# Supplies the engineer user lists consumed by the locals below
# (module.users.with_role["<role name>"]).
module "users" {
source = "../../../modules/users"
}
# Supplies shared constants; only module.common_values.vpn_ip_addresses is
# read in this file (see local.ip_restrictions).
module "common_values" {
source = "../../../modules/common-values"
}
# Shared inputs for the per-user role modules below.
locals {
  # User lists keyed by role, as exposed by the users module.
  admin_users    = module.users.with_role["integration_admin"]
  # NOTE: "suppport" is misspelt. support_role and readonly_role reference
  # this name, so all three places must be renamed together.
  suppport_users = module.users.with_role["integration_support"]
  readonly_users = module.users.with_role["integration_readonly"]

  # Source-IP allow-list for the engineer roles: the VPN egress addresses
  # when VPN access is required, otherwise an empty list (presumably treated
  # as "no restriction" by gds-user-role — confirm in that module).
  ip_restrictions = var.require_vpn_to_access ? module.common_values.vpn_ip_addresses : []
}
# Customer-managed policy carrying an explicit Deny on the Parameter Store
# read APIs (the wildcard covers GetParameter, GetParameters,
# GetParametersByPath and GetParameterHistory). An explicit Deny takes
# precedence over any Allow in the managed policies attached alongside it.
# NOTE(review): only pentester_role attaches this; readonly_role attaches
# ReadOnlyAccess without it — confirm that is intended.
resource "aws_iam_policy" "deny_parameter_store" {
  description = "Deny viewing secrets in parameter store"
  name        = "deny-parameter-store-read-access"
  path        = "/"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Deny"
        Action   = ["ssm:GetParameter*"]
        Resource = ["*"]
      }
    ]
  })
}
# Lets the support and readonly roles read, create and delete `*.tflock`
# objects in var.bucket (presumably Terraform's S3 lock-file objects) without
# granting access to the state files themselves.
# NOTE: the resource name says "release-lock" while the description says
# "Allow locking"; the actions cover both acquiring (PutObject) and
# releasing (DeleteObject) a lock.
resource "aws_iam_policy" "lock_state_files" {
  description = "Allow locking state files"
  name        = "release-lock-on-state-files"
  path        = "/"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        # Scoped to lock objects only, not to the state objects in the bucket.
        Resource = ["arn:aws:s3:::${var.bucket}/*.tflock"]
      }
    ]
  })
}
# One "admin" role per integration_admin user, with full AdministratorAccess
# and the shared source-IP restriction.
module "admin_role" {
  source   = "../../../modules/gds-user-role/"
  for_each = toset(local.admin_users)

  # Usernames are local parts; the GDS domain is appended here.
  email           = format("%s@digital.cabinet-office.gov.uk", each.value)
  role_suffix     = "admin"
  iam_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
  ip_restrictions = local.ip_restrictions
}
# One "support" role per admin or support user (admins get every lower tier
# as well). Carries only the state-lock policy, so support users can release
# a stuck lock without any other AWS access.
module "support_role" {
  source   = "../../../modules/gds-user-role/"
  for_each = setunion(toset(local.admin_users), toset(local.suppport_users))

  email           = format("%s@digital.cabinet-office.gov.uk", each.value)
  role_suffix     = "support"
  iam_policy_arns = [aws_iam_policy.lock_state_files.arn]
  ip_restrictions = local.ip_restrictions
}
# One "readonly" role per admin, support or readonly user: managed
# ReadOnlyAccess plus the state-lock policy.
# NOTE(review): ReadOnlyAccess includes Parameter Store reads and the
# deny_parameter_store policy is not attached here — confirm this is intended.
module "readonly_role" {
  source = "../../../modules/gds-user-role/"
  for_each = setunion(
    toset(local.admin_users),
    toset(local.suppport_users),
    toset(local.readonly_users),
  )

  email       = format("%s@digital.cabinet-office.gov.uk", each.value)
  role_suffix = "readonly"
  iam_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    aws_iam_policy.lock_state_files.arn,
  ]
  ip_restrictions = local.ip_restrictions
}
# One "pentester" role per external e-mail address (used verbatim, not
# suffixed with the GDS domain): ReadOnlyAccess and SecurityAudit, with the
# explicit Deny on Parameter Store reads layered on top.
# NOTE(review): ip_restrictions comes straight from var.pentester_cidr_ranges,
# so var.require_vpn_to_access does not apply to these roles. If gds-user-role
# treats an empty list as "no restriction" (as local.ip_restrictions appears
# to assume), an empty variable would leave these roles reachable from any
# source IP — a validation block on the variable would catch that.
module "pentester_role" {
  source   = "../../../modules/gds-user-role/"
  for_each = toset(var.pentester_email_addresses)

  email       = each.value
  role_suffix = "pentester"
  iam_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
    aws_iam_policy.deny_parameter_store.arn,
  ]
  ip_restrictions = var.pentester_cidr_ranges
}