Merge branch 'master' into VED-358-github-actions-for-int

robertnovac1 · robertnovac1 · commit 2be3314c103d · 2025-07-24T13:35:04.000+01:00
diff --git a/infra/environments/int/variables.tfvars b/infra/environments/int/variables.tfvars
@@ -1,9 +1,11 @@
 imms_account_id          = "084828561157"
 dspp_account_id          = "603871901111"
+mns_account_id           = "631615744739"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "int"
 parent_route53_zone_name = "int.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.int.vds.platform.nhs.uk"
diff --git a/infra/environments/non-prod/variables.tfvars b/infra/environments/non-prod/variables.tfvars
@@ -1,9 +1,11 @@
 imms_account_id          = "345594581768"
 dspp_account_id          = "603871901111"
+mns_account_id           = "631615744739"
 admin_role               = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role             = "role/DevOps"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "dev"
 parent_route53_zone_name = "dev.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.dev.vds.platform.nhs.uk"
diff --git a/infra/environments/prod/variables.tfvars b/infra/environments/prod/variables.tfvars
@@ -1,9 +1,11 @@
 imms_account_id          = "664418956997"
 dspp_account_id          = "232116723729"
+mns_account_id           = "758334270304"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Admin_edd6691e4b74064e"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Devops_8f32c62195d56b76"
 auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
+mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "prod"
 parent_route53_zone_name = "prod.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.prod.vds.platform.nhs.uk"
diff --git a/infra/kms.tf b/infra/kms.tf
@@ -66,6 +66,16 @@ locals {
     ],
     Resource = "*"
   }
+
+  policy_statement_allow_mns = {
+    Sid    = "AllowMNSLambdaDelivery",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${var.mns_account_id}:${var.mns_admin_role}"
+    },
+    Action = "kms:GenerateDataKey",
+    Resource = "*"
+  }
 }
 
 
@@ -147,3 +157,25 @@ resource "aws_kms_alias" "s3_shared_key" {
   name          = "alias/imms-batch-s3-shared-key"
   target_key_id = aws_kms_key.s3_shared_key.key_id
 }
+
+resource "aws_kms_key" "id_sync_sqs_encryption" {
+  description         = "KMS key for MNS service access"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "key-consolepolicy-3",
+    Statement = [
+      local.policy_statement_allow_administration,
+      local.policy_statement_allow_auto_ops,
+      local.policy_statement_allow_devops,
+      local.policy_statement_allow_mns
+    ]
+  })
+}
+
+resource "aws_kms_alias" "id_sync_sqs_encryption" {
+  name          = "alias/imms-event-id-sync-encryption"
+  target_key_id = aws_kms_key.id_sync_sqs_encryption.key_id
+}
+
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -16,3 +16,6 @@ variable "build_agent_account_id" {
 variable "environment" {
   default = "non-prod"
 }
+
+variable "mns_account_id" {}
+variable "mns_admin_role" {}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -97,6 +97,10 @@ data "aws_kms_key" "existing_kinesis_encryption_key" {
   key_id = "alias/imms-batch-kinesis-stream-encryption"
 }
 
+data "aws_kms_key" "existing_id_sync_sqs_encryption_key" {
+  key_id = "alias/imms-event-id-sync-encryption"
+}
+
 data "aws_kms_key" "mesh_s3_encryption_key" {
   key_id = "alias/local-immunisation-mesh"
 }
diff --git a/terraform/sqs_id_sync.tf b/terraform/sqs_id_sync.tf
@@ -0,0 +1,47 @@
+resource "aws_sqs_queue" "id_sync_queue" {
+  name                        = "${local.short_prefix}-id-sync-queue"
+  kms_master_key_id           = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
+  visibility_timeout_seconds  = 60
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.id_sync_dlq.arn
+    maxReceiveCount     = 4
+  })
+}
+
+resource "aws_sqs_queue" "id_sync_dlq" {
+  name = "${local.short_prefix}-id-sync-dlq"
+}
+
+resource "aws_sqs_queue_redrive_allow_policy" "id_sync_queue_redrive_allow_policy" {
+  queue_url = aws_sqs_queue.id_sync_dlq.id
+
+  redrive_allow_policy = jsonencode({
+    redrivePermission = "byQueue",
+    sourceQueueArns   = [aws_sqs_queue.id_sync_queue.arn]
+  })
+}
+
+data "aws_iam_policy_document" "id_sync_sqs_policy" {
+  statement {
+    sid    = "id-sync-queue SQS statement"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ReceiveMessage"
+    ]
+    resources = [
+      aws_sqs_queue.id_sync_queue.arn
+    ]
+  }
+}
+
+resource "aws_sqs_queue_policy" "id_sync_sqs_policy" {
+  queue_url = aws_sqs_queue.id_sync_queue.id
+  policy    = data.aws_iam_policy_document.id_sync_sqs_policy.json
+}

Original file line number	Diff line number	Diff line change
`@@ -16,3 +16,6 @@ variable "build_agent_account_id" {`
`16`	`16`	`variable "environment" {`
`17`	`17`	`default = "non-prod"`
`18`	`18`	`}`
	`19`	`+`
	`20`	`+variable "mns_account_id" {}`
	`21`	`+variable "mns_admin_role" {}`
Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,10 @@ data "aws_kms_key" "existing_kinesis_encryption_key" {`
`97`	`97`	`key_id = "alias/imms-batch-kinesis-stream-encryption"`
`98`	`98`	`}`
`99`	`99`
	`100`	`+data "aws_kms_key" "existing_id_sync_sqs_encryption_key" {`
	`101`	`+ key_id = "alias/imms-event-id-sync-encryption"`
	`102`	`+}`
	`103`	`+`
`100`	`104`	`data "aws_kms_key" "mesh_s3_encryption_key" {`
`101`	`105`	`key_id = "alias/local-immunisation-mesh"`
`102`	`106`	`}`