feat: RDS and DynamoDB with CMK

infrastructure/modules/dynamodb/main.tf

@@ -14,7 +14,8 @@ module "dynamodb_table" {
   ttl_enabled                    = var.ttl_enabled
   ttl_attribute_name             = var.ttl_attribute_name
 
-  server_side_encryption_enabled = true
+  server_side_encryption_enabled     = true
+  server_side_encryption_kms_key_arn = var.kms_key_arn
 
   global_secondary_indexes = var.global_secondary_indexes
 

infrastructure/modules/dynamodb/variables.tf

@@ -92,3 +92,9 @@ variable "ttl_attribute_name" {
   type        = string
   default     = ""
 }
+
+variable "kms_key_arn" {
+  description = "The ARN of the CMK to use for encryption at rest. If not specified, uses AWS managed key."
+  type        = string
+  default     = null
+}

infrastructure/stacks/artefact_management/data.tf

@@ -2,6 +2,10 @@ data "aws_iam_role" "app_github_runner_iam_role" {
   name = "${var.repo_name}-${var.app_github_runner_role_name}"
 }
 
+data "aws_iam_role" "account_github_runner_iam_role" {
+  name = "${var.repo_name}-${var.account_github_runner_role_name}"
+}
+
 data "aws_ssm_parameter" "aws_account_id_dev" {
   name = "/dos/aws_account_id_dev"
 }

infrastructure/stacks/artefact_management/s3.tf

@@ -59,11 +59,17 @@ data "aws_iam_policy_document" "artefacts_bucket_policy" {
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_dev.value}:role/aws-reserved/sso.amazonaws.com/${var.aws_region}/AWSReservedSSO_DOS-FtRS-RW-Developer_b0ffd523c3b8ddb9",
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_dev.value}:role/aws-reserved/sso.amazonaws.com/${var.aws_region}/AWSReservedSSO_DOS-FtRS-RW-Infrastructure_e5f5de072b3e7cf8",
         "${data.aws_iam_role.app_github_runner_iam_role.arn}",
+        "${data.aws_iam_role.account_github_runner_iam_role.arn}",
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_prod.value}:role/${var.repo_name}-${var.app_github_runner_role_name}",
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_prod.value}:role/${var.repo_name}-${var.account_github_runner_role_name}",
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-ref-${var.app_github_runner_role_name}",
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-ref-${var.account_github_runner_role_name}",
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-int-${var.app_github_runner_role_name}",
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-int-${var.account_github_runner_role_name}",
         "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-test-${var.app_github_runner_role_name}",
-        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_dev.value}:role/${var.repo_name}-dev-${var.app_github_runner_role_name}"
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_test.value}:role/${var.repo_name}-test-${var.account_github_runner_role_name}",
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_dev.value}:role/${var.repo_name}-dev-${var.app_github_runner_role_name}",
+        "arn:aws:iam::${data.aws_ssm_parameter.aws_account_id_dev.value}:role/${var.repo_name}-dev-${var.account_github_runner_role_name}"
       ]
     }
     actions = [

infrastructure/stacks/crud_apis/data.tf

@@ -61,6 +61,10 @@ data "aws_iam_policy_document" "s3_access_policy" {
   }
 }
 
+data "aws_kms_key" "dynamodb_kms_key" {
+  key_id = local.kms_aliases.dynamodb
+}
+
 data "aws_iam_policy_document" "dynamodb_access_policy" {
   statement {
     effect = "Allow"
@@ -80,6 +84,16 @@ data "aws_iam_policy_document" "dynamodb_access_policy" {
       ]
     ])
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [data.aws_kms_key.dynamodb_kms_key.arn]
+  }
 }
 
 data "aws_prefix_list" "dynamodb" {

infrastructure/stacks/data_migration/data.tf

@@ -121,6 +121,10 @@ data "aws_iam_policy_document" "secrets_access_policy_for_dms" {
   }
 }
 
+data "aws_kms_key" "dynamodb_kms_key" {
+  key_id = local.kms_aliases.dynamodb
+}
+
 data "aws_iam_policy_document" "dynamodb_access_policy" {
   statement {
     effect = "Allow"
@@ -154,6 +158,16 @@ data "aws_iam_policy_document" "dynamodb_access_policy" {
       "${module.state_table.dynamodb_table_arn}/index/*"
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [data.aws_kms_key.dynamodb_kms_key.arn]
+  }
 }
 
 data "aws_iam_policy_document" "sqs_access_policy" {
@@ -260,6 +274,10 @@ data "aws_kms_key" "dms_kms_alias" {
   key_id = local.kms_aliases.dms
 }
 
+data "aws_kms_key" "rds_kms_alias" {
+  key_id = local.kms_aliases.rds
+}
+
 # AppConfig SSM Parameters
 data "aws_ssm_parameter" "appconfig_application_id" {
   name = "/${var.project}/${var.environment}/appconfig/application_id${local.workspace_suffix}"

infrastructure/stacks/data_migration/dynamodb.tf

@@ -5,6 +5,7 @@ module "state_table" {
   hash_key                       = "source_record_id"
   billing_mode                   = "PAY_PER_REQUEST"
   point_in_time_recovery_enabled = true
+  kms_key_arn                    = data.aws_kms_key.dynamodb_kms_key.arn
 
   attributes = [
     {

infrastructure/stacks/data_migration/rds.tf

@@ -93,6 +93,9 @@ module "rds_replication_target_db" {
   create_cloudwatch_log_group            = true
   cloudwatch_log_group_retention_in_days = var.rds_cloudwatch_logs_retention
 
