Merge f4daf4d into d0622e5

ministryofjustice · Aug 14, 2024 · 0e0076f · 0e0076f
2 parents d0622e5 + f4daf4d
commit 0e0076f
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 1 deletion.
diff --git a/terraform/environment/region/event_received.tf b/terraform/environment/region/event_received.tf
@@ -34,6 +34,7 @@ module "event_received" {
   }
 
   providers = {
-    aws.region = aws.region
+    aws.region     = aws.region
+    aws.management = aws.management
   }
 }
diff --git a/terraform/environment/region/modules/app/ecs.tf b/terraform/environment/region/modules/app/ecs.tf
@@ -135,6 +135,11 @@ data "aws_kms_alias" "opensearch_encryption_key" {
   provider = aws.region
 }
 
+data "aws_kms_alias" "jwt_key" {
+  name     = "alias/opg-data-lpa-store/${data.aws_default_tags.current.tags.account-name}/jwt-key"
+  provider = aws.management
+}
+
 data "aws_secretsmanager_secret" "private_jwt_key" {
   name     = "private-jwt-key-base64"
   provider = aws.region
@@ -209,6 +214,7 @@ data "aws_iam_policy_document" "task_role_access_policy" {
 
     resources = [
       data.aws_kms_alias.secrets_manager_secret_encryption_key.target_key_arn,
+      data.aws_kms_alias.jwt_key.target_key_arn,
     ]
   }
 
@@ -486,6 +492,10 @@ locals {
         {
           name  = "SEARCH_INDEXING_DISABLED",
           value = "1"
+        },
+        {
+          name  = "JWT_KEY_SECRET_ARN",
+          value = data.aws_secretsmanager_secret.lpa_store_jwt_key.arn
         }
       ]
     }

diff --git a/terraform/environment/region/modules/event_received/data_sources.tf b/terraform/environment/region/modules/event_received/data_sources.tf
@@ -24,3 +24,13 @@ data "aws_secretsmanager_secret" "lpa_store_jwt_secret_key" {
   name     = "lpa-store-jwt-secret-key"
   provider = aws.region
 }
+
+data "aws_kms_alias" "jwt_key" {
+  name     = "alias/opg-data-lpa-store/${data.aws_default_tags.current.tags.account-name}/jwt-key"
+  provider = aws.management
+}
+
+data "aws_secretsmanager_secret" "lpa_store_jwt_key" {
+  name     = "opg-data-lpa-store/${data.aws_default_tags.current.tags.account-name}/jwt-key"
+  provider = aws.management
+}
diff --git a/terraform/environment/region/modules/event_received/lambda.tf b/terraform/environment/region/modules/event_received/lambda.tf
@@ -14,6 +14,7 @@ module "event_received" {
     SEARCH_INDEX_NAME          = var.search_index_name
     SEARCH_INDEXING_DISABLED   = 1
     EVENT_BUS_NAME             = var.event_bus_name
+    JWT_KEY_SECRET_ARN         = data.aws_secretsmanager_secret.lpa_store_jwt_key.arn
   }
   image_uri            = "${var.lambda_function_image_ecr_url}:${var.lambda_function_image_tag}"
   aws_iam_role         = var.event_received_lambda_role
@@ -206,6 +207,7 @@ data "aws_iam_policy_document" "event_received" {
     resources = [
       data.aws_secretsmanager_secret.gov_uk_notify_api_key.arn,
       data.aws_secretsmanager_secret.lpa_store_jwt_secret_key.arn,
+      data.aws_secretsmanager_secret.lpa_store_jwt_key.arn,
     ]
   }
 
@@ -215,6 +217,7 @@ data "aws_iam_policy_document" "event_received" {
     resources = [
       data.aws_kms_alias.secrets_manager_secret_encryption_key.target_key_arn,
       data.aws_kms_alias.aws_lambda.target_key_arn,
+      data.aws_kms_alias.jwt_key.target_key_arn,
     ]
 
     actions = [

diff --git a/terraform/environment/region/modules/event_received/versions.tf b/terraform/environment/region/modules/event_received/versions.tf
@@ -7,6 +7,7 @@ terraform {
       version = "~> 5.61.0"
       configuration_aliases = [
         aws.region,
+        aws.management
       ]
     }
   }