Merge pull request #8526 from ministryofjustice/Update_311024_3

Update_311024_3
ministryofjustice · Oct 31, 2024 · 3eada15 · 3eada15
2 parents 68bac8b + a4aadbb
commit 3eada15
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf
@@ -324,11 +324,11 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_dev" {
         "lambda:InvokeFunction"
       ],
       "Resource": [
-      "arn:aws:ssm:eu-west-2:075585660276:*",
-      "arn:aws:cloudwatch:eu-west-2:075585660276:*",
-      "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript",
-      "arn:aws:lambda:eu-west-2:075585660276:*",
-      "arn:aws:ec2:eu-west-2:075585660276:*"
+      "arn:aws:ssm::${local.environment_management.account_ids["ppud-development"]}:*",
+      "arn:aws:cloudwatch::${local.environment_management.account_ids["ppud-development"]}:*",
+      "arn:aws:ssm::document/AWS-RunPowerShellScript",
+      "arn:aws:lambda::${local.environment_management.account_ids["ppud-development"]}:*",
+      "arn:aws:ec2::${local.environment_management.account_ids["ppud-development"]}:*"
       ]
    },
    {
@@ -343,8 +343,8 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_dev" {
       "sqs:SendMessage"
       ],
     "Resource": [
-      "arn:aws:sqs:eu-west-2:075585660276:Lambda-Queue-DEV",
-      "arn:aws:sqs:eu-west-2:075585660276:Lambda-Deadletter-Queue-DEV"
+      "arn:aws:sqs::${local.environment_management.account_ids["ppud-development"]}:Lambda-Queue-DEV",
+      "arn:aws:sqs::${local.environment_management.account_ids["ppud-development"]}:Lambda-Deadletter-Queue-DEV"
     ]
    }
  ]

diff --git a/terraform/environments/ppud/secrets.tf b/terraform/environments/ppud/secrets.tf
@@ -1,3 +1,6 @@
+#####################
+# AWS Secrets Manager
+#####################
 
 # Firstly create a random generated password to use in secrets.
 
@@ -12,6 +15,8 @@ resource "random_password" "password" {
 # Creating a AWS secret versions for AWS managed AD
 
 resource "aws_secretsmanager_secret" "secretdirectoryservice" {
+  # checkov:skip=CKV_AWS_149: "Secrets manager secrets are encrypted by an AWS managed key by default, a customer managed key is not required."
+  # checkov:skip=CKV2_AWS_57: "Secrets manager uses an AWS managed key which is automatically rotated every 365 days."
   name                    = "AWSADPASS"
   recovery_window_in_days = 0
 }