+  storage_encrypted = true
+  kms_key_id        = data.aws_kms_key.rds_kms_alias.arn
+
   deletion_protection = true
 }
 

infrastructure/stacks/database/data.tf

@@ -46,3 +46,6 @@ data "aws_s3_object" "data_layer" {
   bucket = local.artefacts_bucket
   key    = "${local.artefact_base_path}/${var.project}-python-packages-layer.zip"
 }
+data "aws_kms_key" "dynamodb_kms_key" {
+  key_id = local.kms_aliases.dynamodb
+}

infrastructure/stacks/database/dynamodb.tf

@@ -9,6 +9,7 @@ module "dynamodb_tables" {
   attributes                     = each.value.attributes
   point_in_time_recovery_enabled = true
   stream_enabled                 = lookup(each.value, "stream_enabled", true)
+  kms_key_arn                    = data.aws_kms_key.dynamodb_kms_key.arn
 
   global_secondary_indexes = lookup(each.value, "global_secondary_indexes", [])
 }

infrastructure/stacks/dos_search/data.tf

@@ -57,6 +57,10 @@ data "aws_s3_object" "truststore" {
   key    = local.trust_store_file_path
 }
 
+data "aws_kms_key" "dynamodb_kms_key" {
+  key_id = local.kms_aliases.dynamodb
+}
+
 data "aws_iam_policy_document" "vpc_access_policy" {
   # checkov:skip=CKV_AWS_111: TODO https://nhsd-jira.digital.nhs.uk/browse/FDOS-421
   # checkov:skip=CKV_AWS_356: TODO https://nhsd-jira.digital.nhs.uk/browse/FDOS-421
@@ -88,6 +92,15 @@ data "aws_iam_policy_document" "dynamodb_access_policy" {
       ]
     ])
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey"
+    ]
+    resources = [data.aws_kms_key.dynamodb_kms_key.arn]
+  }
 }
 
 data "aws_prefix_list" "dynamodb" {

infrastructure/stacks/dos_search/health_check_lambda.tf

@@ -57,4 +57,13 @@ data "aws_iam_policy_document" "health_check_dynamodb_access_policy" {
       "arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${local.project_prefix}-database-${var.organisation_table_name}*"
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey"
+    ]
+    resources = [data.aws_kms_key.dynamodb_kms_key.arn]
+  }
 }

infrastructure/stacks/github_runner/account_github_runner_policy_part2.json.tpl

@@ -56,7 +56,8 @@
                 "arn:aws:iam::*:role/dms-vpc-role",
                 "arn:aws:iam::*:role/${project}-*",
                 "arn:aws:iam::*:policy/${project}-*",
-                "arn:aws:iam::*:role/aws-service-role/shield.amazonaws.com/AWSServiceRoleForAWSShield"
+                "arn:aws:iam::*:role/aws-service-role/shield.amazonaws.com/AWSServiceRoleForAWSShield",
+                "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
             ]
         },
         {

infrastructure/stacks/opensearch/data.tf

@@ -6,6 +6,11 @@ data "aws_vpc" "vpc" {
   }
 }
 
+data "aws_kms_key" "dynamodb_kms_key" {
+  count  = local.stack_enabled
+  key_id = local.kms_aliases.dynamodb
+}
+
 data "aws_subnets" "private_subnets" {
   count = local.stack_enabled
   filter {

infrastructure/stacks/opensearch/iam.tf

@@ -48,6 +48,14 @@ resource "aws_iam_role_policy" "osis_pipelines_policy" {
           ]
         ])
       },
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey"
+        ]
+        Resource = data.aws_kms_key.dynamodb_kms_key[0].arn
+      },
       {
         Effect = "Allow"
         Action = [

infrastructure/stacks/ui/data.tf

@@ -141,6 +141,11 @@ data "aws_acm_certificate" "domain_cert" {
   most_recent = true
 }
 
+data "aws_kms_key" "dynamodb_kms_key" {
+  count  = local.stack_enabled
+  key_id = local.kms_aliases.dynamodb
+}
+
 data "aws_iam_policy_document" "dynamodb_session_store_policy" {
   count = local.stack_enabled
   statement {
@@ -157,6 +162,16 @@ data "aws_iam_policy_document" "dynamodb_session_store_policy" {
       "${module.ui_session_store[0].dynamodb_table_arn}/index/*"
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [data.aws_kms_key.dynamodb_kms_key[0].arn]
+  }
 }
 
 data "aws_cloudfront_cache_policy" "caching_disabled" {

infrastructure/stacks/ui/dynamodb.tf

@@ -8,6 +8,7 @@ module "ui_session_store" {
   billing_mode       = "PAY_PER_REQUEST"
   ttl_attribute_name = "expiresAt"
   ttl_enabled        = true
+  kms_key_arn        = data.aws_kms_key.dynamodb_kms_key[0].arn
 
   attributes = [
     {