feat: add secret to hold Ingest server root CA certificate data

ministryofjustice · Oct 15, 2024 · cf88dea · cf88dea
1 parent c2ac904
commit cf88dea
Showing 1 changed file with 31 additions and 1 deletion.
diff --git a/terraform/environments/xhibit-portal/xp-secrets.tf b/terraform/environments/xhibit-portal/xp-secrets.tf
@@ -160,4 +160,34 @@ resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
 POLICY
 
   tags = local.tags
-}
+}
+
+resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
+  name        = "${local.environment}/ingest-root-ca-cert"
+  description = "Root CA certificate data for the Ingest service"
+  policy      = <<POLICY
+{
+  "Version" : "2012-10-17",
+  "Statement" : [ {
+    "Sid" : "AdministratorFullAccess",
+    "Effect" : "Allow",
+    "Principal" : {
+      "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
+    },
+    "Action" : "secretsmanager:*",
+    "Resource" : "*"
+  },
+  {
+    "Sid" : "MPDeveloperFullAccess",
+    "Effect" : "Allow",
+    "Principal" : {
+       "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
+    },
+    "Action" : "secretsmanager:*",  
+    "Resource" : "*"
+  } ]
+}
+POLICY
+
+  tags = local.tags
+}