feat: DBTP-1738 Attach secret rotation lambda to correct VPC to ensure rotation tests pass

application-load-balancer/main.tf

@@ -1,3 +1,7 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
 data "aws_ssm_parameter" "slack_token" {
   name = "/codebuild/slack_oauth_token"
 }
@@ -16,6 +20,17 @@ data "aws_subnets" "public-subnets" {
   }
 }
 
+data "aws_subnets" "private-subnets" {
+  filter {
+    name   = "tag:Name"
+    values = ["${var.vpc_name}-private-*"]
+  }
+}
+
+data "aws_security_group" "vpc_base_sg" {
+  name = "${data.aws_vpc.vpc.tags["Name"]}-base-sg"
+}
+
 resource "aws_lb" "this" {
   # checkov:skip=CKV2_AWS_20: Redirects for HTTP requests into HTTPS happens on the CDN
   # checkov:skip=CKV2_AWS_28: WAF is outside of terraform-platform-modules
@@ -173,7 +188,13 @@ output "alb-arn" {
 
 
 ## This section configures WAF on ALB to attach security token.
-data "aws_caller_identity" "current" {}
+
+# Random password for the secret value
+resource "random_password" "origin-secret" {
+  length           = 32
+  special          = false
+  override_special = "_%@"
+}
 
 resource "aws_wafv2_web_acl" "waf-acl" {
   # checkov:skip=CKV2_AWS_31: Ensure WAF2 has a Logging Configuration to be done new ticket
@@ -339,15 +360,41 @@ data "aws_iam_policy_document" "origin_verify_rotate_policy" {
       aws_kms_key.origin_verify_secret_key[""].arn
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:AttachNetworkInterface",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeSecurityGroups"
+    ]
+
+    resources = [
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*",
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*",
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/${data.aws_security_group.vpc_base_sg.id}",
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/${aws_security_group.alb-security-group["http"].id}",
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/*"
+    ]
+  }
 }
 
+
 resource "aws_iam_role_policy" "origin_secret_rotate_policy" {
   for_each = toset(local.cdn_enabled ? [""] : [])
   name     = "OriginVerifyRotatePolicy"
   role     = aws_iam_role.origin-secret-rotate-execution-role[""].name
   policy   = data.aws_iam_policy_document.origin_verify_rotate_policy[""].json
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
+  role       = aws_iam_role.origin-secret-rotate-execution-role[""].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
 
 # This file needs to exist, but it's not directly used in the Terraform so...
 # tflint-ignore: terraform_unused_declarations
@@ -366,7 +413,6 @@ data "archive_file" "lambda" {
   ]
 }
 
-
 # Secrets Manager Rotation Lambda Function
 resource "aws_lambda_function" "origin-secret-rotate-function" {
   # Precedence in the Postgres Lambda to skip first 2 checks
@@ -408,7 +454,13 @@ resource "aws_lambda_function" "origin-secret-rotate-function" {
 
   layers           = ["arn:aws:lambda:eu-west-2:763451185160:layer:python-requests:1"]
   source_code_hash = data.archive_file.lambda.output_base64sha256
-  tags             = local.tags
+
+  vpc_config {
+    security_group_ids = [aws_security_group.alb-security-group["http"].id, data.aws_security_group.vpc_base_sg.id]
+    subnet_ids         = tolist(data.aws_subnets.private-subnets.ids)
+  }
+
+  tags = local.tags
 }
 
 # Lambda Permission for Secrets Manager Rotation

application-load-balancer/tests/unit.tftest.hcl

@@ -27,6 +27,7 @@ override_data {
   values = {
     id         = "vpc-00112233aabbccdef"
     cidr_block = "10.0.0.0/16"
+    tags       = { "Name" : "vpc-name" }
   }
 }
 override_data {
@@ -35,6 +36,14 @@ override_data {
     ids = ["subnet-000111222aaabbb01"]
   }
 }
+
+override_data {
+  target = data.aws_subnets.private-subnets
+  values = {
+    ids = ["subnet-aaa111", "subnet-bbb222"]
+  }
+}
+
 override_data {
   target = data.aws_route53_zone.domain-root
   values = {
@@ -56,6 +65,12 @@ override_data {
     json = "{\"Sid\": \"LambdaExecutionRolePolicy\"}"
   }
 }
+override_data {
+  target = data.aws_security_group.vpc_base_sg
+  values = {
+    id = "!abcd5f"
+  }
+}
 
 
 variables {
@@ -500,7 +515,41 @@ run "waf_and_rotate_lambda" {
   }
 
   assert {
-    condition     = aws_lambda_permission.rotate-function-invoke-permission[""].statement_id == "AllowSecretsManagerInvocation"
+    condition     = aws_lambda_function.origin-secret-rotate-function.environment[0].variables.WAF_SLEEP_DURATION == "75"
+    error_message = "WAF_SLEEP_DURATION should be 75"
+  }
+
+  assert {
+    condition     = contains(aws_lambda_function.origin-secret-rotate-function.vpc_config[0].security_group_ids, data.aws_security_group.vpc_base_sg.id)
+    error_message = "Security group should include VPC base security group"
+  }
+
+  # Requires executing run block with 'apply' to evaluate despite configuring with an override block
+  #  assert {
+  #   condition     = contains(aws_lambda_function.origin-secret-rotate-function.vpc_config[0].security_group_ids, aws_security_group.alb-security-group["http"].id)
+  #   error_message = "Security group should include ALB HTTP security group"
+  # }
+
+  assert {
+    condition     = length(aws_lambda_function.origin-secret-rotate-function.vpc_config[0].subnet_ids) == 2
+    error_message = "Lambda function should be associated with 2 subnets"
+  }
+
+  assert {
+    condition     = contains(aws_lambda_function.origin-secret-rotate-function.vpc_config[0].subnet_ids, "subnet-aaa111")
+    error_message = "Lambda function should be in subnet-aaa111"
+  }
+
+  assert {
+    condition     = contains(aws_lambda_function.origin-secret-rotate-function.vpc_config[0].subnet_ids, "subnet-bbb222")
+    error_message = "Lambda function should be in subnet-bbb222"
+  }
+
+
+  # ---- End of testing LAMBDA FUNCTION -----
+
+  assert {
+    condition     = aws_lambda_permission.rotate-function-invoke-permission.statement_id == "AllowSecretsManagerInvocation"
     error_message = "Invalid statement_id for aws_lambda_permission.rotate-function-invoke-permission"
   }
 
