From 6040f59b7eec79f26a4be94e9a52b7d4c36aff32 Mon Sep 17 00:00:00 2001 
From: Adam Brown
Date: Fri, 13 Oct 2023 15:33:36 +0100
Subject: [PATCH] [AEA-3537] CF Refactor Cleanup (#191)

## Summary
- Routine Change
### Details
- Removes temporary files needed for CF refactor
## Reviews Required
- [x] Dev
- [ ] Test
- [ ] Tech Author
- [ ] Product Owner
## Review Checklist
:information_source: This section is to be filled in by the **reviewer**.
- [ ] I have reviewed the changes in this PR and they fill all or part of the acceptance criteria of the ticket, and the code is in a mergeable state.
- [ ] If there were infrastructure, operational, or build changes, I have made sure there is sufficient evidence that the changes will work.
- [ ] I have ensured the jira ticket has been updated with the github pull request link
---
 cloudformation/account_resources_1.yml | 303 -------
 cloudformation/ci_resources_dev_1.yml | 789 -------------------
 cloudformation/ci_resources_dev_2.yml | 566 -------------
 cloudformation/ci_resources_int_1.yml | 789 -------------------
 cloudformation/ci_resources_int_2.yml | 566 -------------
 cloudformation/ci_resources_prod_1.yml | 789 -------------------
 cloudformation/ci_resources_prod_2.yml | 566 -------------
 cloudformation/ci_resources_qa_1.yml | 789 -------------------
 cloudformation/ci_resources_qa_2.yml | 566 -------------
 cloudformation/ci_resources_ref_1.yml | 789 -------------------
 cloudformation/ci_resources_ref_2.yml | 566 -------------
 cloudformation/resources_to_import.ref | 590 --------------
 cloudformation/resources_to_import_dev.txt | 93 ---
 cloudformation/resources_to_import_int.json | 93 ---
 cloudformation/resources_to_import_prod.json | 93 ---
 cloudformation/resources_to_import_qa.json | 93 ---
 cloudformation/resources_to_import_ref.json | 93 ---
 17 files changed, 8133 deletions(-)
 delete mode 100644 cloudformation/account_resources_1.yml
 delete mode 100644 cloudformation/ci_resources_dev_1.yml
 delete mode 100644 cloudformation/ci_resources_dev_2.yml
 delete mode 100644 cloudformation/ci_resources_int_1.yml
 delete mode 100644 cloudformation/ci_resources_int_2.yml
 delete mode 100644 cloudformation/ci_resources_prod_1.yml
 delete mode 100644 cloudformation/ci_resources_prod_2.yml
 delete mode 100644 cloudformation/ci_resources_qa_1.yml
 delete mode 100644 cloudformation/ci_resources_qa_2.yml
 delete mode 100644 cloudformation/ci_resources_ref_1.yml
 delete mode 100644 cloudformation/ci_resources_ref_2.yml
 delete mode 100644 cloudformation/resources_to_import.ref
 delete mode 100644 cloudformation/resources_to_import_dev.txt
 delete mode 100644 cloudformation/resources_to_import_int.json
 delete mode 100644 cloudformation/resources_to_import_prod.json
 delete mode 100644 cloudformation/resources_to_import_qa.json
 delete mode 100644 cloudformation/resources_to_import_ref.json

diff --git a/cloudformation/account_resources_1.yml b/cloudformation/account_resources_1.yml
deleted file mode 100644
index c74eb89cc..000000000
--- a/cloudformation/account_resources_1.yml
+++ /dev/null
@@ -1,303 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Resources: - ApiGwCloudWatchRole: - Type: "AWS::IAM::Role" - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: - - apigateway.amazonaws.com - Action: "sts:AssumeRole" - Policies: - - PolicyName: "AllowApiGwLogging" - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "logs:CreateLogGroup" - - "logs:CreateLogStream" - - "logs:DescribeLogGroups" - - "logs:DescribeLogStreams" - - "logs:PutLogEvents" - - "logs:GetLogEvents" - - "logs:FilterLogEvents" - - "logs:CreateLogDelivery" - - "logs:PutResourcePolicy" - - "logs:UpdateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:DescribeResourcePolicies" - - "logs:GetLogDelivery" - - "logs:ListLogDeliveries" - Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/apigateway/*" - - Account: - Type: "AWS::ApiGateway::Account" - Properties: - CloudWatchRoleArn: !GetAtt ApiGwCloudWatchRole.Arn - - CloudwatchResourcePolicy: - Type: "AWS::Logs::ResourcePolicy" - Properties: - PolicyName: "AWSLogDeliveryWrite20150319" - PolicyDocument: '{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ] } ] }' - - CloudwatchLogsKmsKey: - Type: "AWS::KMS::Key" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-policy-id - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" - Action: "kms:*" - Resource: "*" - - Sid: Allow API Gateway Logging - Effect: Allow - Principal: - Service: !Sub "logs.${AWS::Region}.amazonaws.com" - Action: - - kms:Encrypt* - - kms:Decrypt* - - kms:ReEncrypt* - - kms:GenerateDataKey* - - kms:Describe* - Resource: "*" - Condition: - ArnEquals: - kms:EncryptionContext:aws:logs:arn: !Sub 
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/apigateway/*" - - Sid: Allow API Gateway Role - Effect: Allow - Principal: - AWS: !GetAtt ApiGwCloudWatchRole.Arn - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/apigateway/*" - - CloudwatchLogsKmsKeyAlias: - Type: AWS::KMS::Alias - Properties: - AliasName: alias/ApiGwCloudwatchLogsKmsKeyAlias - TargetKeyId: !Ref CloudwatchLogsKmsKey - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - 
"arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - 
SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - -Outputs: - CloudwatchLogsKmsKeyArn: - Description: "The Arn of the API GW cloudwatch logs KMS Key" - Value: !GetAtt CloudwatchLogsKmsKey.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudwatchLogsKmsKeyArn"]] diff --git a/cloudformation/ci_resources_dev_1.yml b/cloudformation/ci_resources_dev_1.yml deleted file mode 100644 index cbda7063c..000000000 --- a/cloudformation/ci_resources_dev_1.yml +++ /dev/null 
@@ -1,789 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt ArtifactsBucketKMSKey.Arn - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - "kms:Update*" - - "apigateway:DELETE" - - 
"apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt TrustStoreBucketKMSKey.Arn - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref 
ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - 
LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", 
- [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - 
Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: 
SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: 
"arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:CAKeySecret-7g4tLfbycztz-cfA3s7" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:CACertSecret-gOWD4WVgmZdW-3gE9sC" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientKeySecret-4Z1UJA6I1okR-kqSztG" - ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientCertSecret-AMQU5esIE2Pf-ORlGPr" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientSandboxKeySecret-i1BbVULPrHIp-VpaLkB" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientSandboxCertSecret-afesUigB6XnZ-W2zDSp" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePrivateKey-HnChNrtt7V8s-0xkZv8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePublicCertificate-BnxLh6WWp3ha-UMaI2i" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpineASID-zWa3SxTIKm5G-m0GZWS" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: 
"arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePartyKey-QwSRGcXj5iiE-Gy1KQR" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:591291862413:key/2bd1ac53-f6a5-4d95-9553-764c0cbe5b0f" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpineCAChain-devzI7ZLqyPy-DaV6su" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::591291862413:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:591291862413:key/01c6d877-d492-4000-8145-1cb0b626565a" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] 
diff --git a/cloudformation/ci_resources_dev_2.yml b/cloudformation/ci_resources_dev_2.yml
deleted file mode 100644
index e55d40aa9..000000000
--- a/cloudformation/ci_resources_dev_2.yml
+++ /dev/null
