Merge pull request #453 from communitiesuk/DT-280

DT-280 Change SES to use keys specific to application
communitiesuk · Nov 14, 2024 · 6fd7876 · 6fd7876
2 parents 60e1126 + a7d7df0
commit 6fd7876
Show file tree

Hide file tree

Showing 10 changed files with 42 additions and 10 deletions.
diff --git a/terraform/modules/marklogic/deploy_user.tf b/terraform/modules/marklogic/deploy_user.tf
@@ -23,6 +23,7 @@ resource "aws_kms_alias" "ml_deploy_secrets" {
   target_key_id = aws_kms_key.ml_deploy_secrets.key_id
 }
 
+
 data "aws_secretsmanager_secret" "ml_admin_user" {
   name = "ml-admin-user-${var.environment}"
 
@@ -67,6 +68,11 @@ data "aws_iam_policy_document" "read_marklogic_deploy_secrets" {
     effect    = "Allow"
     resources = [aws_kms_key.ml_deploy_secrets.arn]
   }
+  statement {
+    actions   = ["kms:DescribeKey", "kms:Decrypt"]
+    effect    = "Allow"
+    resources = var.ses_deploy_secret_arns
+  }
   statement {
     actions   = ["secretsmanager:ListSecrets"]
     effect    = "Allow"

diff --git a/terraform/modules/marklogic/outputs.tf b/terraform/modules/marklogic/outputs.tf
@@ -33,4 +33,4 @@ output "daily_backup_bucket_arn" {
 
 output "weekly_backup_bucket_arn" {
   value = module.weekly_backup_bucket.bucket_arn
-}
+}
diff --git a/terraform/modules/marklogic/variables.tf b/terraform/modules/marklogic/variables.tf
@@ -125,3 +125,8 @@ variable "weekly_backup_bucket_retention_days" {
 variable "iam_github_openid_connect_provider_arn" {
   type = string
 }
+
+variable "ses_deploy_secret_arns" {
+  type        = list(string)
+  description = "List of arns of the kms keys for SES credentials"
+}
diff --git a/terraform/modules/ses_user/main.tf b/terraform/modules/ses_user/main.tf
@@ -10,9 +10,6 @@ variable "ses_identity_arns" {
   type = list(string)
 }
 
-variable "kms_key_arn" {
-  type = string
-}
 
 variable "from_address_patterns" {
   type        = list(string)
@@ -37,6 +34,20 @@ resource "aws_iam_access_key" "smtp_user" {
   user = aws_iam_user.smtp_user.name
 }
 
+resource "aws_kms_key" "deploy_secrets" {
+  description         = "deploy-secrets-${var.username}"
+  enable_key_rotation = true
+
+  tags = {
+    "terraform-plan-read" = true
+  }
+}
+
+resource "aws_kms_alias" "deploy_secrets" {
+  name          = "alias/deploy-secrets-${var.username}"
+  target_key_id = aws_kms_key.deploy_secrets.key_id
+}
+
 data "aws_iam_policy_document" "ses_sender" {
   statement {
     actions   = ["ses:SendRawEmail"]
@@ -68,3 +79,7 @@ output "smtp_password" {
   value     = aws_iam_access_key.smtp_user.ses_smtp_password_v4
   sensitive = true
 }
+
+output "deploy_secret_arn" {
+  value = aws_kms_key.deploy_secrets.arn
+}
diff --git a/terraform/modules/ses_user/secret.tf b/terraform/modules/ses_user/secret.tf
@@ -1,7 +1,7 @@
 resource "aws_secretsmanager_secret" "ses_user" {
   name                    = "tf-smtp-${var.username}"
   description             = "Managed by Terraform, do not update manually"
-  kms_key_id              = var.kms_key_arn
+  kms_key_id              = aws_kms_key.deploy_secrets.arn
   recovery_window_in_days = 0
 
   tags = {

diff --git a/terraform/production/main.tf b/terraform/production/main.tf
@@ -70,7 +70,6 @@ module "delta_ses_user" {
   ses_identity_arns     = [module.ses_identity.arn]
   from_address_patterns = ["[email protected]"]
   environment           = local.environment
-  kms_key_arn           = module.marklogic.deploy_user_kms_key_arn
   vpc_id                = module.networking.vpc.id
 }
 
