DPT-910 Add check spreadsheet workflow to data analytics quicksight (#…

…1088) Add new secretsmanager secret for google service account Add kms key to protect secretsmanager secret Add kms and secretsmanager permissions to sync role
govuk-one-login · Feb 12, 2025 · 0f49b66 · 0f49b66
1 parent bd82ead
commit 0f49b66
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/iac/quicksight-access/resources/quicksight-access.yml b/iac/quicksight-access/resources/quicksight-access.yml
@@ -443,3 +443,43 @@ DataAnalyticsQuicksightSyncRole:
                 - quicksight:DescribeUser
                 - quicksight:DeleteUser
               Resource: '*'
+            - Effect: Allow
+              Action: secretsmanager:GetSecretValue
+              Resource: !Ref GoogleCredentialsSecret
+            - Effect: Allow
+              Action:
+                - kms:Decrypt
+                - kms:DescribeKey
+                - kms:GenerateDataKey
+              Resource: !GetAtt QuicksightAccessKmsKey.Arn
+              Condition:
+                StringEquals:
+                  kms:EncryptionContext:SecretARN: !Ref GoogleCredentialsSecret
+
+QuicksightAccessKmsKey:
+  Type: AWS::KMS::Key
+  Condition: IsProduction
+  Properties:
+    EnableKeyRotation: true
+    KeyPolicy:
+      Version: '2012-10-17'
+      Statement:
+        - Effect: Allow
+          Principal:
+            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+          Action: kms:*
+          Resource: '*'
+
+QuicksightAccessKmsKeyAlias:
+  Type: AWS::KMS::Alias
+  Condition: IsProduction
+  Properties:
+    AliasName: !Sub alias/${Environment}-dap-quicksight-access-key
+    TargetKeyId: !Ref QuicksightAccessKmsKey
+
+GoogleCredentialsSecret:
+  Type: AWS::SecretsManager::Secret
+  Condition: IsProduction
+  Properties:
+    Description: Credentials JSON for a service account that can access the Google Sheets API
+    KmsKeyId: !Ref QuicksightAccessKmsKey