@@ -1,566 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:591291862413:key/91f11a0a-255d-4f25-9d5d-e2711d3c4b20" - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - 
"kms:Update*" - - "apigateway:DELETE" - - "apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:591291862413:key/86bc22d8-391d-4597-b606-e366d1d4f069" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-artifactsbucket-8tfokumg8i3z" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - 
"s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-truststorebucket-1emm0xo65wil5" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5/*" - - "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5/*" - - "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-auditloggingbucket-qinzx9hzgs2j" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j/*" - - "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j/splunkDeliveryStreamBackup/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j/artifact/*" - Principal: - Service: logging.s3.amazonaws.com - 
Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j/truststore/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3/*" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3/*" - Principal: - AWS: - - "arn:aws:iam::591291862413:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - "arn:aws:kms:eu-west-2:591291862413:key/01c6d877-d492-4000-8145-1cb0b626565a" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: 
"AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3/*" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - - CAKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - Type: AWS::SecretsManager::Secret - Properties: - 
Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - CloudFormationExecutionRoleName: - Description: Name of the IAM Role(CloudFormationExecutionRole) - Value: !Ref CloudFormationExecutionRole - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRoleName"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-8tfokumg8i3z" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: "arn:aws:s3:::ci-resources-truststorebucket-1emm0xo65wil5" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:CAKeySecret-7g4tLfbycztz-cfA3s7" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:CACertSecret-gOWD4WVgmZdW-3gE9sC" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientKeySecret-4Z1UJA6I1okR-kqSztG" - 
ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientCertSecret-AMQU5esIE2Pf-ORlGPr" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientSandboxKeySecret-i1BbVULPrHIp-VpaLkB" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:ClientSandboxCertSecret-afesUigB6XnZ-W2zDSp" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePrivateKey-HnChNrtt7V8s-0xkZv8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePublicCertificate-BnxLh6WWp3ha-UMaI2i" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpineASID-zWa3SxTIKm5G-m0GZWS" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpinePartyKey-QwSRGcXj5iiE-Gy1KQR" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:591291862413:key/2bd1ac53-f6a5-4d95-9553-764c0cbe5b0f" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:591291862413:secret:SpineCAChain-devzI7ZLqyPy-DaV6su" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: 
"arn:aws:s3:::ci-resources-auditloggingbucket-qinzx9hzgs2j" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::591291862413:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:591291862413:key/01c6d877-d492-4000-8145-1cb0b626565a" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]]
diff --git a/cloudformation/ci_resources_int_1.yml b/cloudformation/ci_resources_int_1.yml
deleted file mode 100644
index 4cfc27215..000000000
--- a/cloudformation/ci_resources_int_1.yml
+++ /dev/null
@@ -1,789 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt ArtifactsBucketKMSKey.Arn - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - "kms:Update*" - - "apigateway:DELETE" - - 
"apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt TrustStoreBucketKMSKey.Arn - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref 
ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - 
LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", 
- [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - 
Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: 
SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: 
"arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:CAKeySecret-4TPqF7pJU7zV-bsADow" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:CACertSecret-g0HYKRs3JD2e-GVjfc6" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientKeySecret-ZOzOHTscmeqU-45Sl4i" - ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientCertSecret-l9fBFdVmFSSB-IONS4H" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientSandboxKeySecret-kdyRRtxYIAcs-GZykli" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientSandboxCertSecret-8AFbM33zygEp-87bcki" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePrivateKey-Wm0lwn8GKiuF-DEwGAC" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePublicCertificate-JuqBiFFNVYxx-S3lVNP" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpineASID-XguJCr6SyVdy-Fj2wsW" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: 
"arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePartyKey-9gracUnJf99O-MHFdPY" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:399793560585:key/2056234e-6476-4e18-a166-9f43bca567d7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpineCAChain-w4FsLBdgoeBi-cEWAV3" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::399793560585:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:399793560585:key/5750eeaa-de6d-47aa-aeb1-a8302c4fb198" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] 
diff --git a/cloudformation/ci_resources_int_2.yml b/cloudformation/ci_resources_int_2.yml deleted file mode 100644 index 6cb23aa48..000000000 --- a/cloudformation/ci_resources_int_2.yml +++ /dev/null 
@@ -1,566 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:399793560585:key/15b9207c-bc32-4d5d-9910-628baf3deeef" - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - 
"kms:Update*" - - "apigateway:DELETE" - - "apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:399793560585:key/9f53466d-e5d2-4d9e-938d-786db0a703c4" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-artifactsbucket-4687sfjwdxcw" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - 
"s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-truststorebucket-lz9g6bkko6tj" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj/*" - - "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj/*" - - "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-auditloggingbucket-1fuls8ilhv5wc" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc/*" - - "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc/splunkDeliveryStreamBackup/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc/artifact/*" - Principal: - Service: logging.s3.amazonaws.com - 
Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc/truststore/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex/*" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex/*" - Principal: - AWS: - - "arn:aws:iam::399793560585:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - "arn:aws:kms:eu-west-2:399793560585:key/5750eeaa-de6d-47aa-aeb1-a8302c4fb198" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: 
"AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex/*" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - - CAKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - Type: AWS::SecretsManager::Secret - Properties: - 
Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - CloudFormationExecutionRoleName: - Description: Name of the IAM Role(CloudFormationExecutionRole) - Value: !Ref CloudFormationExecutionRole - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRoleName"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-4687sfjwdxcw" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: "arn:aws:s3:::ci-resources-truststorebucket-lz9g6bkko6tj" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:CAKeySecret-4TPqF7pJU7zV-bsADow" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:CACertSecret-g0HYKRs3JD2e-GVjfc6" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientKeySecret-ZOzOHTscmeqU-45Sl4i" - 
ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientCertSecret-l9fBFdVmFSSB-IONS4H" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientSandboxKeySecret-kdyRRtxYIAcs-GZykli" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:ClientSandboxCertSecret-8AFbM33zygEp-87bcki" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePrivateKey-Wm0lwn8GKiuF-DEwGAC" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePublicCertificate-JuqBiFFNVYxx-S3lVNP" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpineASID-XguJCr6SyVdy-Fj2wsW" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpinePartyKey-9gracUnJf99O-MHFdPY" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:399793560585:key/2056234e-6476-4e18-a166-9f43bca567d7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:399793560585:secret:SpineCAChain-w4FsLBdgoeBi-cEWAV3" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: 
"arn:aws:s3:::ci-resources-auditloggingbucket-1fuls8ilhv5wc" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::399793560585:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82I" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:399793560585:key/5750eeaa-de6d-47aa-aeb1-a8302c4fb198" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] diff --git a/cloudformation/ci_resources_prod_1.yml b/cloudformation/ci_resources_prod_1.yml deleted file mode 100644 index 18ad37d97..000000000 --- a/cloudformation/ci_resources_prod_1.yml +++ /dev/null 
@@ -1,789 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt ArtifactsBucketKMSKey.Arn - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - "kms:Update*" - - "apigateway:DELETE" - - 
"apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt TrustStoreBucketKMSKey.Arn - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref 
ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - 
LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", 
- [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - 
Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: 
SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: 
"arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:CAKeySecret-pokWcF9Ao6Dp-znkmP4" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:CACertSecret-wW0A6VziYzay-0SYdwN" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientKeySecret-m0aM51kGzG5d-VPTB8h" - ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientCertSecret-bRjkFZHZerfn-eCwbgG" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientSandboxKeySecret-8xfmFoGFdnjy-6E43Sd" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientSandboxCertSecret-8o6Tn9UUfwtJ-gyC8UD" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePrivateKey-QRDDCTNvpSpd-k2owvm" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePublicCertificate-nRxjEs7KJJNj-spMlgK" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpineASID-YA1O1qSsQDxe-fOy8jN" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: 
"arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePartyKey-kZuJfCrZwjdG-wuZQN7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:434629240718:key/9c0a42ec-2d75-4249-8557-49762074e0d4" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpineCAChain-i0zCQjuLlXeD-H4AaNq" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::434629240718:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:434629240718:key/39fd1f88-44d4-4f37-bb3c-16317e66c872" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] 
diff --git a/cloudformation/ci_resources_prod_2.yml b/cloudformation/ci_resources_prod_2.yml
deleted file mode 100644
index 592854a6a..000000000
--- a/cloudformation/ci_resources_prod_2.yml
+++ /dev/null
@@ -1,566 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:434629240718:key/0175b61d-311c-41e1-a0cc-1b98aaa6fd5b" - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - 
"kms:Update*" - - "apigateway:DELETE" - - "apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:434629240718:key/aa7183fd-8726-4474-88fa-2dac545b6c9c" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-artifactsbucket-1q5cgjvlusl0g" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - 
"s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-truststorebucket-12enzhmcfaene" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene/*" - - "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene/*" - - "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-auditloggingbucket-xdzoeka33gt" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt/*" - - "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt/splunkDeliveryStreamBackup/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt/artifact/*" - Principal: - Service: logging.s3.amazonaws.com - 
Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt/truststore/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o/*" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o/*" - Principal: - AWS: - - "arn:aws:iam::434629240718:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - "arn:aws:kms:eu-west-2:434629240718:key/39fd1f88-44d4-4f37-bb3c-16317e66c872" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: 
"AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o/*" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - - CAKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - Type: AWS::SecretsManager::Secret - Properties: - 
Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - CloudFormationExecutionRoleName: - Description: Name of the IAM Role(CloudFormationExecutionRole) - Value: !Ref CloudFormationExecutionRole - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRoleName"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-1q5cgjvlusl0g" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: "arn:aws:s3:::ci-resources-truststorebucket-12enzhmcfaene" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:CAKeySecret-pokWcF9Ao6Dp-znkmP4" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:CACertSecret-wW0A6VziYzay-0SYdwN" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientKeySecret-m0aM51kGzG5d-VPTB8h" - 
ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientCertSecret-bRjkFZHZerfn-eCwbgG" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientSandboxKeySecret-8xfmFoGFdnjy-6E43Sd" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:ClientSandboxCertSecret-8o6Tn9UUfwtJ-gyC8UD" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePrivateKey-QRDDCTNvpSpd-k2owvm" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePublicCertificate-nRxjEs7KJJNj-spMlgK" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpineASID-YA1O1qSsQDxe-fOy8jN" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpinePartyKey-kZuJfCrZwjdG-wuZQN7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:434629240718:key/9c0a42ec-2d75-4249-8557-49762074e0d4" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:434629240718:secret:SpineCAChain-i0zCQjuLlXeD-H4AaNq" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: 
"arn:aws:s3:::ci-resources-auditloggingbucket-xdzoeka33gt" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::434629240718:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:434629240718:key/39fd1f88-44d4-4f37-bb3c-16317e66c872" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] diff --git a/cloudformation/ci_resources_qa_1.yml b/cloudformation/ci_resources_qa_1.yml deleted file mode 100644 index 128544408..000000000 --- a/cloudformation/ci_resources_qa_1.yml +++ /dev/null 
@@ -1,789 +0,0 @@
-AWSTemplateFormatVersion: "2010-09-09"
-Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment.
