From 68e48d12a098bfcde5705472290a176888d213f2 Mon Sep 17 00:00:00 2001
From: Stephen Daly
Date: Thu, 30 Apr 2026 12:41:42 +0100
Subject: [PATCH 1/2] Add secrets for One Login used by forms-runner
---
 infra/modules/forms-runner/main.tf | 8 ++++++
 infra/modules/forms-runner/parameters.tf | 34 ++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/infra/modules/forms-runner/main.tf b/infra/modules/forms-runner/main.tf
index e82964ce8..9e8812318 100644
--- a/infra/modules/forms-runner/main.tf
+++ b/infra/modules/forms-runner/main.tf
@@ -250,6 +250,14 @@ module "ecs_service" {
 {
 name = "SETTINGS__SUBMISSION_STATUS_API__SECRET"
 valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/submission_status_api_shared_secret"
+ },
+ {
+ name = "SETTINGS__GOVUK_ONE_LOGIN__CLIENT_ID"
+ valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/govuk_one_login/client_id"
+ },
+ {
+ name = "SETTINGS__GOVUK_ONE_LOGIN__PRIVATE_KEY"
+ valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/govuk_one_login/private_key"
 }
 ]
 }
diff --git a/infra/modules/forms-runner/parameters.tf b/infra/modules/forms-runner/parameters.tf
index b3a71261c..d2c6eb7dc 100644
--- a/infra/modules/forms-runner/parameters.tf
+++ b/infra/modules/forms-runner/parameters.tf
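Review bot: The two new `valueFrom` entries point at SSM parameters under a new `govuk_one_login/` sub-path, but nothing in this patch extends the policy that lets the ECS task execution role read them; if that policy enumerates parameter ARNs rather than a path prefix (it is not in the hunk), `ssm:GetParameters` and `kms:Decrypt` for the new paths will be missing and task start will fail when the secrets are resolved. The existing entry uses a flat name (`submission_status_api_shared_secret`) while the new ones introduce a sub-path, a naming departure worth either aligning or explaining in a comment, e.g. `# One Login credentials are grouped under a govuk_one_login/ sub-path; grant the execution role read access to that prefix`. The `module "ecs_service"` block starts and ends outside the hunk.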
@@ -47,3 +47,37 @@ resource "aws_ssm_parameter" "sentry_dsn" {
 ]
 }
 }
+
+# GOV.UK One Login client ID
+# The client ID for the GOV.UK One Login service
+resource "aws_ssm_parameter" "govuk_one_login_client_id" {
+ #checkov:skip=CKV_AWS_337:KMS managed key is fine
+
+ name = "/forms-runner-${var.env_name}/govuk_one_login/client_id"
+ description = "The GOV.UK One Login client ID for forms-runner in the ${var.env_name} environment"
+ type = "SecureString"
+ value = "dummy-value"
+
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
+
+# GOV.UK One Login private key
+# The base64 encoded private key for the GOV.UK One Login service
+resource "aws_ssm_parameter" "govuk_one_login_private_key" {
+ #checkov:skip=CKV_AWS_337:KMS managed key is fine
+
+ name = "/forms-runner-${var.env_name}/govuk_one_login/private_key"
+ description = "The base64 encoded GOV.UK One Login private key for forms-runner in the ${var.env_name} environment"
+ type = "SecureString"
+ value = ""
+
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
From 9afd9ec823432f0b697a3a08a7298f6694de3266 Mon Sep 17 00:00:00 2001
From: Stephen Daly
Date: Thu, 30 Apr 2026 15:24:41 +0100
Subject: [PATCH 2/2] Set One Login base URL environment variable for forms-runner
---
 infra/deployments/forms/forms-runner/main.tf | 1 +
 infra/deployments/forms/inputs.tf | 1 +
 infra/deployments/forms/tfvars/dev.tfvars | 1 +
 infra/deployments/forms/tfvars/production.tfvars | 1 +
 infra/deployments/forms/tfvars/staging.tfvars | 1 +
 infra/deployments/forms/tfvars/user-research.tfvars | 1 +
 infra/modules/forms-runner/main.tf | 4 ++++
 infra/modules/forms-runner/variables.tf | 5 +++++
 8 files changed, 15 insertions(+)
diff --git a/infra/deployments/forms/forms-runner/main.tf b/infra/deployments/forms/forms-runner/main.tf
index 365d6c0fd..655038d89 100644
--- a/infra/deployments/forms/forms-runner/main.tf
+++ b/infra/deployments/forms/forms-runner/main.tf
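Review bot: `value = ""` on the `govuk_one_login_private_key` resource is likely to be rejected at apply time, because SSM requires a non-empty parameter value; the sibling `govuk_one_login_client_id` resource uses `value = "dummy-value"` for the same bootstrap purpose, so the private key resource should use the same placeholder, `value = "dummy-value"`. Both resources rely on `ignore_changes = [value]` so the real values are set out of band, which deserves a sentence in the header comment since nothing else in the file says where the real key comes from, e.g. `# Placeholder only: the real base64-encoded key is written to SSM out of band and ignored by Terraform thereafter`. The `#checkov:skip=CKV_AWS_337:KMS managed key is fine` reason is copied from the client ID resource; for a private signing key it would help to state why the AWS-managed key is acceptable here, or to use a customer-managed key whose key policy can be restricted and audited separately from the parameter itself.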
@@ -55,6 +55,7 @@ module "forms_runner" {
 ses_submission_email_from_email_address = var.forms_runner_settings.ses_submission_email_from_email_address
 ses_submission_email_reply_to_email_address = var.forms_runner_settings.ses_submission_email_reply_to_email_address
 ses_submission_configuration_set_name = data.terraform_remote_state.forms_ses.outputs.form_submissions_configuration_set_name
+ govuk_one_login_base_url = var.forms_runner_settings.govuk_one_login_base_url
 additional_submissions_to_s3_role_assumers = local.allowed_submissions_to_s3_role_assumers
 additional_forms_runner_role_assumers = local.allowed_forms_runner_role_assumers
 elasticache_port = data.terraform_remote_state.redis.outputs.elasticache_port
diff --git a/infra/deployments/forms/inputs.tf b/infra/deployments/forms/inputs.tf
index 34e4267cf..e4bad1041 100644
--- a/infra/deployments/forms/inputs.tf
+++ b/infra/deployments/forms/inputs.tf
@@ -175,6 +175,7 @@ variable "forms_runner_settings" {
 allow_human_readonly_roles_to_assume_submissions_to_runner_role = bool
 ses_submission_email_from_email_address = string
 ses_submission_email_reply_to_email_address = string
+ govuk_one_login_base_url = string
 queue_worker_capacity = string
 disable_builtin_solidqueue_worker = bool
 filler_answer_email_enabled = bool
diff --git a/infra/deployments/forms/tfvars/dev.tfvars b/infra/deployments/forms/tfvars/dev.tfvars
index 4113af74d..189fbab41 100644
--- a/infra/deployments/forms/tfvars/dev.tfvars
+++ b/infra/deployments/forms/tfvars/dev.tfvars
@@ -105,6 +105,7 @@ forms_runner_settings = {
 allow_human_readonly_roles_to_assume_submissions_to_runner_role = true
 ses_submission_email_from_email_address = "no-reply@dev.forms.service.gov.uk"
 ses_submission_email_reply_to_email_address = "no-reply@dev.forms.service.gov.uk"
+ govuk_one_login_base_url = "https://oidc.integration.account.gov.uk/"
 queue_worker_capacity = 1
 disable_builtin_solidqueue_worker = true
 filler_answer_email_enabled = false
diff --git a/infra/deployments/forms/tfvars/production.tfvars b/infra/deployments/forms/tfvars/production.tfvars
index 9359f6ccc..8b76a1d11 100644
--- a/infra/deployments/forms/tfvars/production.tfvars
+++ b/infra/deployments/forms/tfvars/production.tfvars
@@ -161,6 +161,7 @@ forms_runner_settings = {
 allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
 ses_submission_email_from_email_address = "no-reply@forms.service.gov.uk"
 ses_submission_email_reply_to_email_address = "no-reply@forms.service.gov.uk"
+ govuk_one_login_base_url = "https://oidc.account.gov.uk/"
 queue_worker_capacity = 6
 disable_builtin_solidqueue_worker = true
 filler_answer_email_enabled = false
diff --git a/infra/deployments/forms/tfvars/staging.tfvars b/infra/deployments/forms/tfvars/staging.tfvars
index 603c5d10d..09394d35b 100644
--- a/infra/deployments/forms/tfvars/staging.tfvars
+++ b/infra/deployments/forms/tfvars/staging.tfvars
@@ -70,6 +70,7 @@ forms_runner_settings = {
 allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
 ses_submission_email_from_email_address = "no-reply@staging.forms.service.gov.uk"
 ses_submission_email_reply_to_email_address = "no-reply@staging.forms.service.gov.uk"
+ govuk_one_login_base_url = "https://oidc.integration.account.gov.uk/"
 queue_worker_capacity = 1
 disable_builtin_solidqueue_worker = true
 filler_answer_email_enabled = false
diff --git a/infra/deployments/forms/tfvars/user-research.tfvars b/infra/deployments/forms/tfvars/user-research.tfvars
index ed5d90c5e..39476d088 100644
--- a/infra/deployments/forms/tfvars/user-research.tfvars
+++ b/infra/deployments/forms/tfvars/user-research.tfvars
@@ -66,6 +66,7 @@ forms_runner_settings = {
 opentelemetry_head_sampler_ratio = "0.1"
 ses_submission_email_from_email_address = "no-reply@research.forms.service.gov.uk"
 ses_submission_email_reply_to_email_address = "no-reply@research.forms.service.gov.uk"
+ govuk_one_login_base_url = "https://oidc.integration.account.gov.uk/"
 allow_human_readonly_roles_to_assume_submissions_to_s3_role = false
 allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
 queue_worker_capacity = 0
diff --git a/infra/modules/forms-runner/main.tf b/infra/modules/forms-runner/main.tf
index 9e8812318..90837969d 100644
--- a/infra/modules/forms-runner/main.tf
+++ b/infra/modules/forms-runner/main.tf
@@ -211,6 +211,10 @@ module "ecs_service" {
 name = "SETTINGS__SES_SUBMISSION_EMAIL__REPLY_TO_EMAIL_ADDRESS",
 value = var.ses_submission_email_reply_to_email_address
 },
+ {
+ name = "SETTINGS__GOVUK_ONE_LOGIN_BASE_URL",
+ value = var.govuk_one_login_base_url
+ },
 {
 name = "KMS_KEY_ID",
 value = aws_kms_alias.active_record_alias.name
diff --git a/infra/modules/forms-runner/variables.tf b/infra/modules/forms-runner/variables.tf
index 38c0d6197..9bd152b44 100644
--- a/infra/modules/forms-runner/variables.tf
+++ b/infra/modules/forms-runner/variables.tf
@@ -110,6 +110,11 @@ variable "ses_submission_configuration_set_name" {
 description = "The name of the configuration set to use when sending form submissions"
 }
 
+variable "govuk_one_login_base_url" {
+ type = string
+ description = "The base URL for GOV.UK One Login authentication requests"
+}
+
 variable "elasticache_port" {
 type = number
 description = "The port number for the Redis ElastiCache cluster"
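Review bot: The new environment variable is named `SETTINGS__GOVUK_ONE_LOGIN_BASE_URL` with a single underscore before `BASE_URL`, whereas the secrets added for the same feature in the first patch are `SETTINGS__GOVUK_ONE_LOGIN__CLIENT_ID` and `SETTINGS__GOVUK_ONE_LOGIN__PRIVATE_KEY` with a double underscore; if the application maps `__` to nested settings keys, as the other `SETTINGS__` names in this list suggest, this value lands at the top level rather than under `govuk_one_login` next to the client ID and key. Confirm against the application's settings loader and, if nesting is intended, rename it `name = "SETTINGS__GOVUK_ONE_LOGIN__BASE_URL",`. The `module "ecs_service"` block starts and ends outside the hunk.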
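Review bot: `govuk_one_login_base_url` is accepted as any string, yet per its own description it is the base URL for One Login authentication requests, so a mistyped or `http://` value in a tfvars file would only surface at runtime; a `validation` block that rejects anything not starting with `https://` catches that at plan time, with `can(regex(...))` rather than `startswith()` so it does not depend on a newer Terraform release. All four tfvars in this series end the URL with a trailing slash, so the description should also say whether the application requires that slash. The fence below adds the validation; the surrounding hunk lines are unchanged.

```hcl
variable "govuk_one_login_base_url" {
  type        = string
  description = "The base URL for GOV.UK One Login authentication requests"

  validation {
    condition     = can(regex("^https://", var.govuk_one_login_base_url))
    error_message = "govuk_one_login_base_url must be an https:// URL."
  }
}
```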