Merge pull request #15 from ONS-Innovation/credential-refactor-and-key-rotation

hadiqur · web-flow · commit 858bae58e107 · 2026-03-03T13:46:04.000Z
KEH 1706 &amp; 1708: Credential Refactor and Key Rotation
diff --git a/checkov.yml b/checkov.yml
@@ -0,0 +1,4 @@
+skip-check:
+  - CKV_AWS_273 # IAM user required for local development
+  - CKV_AWS_149 # AWS-managed key encryption is sufficient and CMK not required for this service
+  - CKV2_AWS_57 # Key rotation is already provisioned by external module
diff --git a/terraform/batch/main.tf b/terraform/batch/main.tf
@@ -70,3 +70,46 @@ resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
   role       = split("/", module.batch_eventbridge.batch_job_role_arn)[1]
   policy_arn = aws_iam_policy.s3_access.arn
 }
+
+# IAM User Group
+resource "aws_iam_group" "group" {
+  name = "${var.domain}-${var.service_subdomain}-user-group"
+  path = "/"
+}
+
+# Attach S3 policy to group
+resource "aws_iam_group_policy_attachment" "group_s3_access_attachment" {
+  group      = aws_iam_group.group.name
+  policy_arn = aws_iam_policy.s3_access.arn
+}
+
+# Attach Secrets Manager policy to group
+resource "aws_iam_group_policy_attachment" "group_secrets_attachment" {
+  group      = aws_iam_group.group.name
+  policy_arn = aws_iam_policy.secrets_access.arn
+}
+
+# IAM User
+resource "aws_iam_user" "user" {
+  name = "${var.domain}-${var.service_subdomain}"
+  path = "/"
+}
+
+# Assign IAM User to group
+resource "aws_iam_user_group_membership" "user_group_attach" {
+  user = aws_iam_user.user.name
+
+  groups = [
+    aws_iam_group.group.name
+  ]
+}
+
+# IAM Key Rotation Module
+module "iam_key_rotation" {
+  source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"
+
+  iam_username          = aws_iam_user.user.name
+  access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
+  secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
+  rotation_in_days      = 90
+}
diff --git a/terraform/batch/secrets.tf b/terraform/batch/secrets.tf
@@ -0,0 +1,15 @@
+# Secrets Manager resources for IAM user access keys
+
+resource "aws_secretsmanager_secret" "access_key" {
+  name        = "${var.domain}-${var.service_subdomain}-access-key"
+  description = "Access Key ID for github statistics scraper IAM user"
+  recovery_window_in_days        = 0    // Secret will be deleted immediately
+  force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
+}
+
+resource "aws_secretsmanager_secret" "secret_key" {
+  name        = "${var.domain}-${var.service_subdomain}-secret-key"
+  description = "Secret Access Key for github stastics scraper IAM user"
+  recovery_window_in_days        = 0    // Secret will be deleted immediately
+  force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
+}