-
-Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version:
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt ArtifactsBucketKMSKey.Arn - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - "kms:Update*" - - "apigateway:DELETE" - - 
"apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt TrustStoreBucketKMSKey.Arn - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref 
ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - 
LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", 
- [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - 
Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: 
SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: 
"arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:CAKeySecret-FGRkdzEKNSr9-dF5uUX" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:CACertSecret-cWhiu08enzJ0-4hDAw8" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientKeySecret-KXD80SHrCVkW-aLEi7M" - ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientCertSecret-OVemrGdiL8ER-0ZDsuB" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientSandboxKeySecret-Nputlsk3ekkf-r1PLQC" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientSandboxCertSecret-JgDyPGQ9OaRK-0a6zkI" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePrivateKey-5TIiK9eMGGVg-SaneIe" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePublicCertificate-4z3BnBAdHSYB-Ujb8zb" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpineASID-1elMzJL9GAHp-o4CST7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: 
"arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePartyKey-jCav4euIogIi-bbE2sw" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:394382261442:key/c74d9e49-030b-4ed9-a882-9336dc54bbea" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpineCAChain-Rz2BZZs95pQD-MZ62d8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::394382261442:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:394382261442:key/af6414de-0cdc-454a-83eb-c306e2a0e062" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] 
diff --git a/cloudformation/ci_resources_qa_2.yml b/cloudformation/ci_resources_qa_2.yml
deleted file mode 100644
index 192178b97..000000000
--- a/cloudformation/ci_resources_qa_2.yml
+++ /dev/null
@@ -1,566 +0,0 @@
-AWSTemplateFormatVersion: "2010-09-09"
-Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment.
-
-Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version:
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:394382261442:key/d64a6c3c-08be-4a0b-919b-5714e3796f55" - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - 
"kms:Update*" - - "apigateway:DELETE" - - "apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:394382261442:key/7ce43a79-1a08-4906-91c1-53fd007cb237" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-artifactsbucket-1qldqrx1rpxbs" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - 
"s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: ci-resources-truststorebucket-qcoogm3bx7q8 - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8/*" - - "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8/*" - - "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-auditloggingbucket-172cr1kpwj6qo" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo/*" - - "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo/splunkDeliveryStreamBackup/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo/artifact/*" - Principal: - Service: logging.s3.amazonaws.com - 
Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo/truststore/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5/*" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5/*" - Principal: - AWS: - - "arn:aws:iam::394382261442:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - "arn:aws:kms:eu-west-2:394382261442:key/af6414de-0cdc-454a-83eb-c306e2a0e062" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: 
"AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5/*" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - - CAKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - Type: AWS::SecretsManager::Secret - Properties: - 
Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - CloudFormationExecutionRoleName: - Description: Name of the IAM Role(CloudFormationExecutionRole) - Value: !Ref CloudFormationExecutionRole - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRoleName"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-1qldqrx1rpxbs" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: "arn:aws:s3:::ci-resources-truststorebucket-qcoogm3bx7q8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:CAKeySecret-FGRkdzEKNSr9-dF5uUX" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:CACertSecret-cWhiu08enzJ0-4hDAw8" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientKeySecret-KXD80SHrCVkW-aLEi7M" - 
ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientCertSecret-OVemrGdiL8ER-0ZDsuB" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientSandboxKeySecret-Nputlsk3ekkf-r1PLQC" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:ClientSandboxCertSecret-JgDyPGQ9OaRK-0a6zkI" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePrivateKey-5TIiK9eMGGVg-SaneIe" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePublicCertificate-4z3BnBAdHSYB-Ujb8zb" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpineASID-1elMzJL9GAHp-o4CST7" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpinePartyKey-jCav4euIogIi-bbE2sw" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:394382261442:key/c74d9e49-030b-4ed9-a882-9336dc54bbea" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:394382261442:secret:SpineCAChain-Rz2BZZs95pQD-MZ62d8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: 
"arn:aws:s3:::ci-resources-auditloggingbucket-172cr1kpwj6qo" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::394382261442:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:394382261442:key/af6414de-0cdc-454a-83eb-c306e2a0e062" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]]
diff --git a/cloudformation/ci_resources_ref_1.yml b/cloudformation/ci_resources_ref_1.yml
deleted file mode 100644
index fc2c2bab0..000000000
--- a/cloudformation/ci_resources_ref_1.yml
+++ /dev/null
@@ -1,789 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt ArtifactsBucketKMSKey.Arn - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - "kms:Update*" - - "apigateway:DELETE" - - 
"apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: !GetAtt TrustStoreBucketKMSKey.Arn - - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref 
ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - 
LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", 
- [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - 
Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - UpdateReplacePolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: 
SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: 
"arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:CAKeySecret-DEziVke7BYcq-jPpDPf" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:CACertSecret-7GSLlGtXLOPd-eS2ueh" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientKeySecret-vHisKhSQfmvh-hrY9ni" - ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientCertSecret-jaqK9t8SI613-uyywXj" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientSandboxKeySecret-lSHVc8zXAREu-D4HlIn" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientSandboxCertSecret-0SlZLHdQn6ka-XhxPpJ" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePrivateKey-r2R7lEsTDmaG-bq6aNy" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePublicCertificate-YQPyMJQ71dc3-xbvtGF" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpineASID-ezvJhLuxZxug-OhOuNe" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: 
"arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePartyKey-qljJbIDuAGzO-1UqROC" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:158471595810:key/6a6560b7-186f-4795-9711-a7615f3794de" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpineCAChain-9vBpCCzx1cSn-Zmhxl0" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::158471595810:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:158471595810:key/57c62141-7a41-4ce7-afe5-bf1b4addfb82" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]] 
diff --git a/cloudformation/ci_resources_ref_2.yml b/cloudformation/ci_resources_ref_2.yml
deleted file mode 100644
index 003f6d3b4..000000000
--- a/cloudformation/ci_resources_ref_2.yml
+++ /dev/null
@@ -1,566 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Parameters: - SubjectClaimFilters: - Type: CommaDelimitedList - Default: "repo:NHSDigital/prescriptionsforpatients:*" - Description: > - Subject claim filter for valid tokens. - Default allows only pull requests of the NHSDigital/prescriptionsforpatients to assume the role. - See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims - for examples of filtering by branch or deployment environment. - -Resources: - GitHubIdentityProvider: - Type: AWS::IAM::OIDCProvider - Properties: - Url: https://token.actions.githubusercontent.com - ThumbprintList: - - 6938fd4d98bab03faadb97b34396831e3780aea1 - ClientIdList: - - sts.amazonaws.com - - CloudFormationDeployRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Action: sts:AssumeRoleWithWebIdentity - Principal: - Federated: !GetAtt GitHubIdentityProvider.Arn - Condition: - StringEquals: - token.actions.githubusercontent.com:aud: sts.amazonaws.com - StringLike: - token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters - Policies: - - PolicyName: CreateCloudFormationStack - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateStack" - - "cloudformation:UpdateStack" - - "cloudformation:DeleteStack" - - "cloudformation:DescribeStacks" - - "cloudformation:ListExports" - - "cloudformation:CreateChangeSet" - - "cloudformation:DescribeChangeSet" - - "cloudformation:ExecuteChangeSet" - - "cloudformation:DescribeStackEvents" - - "cloudformation:GetTemplateSummary" - - "cloudformation:ListStacks" - Resource: "*" - - PolicyName: AssumeExecutionRole - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "iam:PassRole" - Resource: !GetAtt CloudFormationExecutionRole.Arn - - PolicyName: UseArtifactBucketKMSKey - PolicyDocument: - Version: 
"2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:158471595810:key/fdcbdae8-40ec-4cc6-a8ce-7a9411a60f8c" - - CloudFormationExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: cloudformation.amazonaws.com - Action: - - "sts:AssumeRole" - # see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for permissions - Policies: - - PolicyName: GrantCloudFormationDeployAccess - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "cloudformation:CreateChangeSet" - - "iam:Attach*" - - "iam:Create*" - - "iam:Delete*" - - "iam:Detach*" - - "iam:Get*" - - "iam:List*" - - "iam:Put*" - - "iam:Remove*" - - "iam:Tag*" - - "iam:Untag*" - - "iam:Update*" - - "iam:PassRole" - - "logs:AssociateKmsKey" - - "logs:DisassociateKmsKey" - - "logs:CreateLogGroup" - - "logs:DeleteLogGroup" - - "logs:TagLogGroup" - - "logs:CreateLogStream" - - "logs:DeleteLogStream" - - "logs:PutRetentionPolicy" - - "logs:DeleteRetentionPolicy" - - "logs:PutSubscriptionFilter" - - "logs:DescribeSubscriptionFilters" - - "logs:DeleteSubscriptionFilter" - - "logs:DescribeLogGroups" - - "logs:CreateLogDelivery" - - "logs:DeleteLogDelivery" - - "logs:ListLogDeliveries" - - "logs:GetLogDelivery" - - "logs:UpdateLogDelivery" - - "logs:ListTagsLogGroup" - - "logs:UntagLogGroup" - - "lambda:Add*" - - "lambda:CreateFunction" - - "lambda:Delete*" - - "lambda:Get*" - - "lambda:List*" - - "lambda:Publish*" - - "lambda:Put*" - - "lambda:Remove*" - - "lambda:Tag*" - - "lambda:Untag*" - - "lambda:Update*" - - "kms:Create*" - - "kms:Delete*" - - "kms:Describe*" - - "kms:Get*" - - "kms:List*" - - "kms:Put*" - - "kms:ScheduleKeyDeletion*" - - "kms:Tag*" - - "kms:Untag*" - - 
"kms:Update*" - - "apigateway:DELETE" - - "apigateway:GET" - - "apigateway:POST" - - "apigateway:PATCH" - - "apigateway:PUT" - - "apigateway:AddCertificateToDomain" - - "apigateway:RemoveCertificateFromDomain" - - "apigateway:TagResource" - # s3 permissions can be removed once https://github.com/NHSDigital/prescriptionsforpatients/pull/165 is merged - - "s3:CreateBucket" - - "s3:DeleteBucket" - - "s3:SetBucketEncryption" - - "s3:PutEncryptionConfiguration" - - "s3:PutBucketVersioning" - - "s3:GetBucketTagging" - - "s3:PutBucketTagging" - - "firehose:CreateDeliveryStream" - - "firehose:DescribeDeliveryStream" - - "firehose:DeleteDeliveryStream" - - "firehose:UpdateDestination" - - "firehose:ListTagsForDeliveryStream" - - "firehose:TagDeliveryStream" - - "firehose:UntagDeliveryStream" - - "acm:AddTagsToCertificate" - - "acm:DeleteCertificate" - - "acm:DescribeCertificate" - - "acm:GetCertificate" - - "acm:ListCertificates" - - "acm:ListTagsForCertificate" - - "acm:RemoveTagsFromCertificate" - - "acm:RenewCertificate" - - "acm:RequestCertificate" - - "route53:ChangeResourceRecordSets" - - "route53:GetHostedZone" - - "route53:ListResourceRecordSets" - - "route53:GetChange" - Resource: "*" - - PolicyName: UseTrustStoreBucketKMSKey - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - "kms:DescribeKey" - - "kms:GenerateDataKey*" - - "kms:Encrypt" - - "kms:ReEncrypt*" - - "kms:Decrypt" - Resource: "arn:aws:kms:eu-west-2:158471595810:key/854405c3-bd0a-4952-b558-05ddef46847a" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-artifactsbucket-197tpxmwhvin8" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - 
"s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8/*" - - "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-truststorebucket-1q9yub6qofamp" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp/*" - - "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp/*" - - "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp" - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-auditloggingbucket-t5w9ycwwsqsu" - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu/*" - - "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu" - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu/splunkDeliveryStreamBackup/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu/artifact/*" - Principal: - Service: logging.s3.amazonaws.com - 
Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8" - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - "arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu/truststore/*" - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - Properties: - Bucket: "ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn/*" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn/*" - Principal: - AWS: - - "arn:aws:iam::158471595810:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - - SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: 
"AWS::IAM::Policy" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - - "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn/*" - Roles: - - "ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - - CAKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - Type: AWS::SecretsManager::Secret - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - Type: AWS::SecretsManager::Secret - Properties: - 
Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - Type: AWS::SecretsManager::Secret - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - Type: AWS::SecretsManager::Secret - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - CloudFormationDeployRole: - Description: ARN of the IAM Role(CloudFormationDeployRole) - Value: !GetAtt CloudFormationDeployRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationDeployRole"]] - CloudFormationExecutionRole: - Description: ARN of the IAM Role(CloudFormationExecutionRole) - Value: !GetAtt CloudFormationExecutionRole.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRole"]] - CloudFormationExecutionRoleName: - Description: Name of the IAM Role(CloudFormationExecutionRole) - Value: !Ref CloudFormationExecutionRole - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "CloudFormationExecutionRoleName"]] - - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: "arn:aws:s3:::ci-resources-artifactsbucket-197tpxmwhvin8" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: "arn:aws:s3:::ci-resources-truststorebucket-1q9yub6qofamp" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:CAKeySecret-DEziVke7BYcq-jPpDPf" - CACertSecret: - Description: ARN of the CA cert secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:CACertSecret-7GSLlGtXLOPd-eS2ueh" - ClientKeySecret: - Description: ARN of the client key secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientKeySecret-vHisKhSQfmvh-hrY9ni" - 
ClientCertSecret: - Description: ARN of the client cert secret - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientCertSecret-jaqK9t8SI613-uyywXj" - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientSandboxKeySecret-lSHVc8zXAREu-D4HlIn" - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:ClientSandboxCertSecret-0SlZLHdQn6ka-XhxPpJ" - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePrivateKey-r2R7lEsTDmaG-bq6aNy" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePublicCertificate-YQPyMJQ71dc3-xbvtGF" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpineASID-ezvJhLuxZxug-OhOuNe" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpinePartyKey-qljJbIDuAGzO-1UqROC" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: "arn:aws:kms:eu-west-2:158471595810:key/6a6560b7-186f-4795-9711-a7615f3794de" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: "arn:aws:secretsmanager:eu-west-2:158471595810:secret:SpineCAChain-9vBpCCzx1cSn-Zmhxl0" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: 
"arn:aws:s3:::ci-resources-auditloggingbucket-t5w9ycwwsqsu" - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: "ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: "arn:aws:iam::158471595810:role/ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU" - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: "arn:aws:s3:::ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: "arn:aws:kms:eu-west-2:158471595810:key/57c62141-7a41-4ce7-afe5-bf1b4addfb82" - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]]
diff --git a/cloudformation/resources_to_import.ref b/cloudformation/resources_to_import.ref
deleted file mode 100644
index 7b304e1a3..000000000
--- a/cloudformation/resources_to_import.ref
+++ /dev/null
@@ -1,590 +0,0 @@ -Resources: - ArtifactsBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - ArtifactsBucketKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - Properties: - AliasName: alias/ArtifactsBucketKMSKeyAlias - TargetKeyId: !Ref ArtifactsBucketKMSKey - - ArtifactsBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: artifact/ - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - ArtifactsBucketPolicy: - Type: AWS::S3::BucketPolicy - DeletionPolicy: "Retain" - Properties: - Bucket: !Ref ArtifactsBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt ArtifactsBucket.Arn, "/*"]] - - !GetAtt ArtifactsBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - # KMS S3 encryption key - TrustStoreBucketKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User 
Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - TrustStoreBucketKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - Properties: - AliasName: alias/TrustStoreBucketKMSKeyAlias - TargetKeyId: !Ref TrustStoreBucketKMSKey - - TrustStoreBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - Properties: - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: truststore/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - VersioningConfiguration: - Status: Enabled - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${TrustStoreBucketKMSKeyKMSKeyAlias}" - SSEAlgorithm: "aws:kms" - - TrustStoreBucketPolicy: - Type: AWS::S3::BucketPolicy - DeletionPolicy: "Retain" - Properties: - Bucket: !Ref TrustStoreBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:GetObject*" - - "s3:PutObject*" - - "s3:GetBucket*" - - "s3:List*" - Resource: - - !Join ["", [!GetAtt TrustStoreBucket.Arn, "/*"]] - - !GetAtt TrustStoreBucket.Arn - Principal: - AWS: - - !GetAtt CloudFormationDeployRole.Arn - - !GetAtt CloudFormationExecutionRole.Arn - - # Note we can not use KMS key for encryption on this bucket - AuditLoggingBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - 
ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: "AES256" - - AuditLoggingBucketPolicy: - Type: AWS::S3::BucketPolicy - DeletionPolicy: "Retain" - Properties: - Bucket: !Ref AuditLoggingBucket - PolicyDocument: - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/*"]] - - !GetAtt AuditLoggingBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join [ - "", - [ - !GetAtt AuditLoggingBucket.Arn, - "/splunkDeliveryStreamBackup/*", - ], - ] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/artifact/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt ArtifactsBucket.Arn - - Effect: "Allow" - Action: - - "s3:PutObject*" - Resource: - - !Join ["", [!GetAtt AuditLoggingBucket.Arn, "/truststore/*"]] - Principal: - Service: logging.s3.amazonaws.com - Condition: - StringEquals: - aws:SourceAccount: !Ref "AWS::AccountId" - ArnLike: - aws:SourceArn: !GetAtt TrustStoreBucket.Arn - - # Backup bucket, roles and policies - # KMS S3 encryption key - SplunkDeliveryStreamBackupKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SplunkDeliveryStreamBackupKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - Properties: - AliasName: 
alias/SplunkDeliveryStreamBackupKMSKeyAlias - TargetKeyId: !Ref SplunkDeliveryStreamBackupKMSKey - - SplunkDeliveryStreamBackupBucket: - Type: AWS::S3::Bucket - DeletionPolicy: "Retain" - Properties: - VersioningConfiguration: - Status: Enabled - LoggingConfiguration: - DestinationBucketName: !Ref AuditLoggingBucket - LogFilePrefix: splunkDeliveryStreamBackup/ - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: aws:kms - KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}" - - # Delivery stream uses the backup bucket role for non-destination permissions - SplunkDeliveryStreamBackupBucketRole: - Type: "AWS::IAM::Role" - DeletionPolicy: "Retain" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: "firehose.amazonaws.com" - Action: "sts:AssumeRole" - - SplunkDeliveryStreamBackupBucketPolicy: - Type: AWS::S3::BucketPolicy - DeletionPolicy: "Retain" - Properties: - Bucket: !Ref SplunkDeliveryStreamBackupBucket - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Deny" - Action: "s3:*" - Principal: "*" - Resource: - - !Join ["", [!GetAtt SplunkDeliveryStreamBackupBucket.Arn, "/*"]] - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Condition: - Bool: - aws:SecureTransport: false - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Principal: - AWS: - - !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - - 
SplunkDeliveryStreamBackupBucketRoleKMSPolicy: - Type: "AWS::IAM::Policy" - DeletionPolicy: "Retain" - Properties: - PolicyName: "allow-SplunkDeliveryStreamBackupKMSKey-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - kms:DescribeKey - - kms:GenerateDataKey* - - kms:Encrypt - - kms:ReEncrypt* - Resource: - - !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - SplunkDeliveryStreamBackupBucketIAMPolicy: - Type: "AWS::IAM::Policy" - DeletionPolicy: "Retain" - Properties: - PolicyName: "allow-backup-bucket-access" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Action: - - s3:AbortMultipartUpload - - s3:GetBucketLocation - - s3:GetObject - - s3:ListBucket - - s3:ListBucketMultipartUploads - - s3:PutObject - Resource: - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - !Join # Access to bucket contents - - "" - - - !GetAtt SplunkDeliveryStreamBackupBucket.Arn - - "/*" - Roles: - - !Ref SplunkDeliveryStreamBackupBucketRole - - # KMS secrets encryption key - SecretsKMSKey: - Type: AWS::KMS::Key - DeletionPolicy: "Retain" - Properties: - KeyPolicy: - Version: 2012-10-17 - Id: key-s3 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Join - - "" - - - "arn:aws:iam::" - - !Ref "AWS::AccountId" - - ":root" - Action: "kms:*" - Resource: "*" - - SecretsKMSKeyKMSKeyAlias: - Type: AWS::KMS::Alias - DeletionPolicy: "Retain" - Properties: - AliasName: alias/SecretsKMSKeyAlias - TargetKeyId: !Ref SecretsKMSKey - CAKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: CA private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - CACertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: CA certificate - KmsKeyId: alias/SecretsKMSKeyAlias 
