VED-80: SQS Queue: KMS key in infra (#674)

* vaccine_type -> upper case

* remove comments

* revert code changes (failed DPS)

* revert code changes (failed DPS)

* init: sqs_id_sync

* reworked to standard Q with DLQ

* reworked to standard Q with DLQ (II)

* add sqs queue policy

* local (temp) id_sync KMS key

* local (temp) id_sync KMS key II

* local (temp) id_sync KMS key III

* local (temp) id_sync KMS key IV non-prod only

* add temp KMS key to id_sync SQS queue

* move aws_kme_key.id_sync_sqs_encryption to infra

* fix: existing_id_sync_sqs_encryption_key

* Defined variables for MNS

* change: alias/imms-event-id-sync-encryption

* corrected merge conflict

* cleanup

---------

Co-authored-by: robertnovac1 <[email protected]>

Author: JamesW1-NHS

infra/environments/int/variables.tfvars

@@ -1,9 +1,11 @@
 imms_account_id          = "084828561157"
 dspp_account_id          = "603871901111"
+mns_account_id           = "631615744739"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "int"
 parent_route53_zone_name = "int.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.int.vds.platform.nhs.uk"

infra/environments/non-prod/variables.tfvars

@@ -1,9 +1,11 @@
 imms_account_id          = "345594581768"
 dspp_account_id          = "603871901111"
+mns_account_id           = "631615744739"
 admin_role               = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role             = "role/DevOps"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "dev"
 parent_route53_zone_name = "dev.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.dev.vds.platform.nhs.uk"

infra/environments/prod/variables.tfvars

@@ -1,9 +1,11 @@
 imms_account_id          = "664418956997"
 dspp_account_id          = "232116723729"
+mns_account_id           = "758334270304"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Admin_edd6691e4b74064e"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Devops_8f32c62195d56b76"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "prod"
 parent_route53_zone_name = "prod.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.prod.vds.platform.nhs.uk"

infra/kms.tf

@@ -66,6 +66,16 @@ locals {
     ],
     Resource = "*"
   }
+
+  policy_statement_allow_mns = {
+    Sid    = "AllowMNSLambdaDelivery",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${var.mns_account_id}:${var.mns_admin_role}"
+    },
+    Action = "kms:GenerateDataKey",
+    Resource = "*"
+  }
 }
 
 
@@ -147,3 +157,25 @@ resource "aws_kms_alias" "s3_shared_key" {
   name          = "alias/imms-batch-s3-shared-key"
   target_key_id = aws_kms_key.s3_shared_key.key_id
 }
+
+resource "aws_kms_key" "id_sync_sqs_encryption" {
+  description         = "KMS key for MNS service access"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "key-consolepolicy-3",
+    Statement = [
+      local.policy_statement_allow_administration,
+      local.policy_statement_allow_auto_ops,
+      local.policy_statement_allow_devops,
+      local.policy_statement_allow_mns
+    ]
+  })
+}
+
+resource "aws_kms_alias" "id_sync_sqs_encryption" {
+  name          = "alias/imms-event-id-sync-encryption"
+  target_key_id = aws_kms_key.id_sync_sqs_encryption.key_id
+}
+

infra/variables.tf

@@ -16,3 +16,6 @@ variable "build_agent_account_id" {
 variable "environment" {
   default = "non-prod"
 }
+
+variable "mns_account_id" {}
+variable "mns_admin_role" {}

terraform/main.tf

@@ -97,6 +97,10 @@ data "aws_kms_key" "existing_kinesis_encryption_key" {
   key_id = "alias/imms-batch-kinesis-stream-encryption"
 }
 
+data "aws_kms_key" "existing_id_sync_sqs_encryption_key" {
+  key_id = "alias/imms-event-id-sync-encryption"
+}
+
 data "aws_kms_key" "mesh_s3_encryption_key" {
   key_id = "alias/local-immunisation-mesh"
 }

terraform/sqs_id_sync.tf

@@ -0,0 +1,47 @@
+resource "aws_sqs_queue" "id_sync_queue" {
+  name                        = "${local.short_prefix}-id-sync-queue"
+  kms_master_key_id           = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
+  visibility_timeout_seconds  = 60
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.id_sync_dlq.arn
+    maxReceiveCount     = 4
+  })
+}
+
+resource "aws_sqs_queue" "id_sync_dlq" {
+  name = "${local.short_prefix}-id-sync-dlq"
+}
+
+resource "aws_sqs_queue_redrive_allow_policy" "id_sync_queue_redrive_allow_policy" {
+  queue_url = aws_sqs_queue.id_sync_dlq.id
+
+  redrive_allow_policy = jsonencode({
+    redrivePermission = "byQueue",
+    sourceQueueArns   = [aws_sqs_queue.id_sync_queue.arn]
+  })
+}
+
+data "aws_iam_policy_document" "id_sync_sqs_policy" {
+  statement {
+    sid    = "id-sync-queue SQS statement"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ReceiveMessage"
+    ]
+    resources = [
+      aws_sqs_queue.id_sync_queue.arn
+    ]
+  }
+}
+
+resource "aws_sqs_queue_policy" "id_sync_sqs_policy" {
+  queue_url = aws_sqs_queue.id_sync_queue.id
+  policy    = data.aws_iam_policy_document.id_sync_sqs_policy.json
+}