@@ -519,6 +568,8 @@ run "waf_and_rotate_lambda" {
     error_message = "Invalid principal for aws_lambda_permission.rotate-function-invoke-permission"
   }
 
+  # ---- End of testing LAMBDA PERMISSIONS -----
+
   assert {
     condition     = aws_iam_role.origin-secret-rotate-execution-role[""].name == "${var.application}-${var.environment}-origin-secret-rotate-role"
     error_message = "Invalid name for aws_iam_role.origin-secret-rotate-execution-role"
@@ -529,7 +580,172 @@ run "waf_and_rotate_lambda" {
     error_message = "Invalid assume_role_policy for aws_iam_role.origin-secret-rotate-execution-role"
   }
 
-  # Cannot assert against the arn in a plan. Requires an apply to evaluate.
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[0].effect == "Allow"
+    error_message = "First statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[0].actions == toset(["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"])
+    error_message = "First statement actions incorrect"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[0].resources) == "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*origin-secret-rotate*"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[1].effect == "Allow"
+    error_message = "Second statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[1].actions == toset(["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage"])
+    error_message = "Second statement actions incorrect"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[1].resources) == "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:${var.application}-${var.environment}-origin-verify-header-secret-*"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[2].effect == "Allow"
+    error_message = "Third statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[2].actions == toset(["secretsmanager:GetRandomPassword"])
+    error_message = "Third statement action should be: secretsmanager:GetRandomPassword"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[2].resources) == "*"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[3].effect == "Allow"
+    error_message = "Fourth statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[3].actions == toset(["cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudfront:UpdateDistribution"])
+    error_message = "Fourth statement actions incorrect"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[3].resources) == "arn:aws:cloudfront::${var.dns_account_id}:distribution/*"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[4].effect == "Allow"
+    error_message = "Fifth statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[4].actions == toset(["wafv2:*"])
+    error_message = "Fifth statement action should be: wafv2:*"
+  }
+
+  # Requires executing run block with 'apply' to evaluate
+  # assert {
+  #   condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[4].resources) == aws_wafv2_web_acl.waf-acl.arn
+  #   error_message = "Unexpected resources"
+  # }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[5].effect == "Allow"
+    error_message = "Sixth statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[5].actions == toset(["wafv2:UpdateWebACL"])
+    error_message = "Sixth statement action should be: wafv2:UpdateWebACL"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[5].resources) == "arn:aws:wafv2:eu-west-2:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*/*"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[6].effect == "Allow"
+    error_message = "Seventh statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[6].actions == toset(["sts:AssumeRole"])
+    error_message = "Seventh statement action should be: sts:AssumeRole"
+  }
+
+  assert {
+    condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[6].resources) == "arn:aws:iam::${var.dns_account_id}:role/dbt_platform_cloudfront_token_rotation"
+    error_message = "Unexpected resources"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[7].effect == "Allow"
+    error_message = "Eighth statement effect should be: Allow"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[7].actions == toset(["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey"])
+    error_message = "Eighth statement actions incorrect"
+  }
+
+  # Requires executing run block with 'apply' to evaluate
+  # assert {
+  #   condition     = one(data.aws_iam_policy_document.origin_verify_rotate_policy.statement[7].resources) ==  aws_kms_key.origin_verify_secret_key.arn
+  #   error_message = "Unexpected resources"
+  # }
+
+  assert {
+    condition     = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].effect == "Allow"
+    error_message = "Ninth statement effect should be: Allow"
+  }
+
+  assert {
+    condition = data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].actions == toset([
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:AttachNetworkInterface",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeSecurityGroups"
+    ])
+    error_message = "Ninth statement actions incorrect"
+  }
+
+  # Requires executing run block with 'apply' to evaluate "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/${aws_security_group.alb-security-group["http"].id}
+  assert {
+    condition = alltrue(
+      [
+        contains(
+          data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].resources,
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+        ),
+        contains(
+          data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].resources,
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"
+        ),
+        contains(
+          data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].resources,
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/${data.aws_security_group.vpc_base_sg.id}"
+        ),
+        contains(
+          data.aws_iam_policy_document.origin_verify_rotate_policy.statement[8].resources,
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/*"
+        )
+      ]
+    )
+    error_message = "Missing expected resources in IAM policy"
+  }
+
+  #  ---- End of testing LAMBDA DATA POLICY PERMISSIONS -----
 
   assert {
     condition     = aws_secretsmanager_secret_rotation.origin-verify-rotate-schedule[""].rotation_rules[0].automatically_after_days == 7

vpc/main.tf

@@ -118,7 +118,13 @@ resource "aws_ssm_parameter" "combined_nat_gateway_eips" {
   name  = "/${var.arg_name}/EGRESS_IPS"
   type  = "String"
   value = join(",", local.nat_gateway_eips)
-  tags  = local.tags
+  tags = merge(
+    local.tags,
+    {
+      "copilot-application" = "__all__"
+    }
+  )
+
 }