From 7633e58175d1541ad5b9cdf75af785f49c03062b Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 07:32:29 +0000
Subject: [PATCH 1/4] feat: iam user and key rotation
---
 terraform/main.tf | 56 ++++++++++++++++++++++++++++++++++++++++++++
 terraform/secrets.tf | 10 ++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 terraform/secrets.tf
diff --git a/terraform/main.tf b/terraform/main.tf
index 3cd2e1f..f99693f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -135,4 +135,60 @@ resource "aws_iam_role_policy_attachment" "eventbridge_policy" {
 resource "aws_cloudwatch_log_group" "loggroup" {
 name = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
 retention_in_days = var.log_retention_days
+}
+
+# IAM User Group
+resource "aws_iam_group" "group" {
+ name = "${var.env_name}-${var.lambda_name}-user-group"
+ path = "/"
+}
+
+resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.vpc_permissions.arn
+}
+
+resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
+resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.lambda_s3_policy.arn
+}
+
+resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
+}
+
+resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
+}
+
+# IAM User
+resource "aws_iam_user" "user" {
+ name = "${var.env_name}-${var.lambda_name}"
+ path = "/"
+}
+
+# Assign IAM User to group
+resource "aws_iam_user_group_membership" "user_group_attach" {
+ user = aws_iam_user.user.name
+
+ groups = [
+ aws_iam_group.group.name
+ ]
+}
+
+# IAM Key Rotation Module
+module "iam_key_rotation" {
+ source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"
+
+ iam_username = aws_iam_user.user.name
+ access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
+ secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
+ rotation_in_days = 90
 }
\ No newline at end of file
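Review bot: The new user group is attached to the same five policies the Lambda role uses, including `aws_iam_policy.lambda_secret_manager_policy`; if that policy covers the `access_key`/`secret_key` secrets that `module.iam_key_rotation` writes to, a holder of the current long-lived key can read every future rotated key, which defeats the 90-day rotation, so the user should get only the actions it actually needs and the rotation secrets should be excluded from what it can read. The policy bodies are not in this hunk, so that needs confirming against their definitions. Separately, `source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"` pins a tag, which the upstream can move; pinning `ref=` to the commit SHA that `v0.1.0` currently resolves to makes the module content immutable from this side. `rotation_in_days = 90` is also a candidate for a variable so environments can tighten it without editing this file.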
diff --git a/terraform/secrets.tf b/terraform/secrets.tf
new file mode 100644
index 0000000..49fd23f
--- /dev/null
+++ b/terraform/secrets.tf
@@ -0,0 +1,10 @@
+# Secrets for rotated IAM user access keys
+resource "aws_secretsmanager_secret" "access_key" {
+ name = "${var.env_name}-${var.lambda_name}-access-key"
+ description = "Access Key ID for tech audit tool IAM user"
+}
+
+resource "aws_secretsmanager_secret" "secret_key" {
+ name = "${var.env_name}-${var.lambda_name}-secret-key"
+ description = "Secret Access Key for tech audit tool IAM user"
+}
\ No newline at end of file
From d640d8e86c9663849aa57ec3ada760cda1b3d29f Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 07:33:08 +0000
Subject: [PATCH 2/4] chore: add whitespace at eof (secrets.tf)
---
 terraform/secrets.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/secrets.tf b/terraform/secrets.tf
index 49fd23f..994655a 100644
--- a/terraform/secrets.tf
+++ b/terraform/secrets.tf
@@ -7,4 +7,4 @@ resource "aws_secretsmanager_secret" "access_key" {
 resource "aws_secretsmanager_secret" "secret_key" {
 name = "${var.env_name}-${var.lambda_name}-secret-key"
 description = "Secret Access Key for tech audit tool IAM user"
-}
\ No newline at end of file
+}
From 94a3a8e001a9ab9729c63a6e7bbf5e99cb13916b Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 08:18:55 +0000
Subject: [PATCH 3/4] update: fix secrets desc
---
 terraform/secrets.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/secrets.tf b/terraform/secrets.tf
index 994655a..ea4a7a4 100644
--- a/terraform/secrets.tf
+++ b/terraform/secrets.tf
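Review bot: Both `aws_secretsmanager_secret` resources in the new file omit `kms_key_id`, so the stored access key and secret key are encrypted under the AWS-managed `aws/secretsmanager` key and access is governed by IAM alone; for secrets that hold live IAM credentials a customer-managed key (`kms_key_id = <cmk-arn-placeholder>`) adds a key-policy check and makes decrypt events attributable in CloudTrail. Neither secret carries a resource policy either, so any principal with `secretsmanager:GetSecretValue` on the account can read them; a policy restricting readers to the rotation module's role and the intended consumer would be worth adding once those principals are known. A one-line comment such as `# Values are written by module.iam_key_rotation; no secret_version is managed here` would also tell the next reader why no `aws_secretsmanager_secret_version` appears.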
@@ -1,10 +1,10 @@
 # Secrets for rotated IAM user access keys
 resource "aws_secretsmanager_secret" "access_key" {
 name = "${var.env_name}-${var.lambda_name}-access-key"
- description = "Access Key ID for tech audit tool IAM user"
+ description = "Access Key ID for github copilot usage lambda IAM user"
 }
 
 resource "aws_secretsmanager_secret" "secret_key" {
 name = "${var.env_name}-${var.lambda_name}-secret-key"
- description = "Secret Access Key for tech audit tool IAM user"
+ description = "Secret Access Key for github copilot usage lambda IAM user"
 }
From d892ba12695b34cd19604bcdf5bd15eb46b1da6b Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 12:50:38 +0000
Subject: [PATCH 4/4] update: set recov window to 0 for secret deletion
---
 terraform/secrets.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/terraform/secrets.tf b/terraform/secrets.tf
index ea4a7a4..ca4a942 100644
--- a/terraform/secrets.tf
+++ b/terraform/secrets.tf
@@ -1,10 +1,14 @@
 # Secrets for rotated IAM user access keys
 resource "aws_secretsmanager_secret" "access_key" {
 name = "${var.env_name}-${var.lambda_name}-access-key"
- description = "Access Key ID for github copilot usage lambda IAM user"
+ description = "Access Key ID for copilot usage lambda IAM user"
+ recovery_window_in_days = 0 // Secret will be deleted immediately
+ force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
 }
 
 resource "aws_secretsmanager_secret" "secret_key" {
 name = "${var.env_name}-${var.lambda_name}-secret-key"
- description = "Secret Access Key for github copilot usage lambda IAM user"
+ description = "Secret Access Key for copilot usage lambda IAM user"
+ recovery_window_in_days = 0 // Secret will be deleted immediately
+ force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
 }
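Review bot: `recovery_window_in_days = 0` on both secrets in the final hunk means any destroy or forced replacement (for example a change to `name`, which is derived from `var.env_name` and `var.lambda_name`) permanently deletes the only stored copy of the live access key with no recovery window, which is a hard trade-off for credential material; exposing the value as a variable (say `var.secret_recovery_window_in_days`, a name constructed here) lets throwaway environments keep 0 while longer-lived ones retain a window. `force_overwrite_replica_secret = true` only affects replication into `replica` blocks, and neither resource declares one, so it is a no-op as written and the comment `// Allow overwriting the secret in case of changes` overstates what it does; drop it or add the replica it is meant for. The file's existing comment on line 1 uses `#`, so the new trailing `//` comments should match that style.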