ELI-597: Automates NHS Number salt creation and rotation #537
Conversation
eddalmond1
left a comment
eddalmond1
left a comment
There was a problem hiding this comment.
Looking good - a few minor checks around ensuring tags are definitely being managed by this process completely
infrastructure/stacks/api-layer/scripts/create_pending_secret.py
Outdated
Show resolved
Hide resolved
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| resource "aws_lambda_function" "create_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
|
|
||
| filename = data.archive_file.create_zip.output_path | ||
| function_name = "${terraform.workspace}-CreatePendingSecretFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "create_pending_secret.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
Check warning
Code scanning / checkov
Ensure that AWS Lambda function is configured inside a VPC Warning
There was a problem hiding this comment.
this just needs a VPC config block e.g.
vpc_config {
subnet_ids = [for v in data.aws_subnet.private_subnets : v.id]
security_group_ids = [data.aws_security_group.main_sg.id]
}
There was a problem hiding this comment.
I think we do need it within VPC, even if technically it'll just be making requests across the AWS control plane
| resource "aws_lambda_function" "create_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
|
|
||
| filename = data.archive_file.create_zip.output_path | ||
| function_name = "${terraform.workspace}-CreatePendingSecretFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "create_pending_secret.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
Check warning
Code scanning / checkov
Ensure that AWS Lambda function is configured for function-level concurrent execution limit Warning
There was a problem hiding this comment.
this just needs
reserved_concurrent_executions = 1
adding in the config, and makes sense as we wouldn't want parallel executions
| resource "aws_lambda_function" "promote_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
| filename = data.archive_file.promote_zip.output_path | ||
| function_name = "${terraform.workspace}-PromoteToCurrentFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "promote_to_current.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
Check warning
Code scanning / checkov
Ensure that AWS Lambda function is configured for function-level concurrent execution limit Warning
There was a problem hiding this comment.
this just needs
reserved_concurrent_executions = 1
adding in the config, and makes sense as we wouldn't want parallel executions
| resource "aws_sns_topic" "cli_login_topic" { | ||
| #checkov:skip=CKV_AWS_26: Topic contains nothing sensitive so no encryption required | ||
| name = "cli-login-notifications" | ||
| } |
Check warning
Code scanning / checkov
Ensure all data stored in the SNS topic is encrypted Warning
There was a problem hiding this comment.
I think we'd want this encrypting so add a kms key
resource "aws_kms_key" "whatever you want to call it" {
description = "KMS key for SNS topic encryption"
deletion_window_in_days = 14
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}
Action = "kms:"
Resource = ""
},
{
Sid = "Allow SNS to use the key"
Effect = "Allow"
Principal = {
Service = "sns.amazonaws.com"
}
Action = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
Resource = "*"
}
]
})
}
resource "aws_kms_alias" "sns_kms_alias" {
name = "alias/${terraform.workspace}-sns-topic-key" # change this as well
target_key_id = aws_kms_key.sns_kms_key.key_id
}
data "aws_caller_identity" "current" {}
and use above e.g.
name = "cli-login-notifications"
kms_master_key_id = aws_kms_key.sns_kms_key.id
}
| resource "aws_lambda_function" "create_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
|
|
||
| filename = data.archive_file.create_zip.output_path | ||
| function_name = "${terraform.workspace}-CreatePendingSecretFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "create_pending_secret.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
There was a problem hiding this comment.
this just needs a VPC config block e.g.
vpc_config {
subnet_ids = [for v in data.aws_subnet.private_subnets : v.id]
security_group_ids = [data.aws_security_group.main_sg.id]
}
| resource "aws_lambda_function" "create_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
|
|
||
| filename = data.archive_file.create_zip.output_path | ||
| function_name = "${terraform.workspace}-CreatePendingSecretFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "create_pending_secret.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
There was a problem hiding this comment.
I think we do need it within VPC, even if technically it'll just be making requests across the AWS control plane
| resource "aws_lambda_function" "create_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
|
|
||
| filename = data.archive_file.create_zip.output_path | ||
| function_name = "${terraform.workspace}-CreatePendingSecretFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "create_pending_secret.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
There was a problem hiding this comment.
this just needs
reserved_concurrent_executions = 1
adding in the config, and makes sense as we wouldn't want parallel executions
| resource "aws_lambda_function" "promote_secret_lambda" { | ||
| #checkov:skip=CKV_AWS_116: No deadletter queue is required for this Lambda function | ||
| #checkov:skip=CKV_AWS_115: Not applicable as it will not be possible to trigger concurrently | ||
| #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 | ||
| #checkov:skip=CKV_AWS_50: No x-ray needed for this function | ||
| #checkov:skip=CKV_AWS_173: No encryption needed for the secret name | ||
| #checkov:skip=CKV_AWS_117: Does not need to be in a VPC | ||
| filename = data.archive_file.promote_zip.output_path | ||
| function_name = "${terraform.workspace}-PromoteToCurrentFunction" | ||
| role = aws_iam_role.rotation_lambda_role.arn | ||
| handler = "promote_to_current.lambda_handler" | ||
| runtime = "python3.13" | ||
| timeout = 30 | ||
|
|
||
| environment { | ||
| variables = { SECRET_NAME = module.secrets_manager.aws_hashing_secret_name } | ||
| } | ||
| } |
| resource "aws_sns_topic" "cli_login_topic" { | ||
| #checkov:skip=CKV_AWS_26: Topic contains nothing sensitive so no encryption required | ||
| name = "cli-login-notifications" | ||
| } |
There was a problem hiding this comment.
I think we'd want this encrypting so add a kms key
resource "aws_kms_key" "whatever you want to call it" {
description = "KMS key for SNS topic encryption"
deletion_window_in_days = 14
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}
Action = "kms:"
Resource = ""
},
{
Sid = "Allow SNS to use the key"
Effect = "Allow"
Principal = {
Service = "sns.amazonaws.com"
}
Action = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
Resource = "*"
}
]
})
}
resource "aws_kms_alias" "sns_kms_alias" {
name = "alias/${terraform.workspace}-sns-topic-key" # change this as well
target_key_id = aws_kms_key.sns_kms_key.key_id
}
data "aws_caller_identity" "current" {}
and use above e.g.
name = "cli-login-notifications"
kms_master_key_id = aws_kms_key.sns_kms_key.id
}
4 participants
Description
Context
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.