ELI-154 - firehose , s3 audit setup (#192)

* firehose and audit bucket fixture

* modified test to check if the data is written to audit

* firehose terraform code

* code clean up and fixes

* Update Kinesis Firehose config

* added env for stream name

* fix

* Add firehose to vpc endpoints

* firehose endpoint

* firehose cloudwatch logs

* firehose kms key

* audit kms s3 policy fix

* kms encryption 🔐 for firehose & cleanup 🧹

* key name change

* key name change

* key name change

* test

* kms encryption

* checkov

* logs encruption

* cleanup

* checkov

* checkov

* checkov

* checkov

* lint

* sonar fixed

---------

Co-authored-by: Robert <[email protected]>

Author: Karthikeyannhs

infrastructure/modules/kinesis_firehose/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/modules/kinesis_firehose/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf

@@ -0,0 +1,29 @@
+resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_delivery_stream" {
+  name        = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.audit_firehose_delivery_stream_name}"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = var.audit_firehose_role_arn
+    bucket_arn = var.s3_audit_bucket_arn
+
+    buffering_size     = 1
+    buffering_interval = 60
+    compression_format = "UNCOMPRESSED"
+
+    kms_key_arn = aws_kms_key.firehose_cmk.arn
+
+    cloudwatch_logging_options {
+      enabled         = true
+      log_group_name  = var.kinesis_cloud_watch_log_group_name
+      log_stream_name = var.kinesis_cloud_watch_log_stream
+    }
+  }
+
+  server_side_encryption {
+    enabled  = true
+    key_arn  = aws_kms_key.firehose_cmk.arn
+    key_type = "CUSTOMER_MANAGED_CMK"
+  }
+
+  tags = var.tags
+}

infrastructure/modules/kinesis_firehose/kms.tf

@@ -0,0 +1,94 @@
+resource "aws_kms_key" "firehose_cmk" {
+  description             = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.audit_firehose_delivery_stream_name} Master Key"
+  deletion_window_in_days = 14
+  is_enabled              = true
+  enable_key_rotation     = true
+  tags                    = var.tags
+}
+
+
+resource "aws_kms_alias" "firehose_cmk" {
+  name          = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.audit_firehose_delivery_stream_name}-cmk"
+  target_key_id = aws_kms_key.firehose_cmk.key_id
+}
+
+resource "aws_kms_key_policy" "firehose_key_policy" {
+  key_id = aws_kms_key.firehose_cmk.id
+  policy = data.aws_iam_policy_document.firehose_kms_key_policy.json
+}
+
+
+data "aws_iam_policy_document" "firehose_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "EnableRootUserPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  # Your existing statements below...
+  statement {
+    sid    = "AllowFirehoseAccess"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["firehose.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.firehose_cmk.arn]
+  }
+
+  statement {
+    sid    = "AllowFirehoseRoleUsage"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [var.audit_firehose_role_arn]
+    }
+    actions   = ["kms:*"]
+    resources = [aws_kms_key.firehose_cmk.arn]
+  }
+
+  statement {
+    sid    = "AllowCloudWatchLogsUseOfTheKey"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = [aws_kms_key.firehose_cmk.arn]
+  }
+}
+
+

infrastructure/modules/kinesis_firehose/outputs.tf

@@ -0,0 +1,7 @@
+output "firehose_stream_name" {
+  value = aws_kinesis_firehose_delivery_stream.eligibility_audit_firehose_delivery_stream.name
+}
+
+output "kinesis_firehose_cmk_arn" {
+  value = aws_kms_key.firehose_cmk.arn
+}

infrastructure/modules/kinesis_firehose/variables.tf

@@ -0,0 +1,27 @@
+variable "audit_firehose_delivery_stream_name" {
+  description = "audit firehose delivery stream name"
+  type        = string
+}
+
+variable "audit_firehose_role_arn" {
+  description = "audit firehose role arn"
+  type        = string
+}
+
+variable "s3_audit_bucket_arn" {
+  description = "s3 audit bucket arn"
+  type        = string
+}
+
+variable "kinesis_cloud_watch_log_group_name" {
+  description = "kinesis cloud watch log group name"
+  type        = string
+}
+
+variable "kinesis_cloud_watch_log_stream" {
+  description = "kinesis cloud watch log stream"
+  type        = string
+}
+
+
+

infrastructure/modules/lambda/kms.tf

@@ -17,6 +17,19 @@ resource "aws_kms_key_policy" "lambda_cmk" {
 }
 
 data "aws_iam_policy_document" "lambda_cmk" {
+  #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+  statement {
+    sid    = "EnableIamUserPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
   statement {
     sid    = "Enable IAM User Permissions for Lambda CMK"
     effect = "Allow"

infrastructure/modules/lambda/lambda.tf

@@ -17,10 +17,11 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   environment {
     variables = {
-      PERSON_TABLE_NAME = var.eligibility_status_table_name,
-      RULES_BUCKET_NAME = var.eligibility_rules_bucket_name,
-      ENV               = var.environment
-      LOG_LEVEL         = var.log_level
+      PERSON_TABLE_NAME          = var.eligibility_status_table_name,
+      RULES_BUCKET_NAME          = var.eligibility_rules_bucket_name,
+      KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
+      ENV                        = var.environment
+      LOG_LEVEL                  = var.log_level
     }
   }
 

infrastructure/modules/lambda/variables.tf

@@ -38,6 +38,11 @@ variable "eligibility_status_table_name" {
   type        = string
 }
 
+variable "kinesis_audit_stream_to_s3_name" {
+  description = "kinesis audit stream to s3 name"
+  type        = string
+}
+
 variable "log_level" {
   description = "log level"
   type        = string

infrastructure/stacks/api-layer/api_gateway.tf

@@ -46,9 +46,9 @@ resource "aws_api_gateway_deployment" "eligibility_signposting_api" {
 resource "aws_api_gateway_stage" "eligibility-signposting-api" {
   #checkov:skip=CKV2_AWS_51: mTLS is enforced at the custom domain, not at the stage level
   #checkov:skip=CKV_AWS_120: We're not enabling caching for this API Gateway, yet
-  deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
-  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
-  stage_name    = "${local.workspace}-eligibility-signposting-api-live"
+  deployment_id        = aws_api_gateway_deployment.eligibility_signposting_api.id
+  rest_api_id          = module.eligibility_signposting_api_gateway.rest_api_id
+  stage_name           = "${local.workspace}-eligibility-signposting-api-live"
   xray_tracing_enabled = true
 
   access_log_settings {