VED-901: Add dps kms key on filenameproc lambda (#1068)

* add kms permission unto filenameprocessor lambda

Author: Akol125

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -5,3 +5,4 @@ pds_environment                   = "prod"
 batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
+dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -5,3 +5,4 @@ pds_environment                   = "prod"
 batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
+dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"

infrastructure/instance/file_name_processor.tf

@@ -253,13 +253,44 @@ resource "aws_iam_policy" "filenameprocessor_dynamo_access_policy" {
   })
 }
 
+# Kms policy setup on filenameprocessor lambda for dps cross account bucket access
+resource "aws_iam_policy" "filenameprocessor_dps_extended_attribute_kms_policy" {
+  name        = "${local.short_prefix}-filenameproc-dps-kms-policy"
+  description = "Allow Lambda to use DPS KMS key for SSE-KMS encrypted S3 bucket access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey",
+          "kms:DescribeKey"
+        ],
+        Resource = "arn:aws:kms:eu-west-2:${var.dspp_core_account_id}:key/*",
+        "Condition" = {
+          "ForAnyValue:StringEquals" = {
+            "kms:ResourceAliases" = "alias/${var.dspp_kms_key_alias}"
+          }
+        }
+      }
+    ]
+  })
+}
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_exec_policy_attachment" {
   role       = aws_iam_role.filenameprocessor_lambda_exec_role.name
   policy_arn = aws_iam_policy.filenameprocessor_lambda_exec_policy.arn
 }
 
+#Attach the dps kms policy to the Lambda role
+resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_dps_kms_ea_policy_attachment" {
+  role       = aws_iam_role.filenameprocessor_lambda_exec_role.name
+  policy_arn = aws_iam_policy.filenameprocessor_dps_extended_attribute_kms_policy.arn
+}
+
 # Attach the SQS policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_sqs_policy_attachment" {
   role       = aws_iam_role.filenameprocessor_lambda_exec_role.name

infrastructure/instance/variables.tf

@@ -10,6 +10,12 @@ variable "csoc_account_id" {
   default = "693466633220"
 }
 
+variable "dspp_kms_key_alias" {
+  description = "Alias name of the DPS KMS key allowed for SSE-KMS encryption"
+  type        = string
+  default     = "nhsd-dspp-core-ref-extended-attributes-gdp-key"
+}
+
 variable "create_mesh_processor" {
   default = false
 }