@@ -80,7 +79,6 @@ module "cpm_ses_user" {
   ses_identity_arns     = [module.ses_identity.arn]
   from_address_patterns = ["[email protected]"]
   environment           = local.environment
-  kms_key_arn           = module.marklogic.deploy_user_kms_key_arn
   vpc_id                = module.networking.vpc.id
 }
 
@@ -241,6 +239,7 @@ module "marklogic" {
   # TODO DT-803 Reduce/remove this once we are happy with our testing on staging
   weekly_backup_bucket_retention_days    = 60
   iam_github_openid_connect_provider_arn = module.github_actions_openid_connect_provider.github_oidc_provider_arn
+  ses_deploy_secret_arns                 = [module.delta_ses_user.deploy_secret_arn, module.cpm_ses_user.deploy_secret_arn]
 }
 
 module "gh_runner" {

diff --git a/terraform/production/outputs.tf b/terraform/production/outputs.tf
@@ -144,6 +144,10 @@ output "deploy_user_kms_key_arn" {
   value = module.marklogic.deploy_user_kms_key_arn
 }
 
+output "deploy_user_delta_kms_key_arn" {
+  value = module.delta_ses_user.deploy_secret_arn
+}
+
 output "auth_internal_alb" {
   value = module.auth_internal_alb.alb
 }

diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
@@ -322,6 +322,7 @@ module "marklogic" {
   ebs_backup_role_arn                     = module.ebs_backup.role_arn
   ebs_backup_completed_sns_topic_arn      = module.ebs_backup.sns_topic_arn
   iam_github_openid_connect_provider_arn  = data.aws_iam_openid_connect_provider.github.arn
+  ses_deploy_secret_arns                  = [module.delta_ses_user.deploy_secret_arn, module.cpm_ses_user.deploy_secret_arn]
 }
 
 module "gh_runner" {
@@ -391,7 +392,6 @@ module "delta_ses_user" {
   ses_identity_arns     = [module.ses_identity.arn]
   from_address_patterns = ["[email protected]"]
   environment           = local.environment
-  kms_key_arn           = module.marklogic.deploy_user_kms_key_arn
   vpc_id                = module.networking.vpc.id
 }
 
@@ -401,7 +401,6 @@ module "cpm_ses_user" {
   ses_identity_arns     = [module.ses_identity.arn]
   from_address_patterns = ["[email protected]"]
   environment           = local.environment
-  kms_key_arn           = module.marklogic.deploy_user_kms_key_arn
   vpc_id                = module.networking.vpc.id
 }
 

diff --git a/terraform/staging/outputs.tf b/terraform/staging/outputs.tf
@@ -153,6 +153,10 @@ output "deploy_user_kms_key_arn" {
   value = module.marklogic.deploy_user_kms_key_arn
 }
 
+output "deploy_user_delta_kms_key_arn" {
+  value = module.delta_ses_user.deploy_secret_arn
+}
+
 output "auth_internal_alb" {
   value = module.auth_internal_alb.alb
 }

diff --git a/terraform/test/main.tf b/terraform/test/main.tf
@@ -327,6 +327,7 @@ module "marklogic" {
   ebs_backup_role_arn                     = module.ebs_backup.role_arn
   ebs_backup_completed_sns_topic_arn      = module.ebs_backup.sns_topic_arn
   iam_github_openid_connect_provider_arn  = module.github_actions_openid_connect_provider.github_oidc_provider_arn
+  ses_deploy_secret_arns                  = []
 }
 
 module "gh_runner" {
@@ -405,7 +406,6 @@ module "ses_user" {
   ses_identity_arns     = [module.ses_identity.arn]
   from_address_patterns = ["*@datacollection.dluhc-dev.uk"]
   environment           = local.environment
-  kms_key_arn           = null
   vpc_id                = module.networking.vpc.id
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,4 +33,4 @@ output "daily_backup_bucket_arn" { @@
     output "weekly_backup_bucket_arn" {
       value = module.weekly_backup_bucket.bucket_arn
-    }
+    }