Merge branch 'VED-80-id-sync-sqs' into VED-480-Number-Update-terraform

JamesW1-NHS · JamesW1-NHS · commit 34828b52cf33 · 2025-07-21T12:06:51.000+01:00
diff --git a/terraform/sqs_id_sync.tf b/terraform/sqs_id_sync.tf
@@ -0,0 +1,55 @@
+# Standard SQS Queue
+
+resource "aws_sqs_queue" "id_sync_queue" {
+  name                        = "${local.short_prefix}-id-sync-queue"
+  kms_master_key_id           = aws_kms_alias.id_sync_sqs_encryption.name
+  visibility_timeout_seconds  = 60
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.id_sync_dlq.arn
+    maxReceiveCount     = 4
+  })
+}
+
+# DLQ for id-sync-queue
+
+resource "aws_sqs_queue" "id_sync_dlq" {
+  name = "${local.short_prefix}-id-sync-dlq"
+}
+
+resource "aws_sqs_queue_redrive_allow_policy" "id_sync_queue_redrive_allow_policy" {
+  queue_url = aws_sqs_queue.id_sync_dlq.id
+
+  redrive_allow_policy = jsonencode({
+    redrivePermission = "byQueue",
+    sourceQueueArns   = [aws_sqs_queue.id_sync_queue.arn]
+  })
+}
+
+# IAM policy.
+# TODO: this is currently a global allow policy.
+# Refine this to allow receive from our lambda, and send from MNS
+
+data "aws_iam_policy_document" "id_sync_sqs_policy" {
+  statement {
+    sid    = "id-sync-queue SQS statement"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sqs:SendMessage",
+      "sqs:ReceiveMessage"
+    ]
+    resources = [
+      aws_sqs_queue.id_sync_queue.arn
+    ]
+  }
+}
+
+resource "aws_sqs_queue_policy" "id_sync_sqs_policy" {
+  queue_url = aws_sqs_queue.id_sync_queue.id
+  policy    = data.aws_iam_policy_document.id_sync_sqs_policy.json
+}
diff --git a/terraform/temp_id_sync_sqs_kms.tf b/terraform/temp_id_sync_sqs_kms.tf
@@ -0,0 +1,105 @@
+# NOTE. This is a temporary file.
+# Eventually the aws_kms_key "id_sync_sqs_key" will go into infra/kms.tf
+
+locals {
+
+  # from infra/environments/non-prod/variables.tfvars
+  # NOTE: this is only going to work in non-prod for now.
+
+  imms_account_id          = "345594581768"
+  admin_role               = "root"
+  dev_ops_role             = "role/DevOps"
+  auto_ops_role            = "role/auto-ops"
+
+  # from infra/kms.tf
+
+  policy_statement_allow_administration = {
+    Sid    = "AllowKeyAdministration",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${local.imms_account_id}:${local.admin_role}"
+    },
+    Action = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+      "kms:Tag*"
+    ],
+    Resource = "*"
+  }
+
+  policy_statement_allow_auto_ops = {
+    Sid    = "KMSKeyUserAccess",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${local.imms_account_id}:${local.auto_ops_role}"
+    },
+    Action = [
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ],
+    Resource = "*"
+  }
+
+  policy_statement_allow_devops = {
+    Sid    = "KMSKeyUserAccessForDevOps",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${local.imms_account_id}:${local.dev_ops_role}"
+    },
+    Action = [
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ],
+    Resource = "*"
+  }
+
+  # -- New elements relating to id_sync are below here
+
+  # MNS id/role: ultimately these should go in infra/environments/<env>/variables.tfvars
+
+  mns_account_id    = "631615744739"
+  mns_admin_role    = "role/nhs-mns-events-lambda-delivery"
+
+  policy_statement_allow_mns = {
+    Sid    = "AllowMNSLambdaDelivery",
+    Effect = "Allow",
+    Principal = {
+      AWS = "arn:aws:iam::${local.mns_account_id}:${local.mns_admin_role}"
+    },
+    Action = "kms:GenerateDataKey",
+    Resource = "*"
+  }
+}
+
+resource "aws_kms_key" "id_sync_sqs_encryption" {
+  description         = "KMS key for MNS service access"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Id      = "key-consolepolicy-3",
+    Statement = [
+      local.policy_statement_allow_administration,
+      local.policy_statement_allow_auto_ops,
+      local.policy_statement_allow_devops,
+      local.policy_statement_allow_mns
+    ]
+  })
+}
+
+resource "aws_kms_alias" "id_sync_sqs_encryption" {
+  name          = "alias/imms-event-id-sync-sqs-encryption"
+  target_key_id = aws_kms_key.id_sync_sqs_encryption.key_id
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -94,3 +94,7 @@ data "aws_kms_key" "existing_lambda_encryption_key" {
 data "aws_kms_key" "existing_kinesis_encryption_key" {
   key_id = "alias/imms-batch-kinesis-stream-encryption"
 }
+
+data "aws_kms_key" "existing_id_sync_sqs_encryption_key" {
+  key_id = "alias/imms-event-id-sync-sqs-encryption"
+}

Original file line number	Diff line number	Diff line change
`@@ -94,3 +94,7 @@ data "aws_kms_key" "existing_lambda_encryption_key" {`
`94`	`94`	`data "aws_kms_key" "existing_kinesis_encryption_key" {`
`95`	`95`	`key_id = "alias/imms-batch-kinesis-stream-encryption"`
`96`	`96`	`}`
	`97`	`+`
	`98`	`+data "aws_kms_key" "existing_id_sync_sqs_encryption_key" {`
	`99`	`+ key_id = "alias/imms-event-id-sync-sqs-encryption"`
	`100`	`+}`