- SecretString: ChangeMe - - ClientKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Client private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Client cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxKeySecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Client sandbox private key - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - ClientSandboxCertSecret: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Client sandbox cert - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePrivateKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Private key for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePublicCertificate: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: Public certificate for spine mutual TLS - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineASID: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: ASID for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpinePartyKey: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: PartyKey for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - - SpineCAChain: - DependsOn: SecretsKMSKeyKMSKeyAlias - Type: 
AWS::SecretsManager::Secret - DeletionPolicy: "Retain" - Properties: - Description: CA chain for spine - KmsKeyId: alias/SecretsKMSKeyAlias - SecretString: ChangeMe - -Outputs: - ArtifactsBucket: - Description: ARN of the Artifacts bucket - Value: !GetAtt ArtifactsBucket.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "ArtifactsBucket"]] - TrustStoreBucket: - Description: ARN of the Truststore bucket - Value: !GetAtt TrustStoreBucket.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "TrustStoreBucket"]] - CAKeySecret: - Description: ARN of the CA key secret - Value: !GetAtt CAKeySecret.Id - CACertSecret: - Description: ARN of the CA cert secret - Value: !GetAtt CACertSecret.Id - ClientKeySecret: - Description: ARN of the client key secret - Value: !GetAtt ClientKeySecret.Id - ClientCertSecret: - Description: ARN of the client cert secret - Value: !GetAtt ClientCertSecret.Id - ClientSandboxKeySecret: - Description: ARN of the client key secret for sandbox - Value: !GetAtt ClientSandboxKeySecret.Id - ClientSandboxCertSecret: - Description: ARN of the client cert secret for sandbox - Value: !GetAtt ClientSandboxCertSecret.Id - SpinePrivateKey: - Description: ARN of the private key for spine mutual TLS - Value: !GetAtt SpinePrivateKey.Id - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePrivateKey"]] - SpinePublicCertificate: - Description: ARN of the public certificate for spine mutual TLS - Value: !GetAtt SpinePublicCertificate.Id - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePublicCertificate"]] - SpineASID: - Description: ASID for spine - Value: !GetAtt SpineASID.Id - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineASID"]] - SpinePartyKey: - Description: PartyKey for spine - Value: !GetAtt SpinePartyKey.Id - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpinePartyKey"]] - SecretsKMSKey: - Description: SecretsKMSKey - Value: !GetAtt SecretsKMSKey.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", 
"SecretsKMSKey"]] - SpineCAChain: - Description: SpineCAChain - Value: !GetAtt SpineCAChain.Id - Export: - Name: !Join [":", [!Ref "AWS::StackName", "SpineCAChain"]] - AuditLoggingBucket: - Description: ARN of the audit logging bucket - Value: !GetAtt AuditLoggingBucket.Arn - Export: - Name: !Join [":", [!Ref "AWS::StackName", "AuditLoggingBucket"]] - SplunkDeliveryStreamBackupBucketRole: - Description: The splunk delivery stream role - Value: !Ref SplunkDeliveryStreamBackupBucketRole - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRole"], - ] - SplunkDeliveryStreamBackupBucketRoleArn: - Description: The splunk delivery stream role - Value: !GetAtt SplunkDeliveryStreamBackupBucketRole.Arn - Export: - Name: - !Join [ - ":", - [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucketRoleArn"], - ] - SplunkDeliveryStreamBackupBucket: - Description: ARN of the splunk delivery stream backup bucket - Value: !GetAtt SplunkDeliveryStreamBackupBucket.Arn - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupBucket"]] - SplunkDeliveryStreamBackupKMSKey: - Description: SplunkDeliveryStreamBackupKMSKey - Value: !GetAtt SplunkDeliveryStreamBackupKMSKey.Arn - Export: - Name: - !Join [":", [!Ref "AWS::StackName", "SplunkDeliveryStreamBackupKMSKey"]]
diff --git a/cloudformation/resources_to_import_dev.txt b/cloudformation/resources_to_import_dev.txt
deleted file mode 100644
index 4fc10e4ff..000000000
--- a/cloudformation/resources_to_import_dev.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-[
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "ArtifactsBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "91f11a0a-255d-4f25-9d5d-e2711d3c4b20"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "ArtifactsBucketKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/ArtifactsBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "ArtifactsBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-artifactsbucket-8tfokumg8i3z"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "TrustStoreBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "86bc22d8-391d-4597-b606-e366d1d4f069"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "TrustStoreBucketKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/TrustStoreBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "TrustStoreBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-truststorebucket-1emm0xo65wil5"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "AuditLoggingBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-auditloggingbucket-qinzx9hzgs2j"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKey",
- "ResourceIdentifier": {
- "KeyId": "01c6d877-d492-4000-8145-1cb0b626565a"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SplunkDeliveryStreamBackupKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-splunkdeliverystreambackupbucket-moadbtfdist3"
- }
- },
- {
- "ResourceType": "AWS::IAM::Role",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucketRole",
- "ResourceIdentifier": {
- "RoleName": "ci-resources-SplunkDeliveryStreamBackupBucketRole-16K41IGY3PBER"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SecretsKMSKey",
- "ResourceIdentifier": {
- "KeyId": "2bd1ac53-f6a5-4d95-9553-764c0cbe5b0f"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SecretsKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SecretsKMSKeyAlias"
- }
- }
-]
diff --git a/cloudformation/resources_to_import_int.json b/cloudformation/resources_to_import_int.json
deleted file mode 100644
index 46d4ecd9f..000000000
--- a/cloudformation/resources_to_import_int.json
+++ /dev/null
@@ -1,93 +0,0 @@
-[
