VED-270: Terraform fixes. (#408)

* VED-270: WIP: Resolve duplication in infra terraform.

* VED-270: WIP: Add removed blocks to prevent destruction of unmanaged resources.

* VED-270: Only create environment-level sources bucket in prod. Make comments clearer.

* VED-270: Move DynamoDB resources from infra to instance Terraform.

* VED-270: Remove some data sources for managed resources. Some tidying up.

* VED-270: Replace some of the longhand table / index ARNs.

* VED-270: Format.

* VED-270: More issues found.

* VED-270: Move config and batch destination buckets to instance terraform. Add missing BatchGetItem permission for testing in non-prod.

* VED-270: Rename environment in infra terraform for clarity.

* VED-270: Remove old infra terraform. Move new infra terraform up a level.

* VED-270: Inline some policy documents for clarity.

* VED-270: Add more imports.

* VED-270: Add mystery KMS key to non-prod KMS endpoint policy for now.

* VED-270: Fix float serialisation issue.

* VED-270: Look up prefix lists by name.

* VED-270: Resolve some of the Sonar warnings.

* VED-270: Resolve more Sonar warnings. Rename account id locals.

* VED-270: Fix incorrect account in endpoint policies. Remove unused docker provider.

Author: mfjarvis

infra/.terraform.lock.hcl

@@ -1,3 +1,13 @@
+data "aws_ec2_managed_prefix_list" "egress" {
+  for_each = toset([
+    "com.amazonaws.global.cloudfront.origin-facing",
+    "com.amazonaws.eu-west-2.dynamodb",
+    "com.amazonaws.eu-west-2.s3"
+  ])
+
+  name = each.value
+}
+
 resource "aws_security_group" "lambda_redis_sg" {
   vpc_id = data.aws_vpc.default.id
   name   = "immunisation-security-group"
@@ -12,22 +22,20 @@ resource "aws_security_group" "lambda_redis_sg" {
 
   # Outbound rules to specific AWS services using prefix lists
   egress {
-    from_port       = 0
-    to_port         = 0
-    protocol        = "-1"
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
     prefix_list_ids = [
-      "pl-7ca54015",
-      "pl-93a247fa",
-      "pl-b3a742da"
+      for pl in data.aws_ec2_managed_prefix_list.egress : pl.id
     ]
   }
 
   # Egress rule to allow communication within the same security group
   egress {
-    from_port       = 0
-    to_port         = 0
-    protocol        = "-1"
-    self            = true
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+    self      = true
   }
 }
 
@@ -44,18 +52,16 @@ resource "aws_vpc_endpoint" "sqs_endpoint" {
     Version = "2012-10-17",
     Statement = [
       {
-        Effect    = "Allow"
+        Effect = "Allow"
         Principal = {
-          "AWS": [
-            "*"
-          ]
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
         },
-        Action    = [
+        Action = [
           "sqs:SendMessage",
           "sqs:ReceiveMessage",
           "kms:Decrypt"
         ]
-        Resource  = "*"
+        Resource = "*"
       }
     ]
   })
@@ -76,18 +82,18 @@ resource "aws_vpc_endpoint" "s3_endpoint" {
     Version = "2012-10-17",
     Statement = [
       {
-        Effect    = "Allow"
+        Effect = "Allow"
         Principal = {
-          "AWS": "*"
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
         },
-        Action    = [
+        Action = [
           "s3:GetObject",
           "s3:PutObject",
           "s3:ListBucket",
           "s3:CopyObject",
           "s3:DeleteObject"
         ]
-        Resource  = "*"
+        Resource = "*"
       }
     ]
   })
@@ -110,7 +116,9 @@ resource "aws_vpc_endpoint" "kinesis_endpoint" {
     Statement = [
       {
         Effect = "Allow",
-        Principal =  "*",
+        Principal = {
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
+        },
         Action = [
           "firehose:ListDeliveryStreams",
           "firehose:PutRecord",
@@ -137,18 +145,18 @@ resource "aws_vpc_endpoint" "dynamodb" {
     Version = "2012-10-17",
     Statement = [
       {
-        "Effect": "Allow",
-        "Principal": "*",
-        "Action": "*",
-        "Resource": "*"
+        "Effect" : "Allow",
+        "Principal" : {
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
+        },
+        "Action" : "*",
+        "Resource" : "*"
       }
     ]
   })
   tags = {
     Name = "immunisation-dynamo-endpoint"
   }
-
-
 }
 
