 7/8] [ELI-731] changing name --- .../stacks/iams-developer-roles/github_actions_role.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf index 006fe19b7..ce54e6242 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf 
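Review bot: `resources = ["*"]` on `SecretsManagerAccess`, combined with `secretsmanager:PutSecretValue` and `UpdateSecretVersionStage` in the actions above (outside this hunk), lets the regression role read and overwrite every secret in the account, constrained only by the permissions boundary. Restrict it to the secrets the suite uses, e.g. `resources = ["arn:aws:secretsmanager:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.environment}/*"]` (adjust to the real naming), and drop the two write actions if the tests only fetch credentials. If a write really is needed, such as rotating a test API key, say so in a comment on the statement.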
@@ -109,7 +109,7 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" { } resource "aws_iam_role" "regression_test_role" { - name = "Eligibility-Signposting-API-E2E-Regression-Tests" + name = "Eligibility-API-E2E-Regression-Tests" description = "Role for regression testing" permissions_boundary = aws_iam_policy.permissions_boundary.arn path = "/service-roles/" @@ -120,7 +120,7 @@ resource "aws_iam_role" "regression_test_role" { tags = merge( local.tags, { - Name = "Eligibility-Signposting-API-E2E-Regression-Tests" + Name = "Eligibility-API-E2E-Regression-Tests" } ) } From b2a9a456319168c5722d0f3095bd4dc41dff6c29 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Fri, 17 Apr 2026 09:55:23 +0100 Subject: [PATCH 8/8] [ELI-731] addressing comments --- .../github_actions_policies.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index ee0bc0fe0..13664e1b7 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -805,8 +805,8 @@ resource "aws_iam_policy" "cloudwatch_management" { data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "S3Access" - effect = "Allow", - action = [ + effect = "Allow" + actions = [ "s3:ListBucket", "s3:GetObject", "s3:PutObject", @@ -814,9 +814,9 @@ data "aws_iam_policy_document" "regression_test_permissions" { "s3:GetBucketTagging", "s3:GetObjectTagging", "s3:PutObjectTagging", - "s3:GetObjectVersion", + "s3:GetObjectVersion" ], - resource = [ + resources = [ "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules", "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-eli-rules/*", "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-consumer-map", 
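Review bot: The S3 ARNs all start with `arn:aws:s3:::*eligibility-signposting-api-...`, and because S3 bucket ARNs carry no account ID the leading `*` matches any bucket with that suffix in any account, not just this project's; that is only reachable if a bucket policy also allows it, but it widens the identity policy for no gain. Replace the wildcard with the bucket's real prefix or reference the bucket resources directly (`aws_s3_bucket.<name>.arn` and `"${aws_s3_bucket.<name>.arn}/*"`) if they are in this stack. The `s3:PutObject`/`s3:DeleteObject` grants on the rules and consumer-map buckets mean a test run can change the live rule set for that environment; a comment stating that the suite seeds and cleans these buckets would make that intent explicit.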
@@ -827,7 +827,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "DynamoAccess" effect = "Allow" - action = [ + actions = [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", @@ -850,7 +850,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "SecretsManagerAccess" effect = "Allow" - action = [ + actions = [ "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:DescribeSecret", @@ -862,7 +862,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "CloudWatchLogsRead" effect = "Allow" - action = [ + actions = [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents", @@ -877,7 +877,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "XRayRead" effect = "Allow" - action = [ + actions = [ "xray:GetTraceSummaries", "xray:BatchGetTraces", "xray:GetServiceGraph", @@ -894,7 +894,7 @@ data "aws_iam_policy_document" "regression_test_permissions" { statement { sid = "SSMRead" effect = "Allow" - action = [ + actions = [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"