ATO-554: Add spot request queue cross account access

govuk-one-login · Apr 26, 2024 · 3830a7e · 3830a7e
1 parent fdf1bc3
commit 3830a7e
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 6 deletions.
diff --git a/ci/terraform/oidc/sandpit.tfvars b/ci/terraform/oidc/sandpit.tfvars
@@ -65,5 +65,6 @@ orch_account_id                                  = "816047645251"
 back_channel_logout_cross_account_access_enabled = true
 kms_cross_account_access_enabled                 = true
 cmk_for_back_channel_logout_enabled              = true
+spot_request_queue_cross_account_access_enabled  = true
 
 oidc_origin_domain_enabled = true
diff --git a/ci/terraform/oidc/spot-sqs.tf b/ci/terraform/oidc/spot-sqs.tf
@@ -27,6 +27,48 @@ resource "aws_sqs_queue" "spot_request_dead_letter_queue" {
   tags = local.default_tags
 }
 
+data "aws_iam_policy_document" "cross_account_spot_request_queue_policy_document" {
+  statement {
+    sid    = "AllowSpotAccountToReceive"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${aws_ssm_parameter.spot_account_number.value}:root"]
+    }
+
+    actions = [
+      "sqs:ReceiveMessage",
+      "sqs:ChangeMessageVisibility",
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+    ]
+
+    resources = [
+      aws_sqs_queue.spot_request_queue.arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowOrchAccountSendSQS-${var.environment}"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.orch_account_id}:root"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ChangeMessageVisibility",
+      "sqs:GetQueueAttributes",
+    ]
+    resources = [
+      aws_sqs_queue.spot_request_queue.arn
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "spot_request_queue_policy_document" {
   statement {
     sid    = "AllowSpotAccountToReceive"
@@ -51,12 +93,8 @@ data "aws_iam_policy_document" "spot_request_queue_policy_document" {
 }
 
 resource "aws_sqs_queue_policy" "spot_request_queue_policy" {
-  depends_on = [
-    data.aws_iam_policy_document.spot_request_queue_policy_document,
-  ]
-
   queue_url = aws_sqs_queue.spot_request_queue.id
-  policy    = data.aws_iam_policy_document.spot_request_queue_policy_document.json
+  policy    = var.spot_request_queue_cross_account_access_enabled ? data.aws_iam_policy_document.cross_account_spot_request_queue_policy_document.json : data.aws_iam_policy_document.spot_request_queue_policy_document.json
 }
 
 data "aws_iam_policy_document" "spot_request_dlq_queue_policy_document" {
@@ -119,10 +157,56 @@ data "aws_iam_policy_document" "spot_request_kms_key_policy" {
   }
 }
 
+data "aws_iam_policy_document" "cross_account_spot_request_kms_key_policy" {
+  policy_id = "cross-account-key-policy-ssm"
+
+  statement {
+    sid = "Enable IAM User Permissions for root user"
+    actions = [
+      "kms:*",
+    ]
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "Give SPOT permissions to SQS KMS key"
+    actions = [
+      "kms:Decrypt",
+    ]
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${aws_ssm_parameter.spot_account_number.value}:root"]
+    }
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowOrchAccessToSpotRequestQueueEncryptionKey-${var.environment}"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.orch_account_id}:root"]
+    }
+  }
+}
+
 resource "aws_kms_key" "spot_request_sqs_key" {
   description             = "KMS key for SPOT request SQS queue encryption"
   deletion_window_in_days = 30
-  policy                  = data.aws_iam_policy_document.spot_request_kms_key_policy.json
+  policy                  = var.spot_request_queue_cross_account_access_enabled ? data.aws_iam_policy_document.cross_account_spot_request_kms_key_policy.json : data.aws_iam_policy_document.spot_request_kms_key_policy.json
 
   customer_master_key_spec = "SYMMETRIC_DEFAULT"
   key_usage                = "ENCRYPT_DECRYPT"

diff --git a/ci/terraform/oidc/variables.tf b/ci/terraform/oidc/variables.tf
@@ -605,6 +605,12 @@ variable "oidc_origin_domain_enabled" {
   description = "Feature flag to control the creation of DNS records for the origin.oidc domain"
 }
 
+variable "spot_request_queue_cross_account_access_enabled" {
+  default     = false
+  type        = bool
+  description = "Whether the service should allow cross-account access by orchestration to the SPoT request queue"
+}
+
 variable "txma_audit_encoded_enabled" {
   default     = false
   type        = bool