 
@@ -157,8 +165,8 @@ resource "aws_vpc_endpoint" "ecr_api" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.api"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids = data.aws_subnets.default.ids
-  security_group_ids = [aws_security_group.lambda_redis_sg.id]
+  subnet_ids          = data.aws_subnets.default.ids
+  security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
     Name = "immunisation-ecr-api-endpoint"
@@ -170,8 +178,8 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.dkr"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids = data.aws_subnets.default.ids
-  security_group_ids = [aws_security_group.lambda_redis_sg.id]
+  subnet_ids          = data.aws_subnets.default.ids
+  security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
     Name = "immunisation-ecr-dkr-endpoint"
@@ -183,8 +191,8 @@ resource "aws_vpc_endpoint" "cloud_watch" {
   service_name      = "com.amazonaws.${var.aws_region}.logs"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids = data.aws_subnets.default.ids
-  security_group_ids = [aws_security_group.lambda_redis_sg.id]
+  subnet_ids          = data.aws_subnets.default.ids
+  security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
     Name = "immunisation-cloud-watch-endpoint"
@@ -207,9 +215,7 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
       {
         Effect = "Allow",
         Principal = {
-          "AWS":[
-            "*"
-        ]
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
         },
         Action = [
           "kinesis:ListShards",
@@ -226,6 +232,13 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
   }
 }
 
+# TODO - remove and use the key we manage in this Terraform workspace
+data "aws_kms_key" "existing_lambda_env_encryption" {
+  count = local.account != "prod" ? 1 : 0
+
+  key_id = "648c8c6f-54bf-4b79-ad72-0be6e8d72423"
+}
+
 resource "aws_vpc_endpoint" "kms_endpoint" {
   vpc_id            = data.aws_vpc.default.id
   service_name      = "com.amazonaws.${var.aws_region}.kms"
@@ -240,19 +253,26 @@ resource "aws_vpc_endpoint" "kms_endpoint" {
     Statement = [
       {
         Effect = "Allow",
-        Principal = "*",
+        Principal = {
+          AWS = "arn:aws:iam::${local.immunisation_account_id}:root"
+        },
         Action = [
           "kms:Decrypt",
           "kms:Encrypt",
           "kms:GenerateDataKey*"
         ],
-        Resource = [
-           "arn:aws:kms:eu-west-2:664418956997:key/4e643221-4cb8-49c5-9a78-ced991ff52ae",
-				   "arn:aws:kms:eu-west-2:664418956997:key/d7b3c213-3c05-4caf-bb95-fdb2a6e533b1"
+        Resource = local.account == "prod" ? [
+          aws_kms_key.lambda_env_encryption.arn,
+          aws_kms_key.s3_shared_key.arn
+          ] : [
+          aws_kms_key.lambda_env_encryption.arn,
+          aws_kms_key.s3_shared_key.arn,
+          data.aws_kms_key.existing_lambda_env_encryption[0].arn
         ]
       }
     ]
   })
+
   tags = {
     Name = "immunisation-kms-endpoint"
   }
@@ -263,11 +283,10 @@ resource "aws_vpc_endpoint" "lambda_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.lambda"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids = data.aws_subnets.default.ids
-  security_group_ids = [aws_security_group.lambda_redis_sg.id]
+  subnet_ids          = data.aws_subnets.default.ids
+  security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
     Name = "immunisation-lambda-endpoint"
   }
 }
-

infra/prod/endpoints.tf infra/endpoints.tfinfra/prod/endpoints.tf renamed to infra/endpoints.tf

@@ -4,7 +4,7 @@ resource "aws_iam_role" "kinesis_role" {
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Effect    = "Allow"
+      Effect = "Allow"
       Principal = {
         Service = "kinesis.amazonaws.com"
       }
@@ -20,8 +20,8 @@ resource "aws_iam_policy" "kinesis_kms_policy" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Effect   = "Allow"
-      Action   = [
+      Effect = "Allow"
+      Action = [
         "kms:Encrypt",
         "kms:Decrypt",
         "kms:GenerateDataKey*",