GOVSI-680: Provision KMS key and creds for account mgmt app

- Provision a KMS CMK for account management
- Generate a random client ID
- Add client to DynamoDB table with placeholder for public key (workaround until hashicorp/terraform-provider-aws#20595 is resolved)
- Output details so they can be injected into the account management PaaS app

ci/terraform/.terraform-version

@@ -1 +1 @@
-1.0.0
+1.0.4

ci/terraform/aws/account-management-client.tf

@@ -0,0 +1,55 @@
+resource "random_string" "account_management_client_id" {
+  lower   = true
+  upper   = true
+  special = false
+  number  = true
+  length = 32
+}
+
+data "aws_kms_public_key" "account_management_jwt_key" {
+  depends_on = [aws_kms_key.account_management_jwt_key]
+  key_id = aws_kms_key.account_management_jwt_key.arn
+}
+
+resource "aws_dynamodb_table_item" "account_management_client" {
+  table_name = aws_dynamodb_table.client_registry_table.name
+  hash_key   = aws_dynamodb_table.client_registry_table.hash_key
+
+  item     = jsonencode({
+    ClientID = {
+      S = random_string.account_management_client_id.result
+    }
+    ClientName = {
+      S = "${var.environment}-account-managment"
+    }
+    Contacts = {
+      L = []
+    }
+    PostLogoutRedirectUrls = {
+      L = []
+    }
+    RedirectUrls = {
+      L = [
+        {
+          S = "https://account-management.${var.environment}.${var.service_domain_name}/auth/callback"
+        }
+      ]
+    }
+    Scopes = {
+      L = [
+        {
+          S = "openid"
+        },
+        {
+          S = "phone"
+        },
+        {
+          S = "email"
+        },
+      ]
+    }
+    PublicKey = {
+      S = "paste me manually until Terraform provider bug is fixed"
+    }
+  })
+}

ci/terraform/aws/account-management-kms.tf

@@ -0,0 +1,72 @@
+resource "aws_kms_key" "account_management_jwt_key" {
+  description              = "KMS key for Account Management JWT Authentication (${var.environment})"
+  deletion_window_in_days  = 30
+  key_usage                = "SIGN_VERIFY"
+  customer_master_key_spec = "RSA_2048"
+}
+
+resource "aws_kms_alias" "account_management_jwt_alias" {
+  name          = "alias/${var.environment}-account-management-jwt-key-alias"
+  target_key_id = aws_kms_key.account_management_jwt_key.key_id
+}
+
+data "aws_iam_policy_document" "account_management_jwt_kms_policy_document" {
+  count = var.use_localstack ? 0 : 1
+  statement {
+    sid    = "AllowAccessToKmsSigningKey"
+    effect = "Allow"
+
+    actions = [
+      "kms:Sign",
+      "kms:GetPublicKey",
+    ]
+    resources = [
+      aws_kms_key.account_management_jwt_key.arn,
+    ]
+  }
+}
+
+resource "aws_iam_policy" "account_management_jwt_lambda_kms_policy" {
+  count       = var.use_localstack ? 0 : 1
+  name        = "${var.environment}-account-managment-jwt-kms-policy"
+  path        = "/"
+  description = "IAM policy for managing KMS connection for account management application"
+
+  policy = data.aws_iam_policy_document.account_management_jwt_kms_policy_document[0].json
+}
+
+resource "aws_iam_user" "account_management_app" {
+  name = "${var.environment}-account-managment-application"
+}
+
+resource "aws_iam_access_key" "account_management_app_access_keys" {
+  user = aws_iam_user.account_management_app.name
+}
+
+data "aws_iam_policy_document" "account_management_app_role_assume_policy" {
+  version = "2012-10-17"
+
+  statement {
+    effect = "Allow"
+    principals {
+      identifiers = [
+        aws_iam_user.account_management_app.arn
+      ]
+      type = "AWS"
+    }
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+  }
+}
+
+resource "aws_iam_role" "account_management_app_role" {
+  assume_role_policy = data.aws_iam_policy_document.account_management_app_role_assume_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "account_management_app_kms" {
+  count      = var.use_localstack ? 0 : 1
+  role       = aws_iam_role.account_management_app_role.name
+  policy_arn = aws_iam_policy.account_management_jwt_lambda_kms_policy[0].arn
+}

ci/terraform/aws/outputs.tf

@@ -14,4 +14,16 @@ output "stub_rp_client_credentials" {
     public_key  = tls_private_key.stub_rp_client_private_key[i].public_key_pem
   }]
   sensitive = true
-}
+}
+
+output "account_management_client_details" {
+  value = {
+    client_id             = random_string.account_management_client_id.result
+    client_name           = "${var.environment}-account-managment"
+    AWS_ACCESS_KEY_ID     = aws_iam_access_key.account_management_app_access_keys.id
+    AWS_SECRET_ACCESS_KEY = aws_iam_access_key.account_management_app_access_keys.id
+    AWS_REGION            = var.aws_region
+    KMS_KEY_ID            = aws_kms_key.account_management_jwt_key.id
+    KMS_KEY_ALIAS         = aws_kms_alias.account_management_jwt_alias.name
+  }
+}

ci/terraform/aws/site.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.0.4"
 
   required_providers {
     aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.45.0"
+      source = "hashicorp/aws"
+      version = ">= 3.54.0"
     }
     time = {
       source  = "hashicorp/time"
@@ -14,14 +14,18 @@ terraform {
       source  = "hashicorp/random"
       version = ">= 3.1.0"
     }
+    cloudfoundry = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "0.14.2"
+    }
   }
 
   backend "s3" {
   }
 }
 
 provider "aws" {
-  region = "eu-west-2"
+  region = var.aws_region
 
   assume_role {
     role_arn = var.deployer_role_arn
@@ -47,4 +51,4 @@ provider "aws" {
     kms         = var.aws_endpoint
     dynamodb    = var.aws_dynamodb_endpoint
   }
-}
+}

ci/terraform/aws/variables.tf

@@ -112,3 +112,7 @@ variable "stub_rp_clients" {
   type        = list(object({ client_name : string, callback_urls : list(string), logout_urls : list(string) }))
   description = "The details of RP clients to provision in the Client table"
 }
+
+variable "aws_region" {
+  default = "eu-west-2"
+}