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "ArtifactsBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "15b9207c-bc32-4d5d-9910-628baf3deeef"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "ArtifactsBucketKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/ArtifactsBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "ArtifactsBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-artifactsbucket-4687sfjwdxcw"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "TrustStoreBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "9f53466d-e5d2-4d9e-938d-786db0a703c4"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "TrustStoreBucketKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/TrustStoreBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "TrustStoreBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-truststorebucket-lz9g6bkko6tj"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "AuditLoggingBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-auditloggingbucket-1fuls8ilhv5wc"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKey",
- "ResourceIdentifier": {
- "KeyId": "5750eeaa-de6d-47aa-aeb1-a8302c4fb198"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SplunkDeliveryStreamBackupKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-splunkdeliverystreambackupbucket-tktdzdskuzex"
- }
- },
- {
- "ResourceType": "AWS::IAM::Role",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucketRole",
- "ResourceIdentifier": {
- "RoleName": "ci-resources-SplunkDeliveryStreamBackupBucketRole-B5P28150Z82"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SecretsKMSKey",
- "ResourceIdentifier": {
- "KeyId": "2056234e-6476-4e18-a166-9f43bca567d7"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SecretsKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SecretsKMSKeyAlias"
- }
- }
-]
diff --git a/cloudformation/resources_to_import_prod.json b/cloudformation/resources_to_import_prod.json
deleted file mode 100644
index ed903286e..000000000
--- a/cloudformation/resources_to_import_prod.json
+++ /dev/null
@@ -1,93 +0,0 @@
-[
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "ArtifactsBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "0175b61d-311c-41e1-a0cc-1b98aaa6fd5b"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "ArtifactsBucketKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/ArtifactsBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "ArtifactsBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-artifactsbucket-1q5cgjvlusl0g"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "TrustStoreBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "aa7183fd-8726-4474-88fa-2dac545b6c9c"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "TrustStoreBucketKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/TrustStoreBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "TrustStoreBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-truststorebucket-12enzhmcfaene"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "AuditLoggingBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-auditloggingbucket-xdzoeka33g"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKey",
- "ResourceIdentifier": {
- "KeyId": "39fd1f88-44d4-4f37-bb3c-16317e66c872"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SplunkDeliveryStreamBackupKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-splunkdeliverystreambackupbucket-eqcc8r050a1o"
- }
- },
- {
- "ResourceType": "AWS::IAM::Role",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucketRole",
- "ResourceIdentifier": {
- "RoleName": "ci-resources-SplunkDeliveryStreamBackupBucketRole-1VZ65OCNASVOM"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SecretsKMSKey",
- "ResourceIdentifier": {
- "KeyId": "9c0a42ec-2d75-4249-8557-49762074e0d4"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SecretsKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SecretsKMSKeyAlias"
- }
- }
-]
diff --git a/cloudformation/resources_to_import_qa.json b/cloudformation/resources_to_import_qa.json
deleted file mode 100644
index 24e662526..000000000
--- a/cloudformation/resources_to_import_qa.json
+++ /dev/null
@@ -1,93 +0,0 @@
-[
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "ArtifactsBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "d64a6c3c-08be-4a0b-919b-5714e3796f55"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "ArtifactsBucketKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/ArtifactsBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "ArtifactsBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-artifactsbucket-1qldqrx1rpxbs"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "TrustStoreBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "7ce43a79-1a08-4906-91c1-53fd007cb237"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "TrustStoreBucketKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/TrustStoreBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "TrustStoreBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-truststorebucket-qcoogm3bx7q8"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "AuditLoggingBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-auditloggingbucket-172cr1kpwj6qo"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKey",
- "ResourceIdentifier": {
- "KeyId": "af6414de-0cdc-454a-83eb-c306e2a0e062"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SplunkDeliveryStreamBackupKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-splunkdeliverystreambackupbucket-1dqjc0fc9d9k5"
- }
- },
- {
- "ResourceType": "AWS::IAM::Role",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucketRole",
- "ResourceIdentifier": {
- "RoleName": "ci-resources-SplunkDeliveryStreamBackupBucketRole-QNK1EPLK4VM4"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SecretsKMSKey",
- "ResourceIdentifier": {
- "KeyId": "c74d9e49-030b-4ed9-a882-9336dc54bbea"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SecretsKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SecretsKMSKeyAlias"
- }
- }
-]
diff --git a/cloudformation/resources_to_import_ref.json b/cloudformation/resources_to_import_ref.json
deleted file mode 100644
index 16652ad2f..000000000
--- a/cloudformation/resources_to_import_ref.json
+++ /dev/null
@@ -1,93 +0,0 @@
-[
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "ArtifactsBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "fdcbdae8-40ec-4cc6-a8ce-7a9411a60f8c"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "ArtifactsBucketKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/ArtifactsBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "ArtifactsBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-artifactsbucket-197tpxmwhvin8"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "TrustStoreBucketKMSKey",
- "ResourceIdentifier": {
- "KeyId": "854405c3-bd0a-4952-b558-05ddef46847a"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "TrustStoreBucketKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/TrustStoreBucketKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "TrustStoreBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-truststorebucket-1q9yub6qofamp"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "AuditLoggingBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-auditloggingbucket-t5w9ycwwsqsu"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKey",
- "ResourceIdentifier": {
- "KeyId": "57c62141-7a41-4ce7-afe5-bf1b4addfb82"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SplunkDeliveryStreamBackupKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SplunkDeliveryStreamBackupKMSKeyAlias"
- }
- },
- {
- "ResourceType": "AWS::S3::Bucket",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucket",
- "ResourceIdentifier": {
- "BucketName": "ci-resources-splunkdeliverystreambackupbucket-ef9ngo7tlpsn"
- }
- },
- {
- "ResourceType": "AWS::IAM::Role",
- "LogicalResourceId": "SplunkDeliveryStreamBackupBucketRole",
- "ResourceIdentifier": {
- "RoleName": "ci-resources-SplunkDeliveryStreamBackupBucketRole-R6WEIZKT8DSU"
- }
- },
- {
- "ResourceType": "AWS::KMS::Key",
- "LogicalResourceId": "SecretsKMSKey",
- "ResourceIdentifier": {
- "KeyId": "6a6560b7-186f-4795-9711-a7615f3794de"
- }
- },
- {
- "ResourceType": "AWS::KMS::Alias",
- "LogicalResourceId": "SecretsKMSKeyKMSKeyAlias",
- "ResourceIdentifier": {
- "AliasName": "alias/SecretsKMSKeyAlias"
- }
- }
-]