From bfe53b5fc2939f6cbed08b165055907c59befa26 Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 09:04:33 +0000
Subject: [PATCH 1/4] feat: iam user and key rotation
---
 terraform/batch/main.tf | 43 ++++++++++++++++++++++++++++++++++++++
 terraform/batch/secrets.tf | 11 ++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 terraform/batch/secrets.tf
diff --git a/terraform/batch/main.tf b/terraform/batch/main.tf
index d9682a3..bcd464c 100644
--- a/terraform/batch/main.tf
+++ b/terraform/batch/main.tf
@@ -70,3 +70,46 @@ resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
 role = split("/", module.batch_eventbridge.batch_job_role_arn)[1]
 policy_arn = aws_iam_policy.s3_access.arn
 }
+
+# IAM User Group
+resource "aws_iam_group" "group" {
+ name = "${var.domain}-${var.service_subdomain}-group"
+ path = "/"
+}
+
+# Attach S3 policy to group
+resource "aws_iam_group_policy_attachment" "group_s3_access_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.s3_access.arn
+}
+
+# Attach Secrets Manager policy to group
+resource "aws_iam_group_policy_attachment" "group_secrets_attachment" {
+ group = aws_iam_group.group.name
+ policy_arn = aws_iam_policy.secrets_access.arn
+}
+
+# IAM User
+resource "aws_iam_user" "user" {
+ name = "${var.domain}-${var.service_subdomain}"
+ path = "/"
+}
+
+# Assign IAM User to group
+resource "aws_iam_user_group_membership" "user_group_attach" {
+ user = aws_iam_user.user.name
+
+ groups = [
+ aws_iam_group.group.name
+ ]
+}
+
+# IAM Key Rotation Module
+module "iam_key_rotation" {
+ source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"
+
+ iam_username = aws_iam_user.user.name
+ access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
+ secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
+ rotation_in_days = 90
+}
diff --git a/terraform/batch/secrets.tf b/terraform/batch/secrets.tf
new file mode 100644
index 0000000..0c7d201
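Review bot: The key-rotation module at the end of the hunk is pinned by tag, `?ref=v0.1.0`, and git tags are mutable, so an upstream change to that tag would be pulled in silently on the next `terraform init` by code that is handed the IAM username and the ARNs of the secrets holding its keys; pinning to the tag's commit SHA (`?ref=<40-hex sha>`) gives an immutable reference. Separately, the new group is attached both `aws_iam_policy.s3_access` and `aws_iam_policy.secrets_access`; the latter is defined outside this hunk so I cannot see its scope, but since this user will carry long-lived static keys it is worth confirming it needs more than read access to its own two secrets. A comment on the group such as `# Mirrors the batch job role's S3 access for local development; keep in step with s3_policy_attachment above` would record why an IAM user, rather than an assumable role, is created here (the later checkov.yml patch gives "local development" as the reason).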
--- /dev/null
+++ b/terraform/batch/secrets.tf
@@ -0,0 +1,11 @@
+# Secrets Manager resources for IAM user access keys
+
+resource "aws_secretsmanager_secret" "access_key" {
+ name = "${var.domain}-${var.service_subdomain}-access-key"
+ description = "Access Key ID for github statistics scraper IAM user"
+}
+
+resource "aws_secretsmanager_secret" "secret_key" {
+ name = "${var.domain}-${var.service_subdomain}-secret-key"
+ description = "Secret Access Key for github stastics scraper IAM user"
+}
From e78c5d64b389514b072f61315500bb01d0e6f82c Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 11:17:45 +0000
Subject: [PATCH 2/4] update: change name of iam group
---
 terraform/batch/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/batch/main.tf b/terraform/batch/main.tf
index bcd464c..e05a606 100644
--- a/terraform/batch/main.tf
+++ b/terraform/batch/main.tf
@@ -73,7 +73,7 @@ resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
 # IAM User Group
 resource "aws_iam_group" "group" {
- name = "${var.domain}-${var.service_subdomain}-group"
+ name = "${var.domain}-${var.service_subdomain}-user-group"
 path = "/"
 }
From 00df091762330db50896ab67b1618c80488819c0 Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Mon, 23 Feb 2026 12:52:36 +0000
Subject: [PATCH 3/4] update: set recov window to 0 for secret deletion
---
 terraform/batch/secrets.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/batch/secrets.tf b/terraform/batch/secrets.tf
index 0c7d201..0e5f109 100644
--- a/terraform/batch/secrets.tf
+++ b/terraform/batch/secrets.tf
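Review bot: The `description` on the `secret_key` resource has a typo, `stastics`, which will show in the console and in `describe-secret` output; it should read `description = "Secret Access Key for github statistics scraper IAM user"` to match the sibling resource. Neither secret gets an `aws_secretsmanager_secret_version`, so as written both are created with no value and are presumably populated by the rotation module wired up in main.tf; a header comment stating that, e.g. `# Values are written by the iam_key_rotation module; no secret version is managed in Terraform`, would stop a maintainer adding a version resource that then conflicts with the module's writes. Both secrets fall back to the AWS-managed Secrets Manager key (no `kms_key_id`), which the checkov suppression in a later patch accepts explicitly, so that choice should be stated here rather than only in the suppression file.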
@@ -3,9 +3,13 @@
 resource "aws_secretsmanager_secret" "access_key" {
 name = "${var.domain}-${var.service_subdomain}-access-key"
 description = "Access Key ID for github statistics scraper IAM user"
+ recovery_window_in_days = 0 // Secret will be deleted immediately
+ force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
 }
 resource "aws_secretsmanager_secret" "secret_key" {
 name = "${var.domain}-${var.service_subdomain}-secret-key"
 description = "Secret Access Key for github stastics scraper IAM user"
+ recovery_window_in_days = 0 // Secret will be deleted immediately
+ force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
 }
From d0c3192f1d4d2d7f273c43db0cca146a1ae4a552 Mon Sep 17 00:00:00 2001
From: Hadi Qureshi
Date: Thu, 26 Feb 2026 16:05:46 +0000
Subject: [PATCH 4/4] feat: add checkov.yml
---
 checkov.yml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 checkov.yml
diff --git a/checkov.yml b/checkov.yml
new file mode 100644
index 0000000..d2c3004
--- /dev/null
+++ b/checkov.yml
@@ -0,0 +1,4 @@
+skip-check:
+ - CKV_AWS_273 # IAM user required for local development
+ - CKV_AWS_149 # AWS-managed key encryption is sufficient and CMK not required for this service
+ - CKV2_AWS_57 # Key rotation is already provisioned by external module
\ No newline at end of file
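Review bot: `force_overwrite_replica_secret = true` on both resources has no effect as written: it only controls whether an existing secret in a replica region is overwritten when a `replica` block is configured, and neither resource declares one, so the comment `// Allow overwriting the secret in case of changes` describes behaviour the argument does not provide and the line should be dropped or its comment corrected to `// Only applies if a replica block is added; overwrites a pre-existing secret in the replica region`. `recovery_window_in_days = 0` makes deletion immediate and unrecoverable, which is convenient for re-creating a secret under the same name during development, but it also means a `terraform destroy` or a forced replacement discards the currently valid access key pair with no restore path. If that trade-off is intentional, say so in the comment, e.g. `// No recovery window: the secret can be recreated immediately under the same name, but the key pair it held is lost with it`, or expose the window as a variable that is non-zero outside development.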
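Review bot: Checkov auto-discovers its config only from a file named `.checkov.yml` or `.checkov.yaml` (leading dot) in the working directory or home directory, so `checkov.yml` as committed here will be ignored unless every invocation passes `--config-file checkov.yml`; either rename the file or confirm the CI command passes it explicitly. `skip-check` in the config file is repository-wide, so these three suppressions will also silence the checks for any future IAM user or Secrets Manager secret added to this repo, whereas an inline `#checkov:skip=CKV_AWS_273:IAM user required for local development` on the specific resource in main.tf keeps each exception attached to the resource it justifies. The justification for CKV2_AWS_57 is also imprecise: that check looks for Secrets Manager's own rotation configuration on the secret, while what the external module rotates is the IAM access key and then writes the new value, so a comment like `# Rotation is done by the iam_key_rotation module rotating the IAM key, not by a Secrets Manager rotation lambda` makes the suppression auditable. The file is also missing a trailing newline.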