NHSDigital · Akol125 · Oct 8, 2025 · Aug 26, 2025 · Aug 26, 2025 · Oct 2, 2025
diff --git a/infra/csoc_role_creation.tf b/infra/csoc_role_creation.tf
@@ -0,0 +1,34 @@
+resource "aws_iam_role" "eventbridge_forwarder_role" {
+  name = "${local.short_prefix}-eventbridge-forwarder-role"
+  assume_role_policy = jsonencode({
+    Version : "2012-10-17",
+    Statement = [{
+      Sid      = "TrustEventBridgeService",
+      Effect   = "Allow",
+      Principal = { Service = "events.amazonaws.com" },
+      Action   = "sts:AssumeRole",
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = var.immunisation_account_id
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "eventbridge_forwarder_policy" {
+  name = "${local.short_prefix}-eventbridge-forwarder-policy"
+  role = aws_iam_role.eventbridge_forwarder_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Sid    = "ActionsForResource",
+      Effect = "Allow",
+      Action = ["events:PutEvents"],
+      Resource = [
+        "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+      ]
+    }]
+  })
+}
diff --git a/infra/environments/dev/variables.tfvars b/infra/environments/dev/variables.tfvars
@@ -1,6 +1,7 @@
 imms_account_id          = "345594581768"
 dspp_account_id          = "603871901111"
 mns_account_id           = "631615744739"
+csoc_account_id          = "693466633220"
 admin_role               = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DEV-IMMS-Devops_745af4f208886ecc"
 dspp_admin_role          = "root"

diff --git a/infra/environments/preprod/variables.tfvars b/infra/environments/preprod/variables.tfvars
@@ -1,6 +1,7 @@
 imms_account_id          = "084828561157"
 dspp_account_id          = "603871901111"
 mns_account_id           = "631615744739"
+csoc_account_id          = "693466633220"
 # admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
 admin_role               = "root"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"

diff --git a/infra/environments/prod/variables.tfvars b/infra/environments/prod/variables.tfvars
@@ -1,6 +1,7 @@
 imms_account_id          = "664418956997"
 dspp_account_id          = "232116723729"
 mns_account_id           = "758334270304"
+csoc_account_id          = "693466633220"
 # admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Admin_edd6691e4b74064e"
 admin_role               = "root"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Devops_8f32c62195d56b76"

diff --git a/infra/shield_protection.tf b/infra/shield_protection.tf
@@ -0,0 +1,150 @@
+
+# AWS Dynamic Lookups
+data "aws_availability_zones" "available" {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+provider "aws" {
+  alias  = "use1"
+  region = "us-east-1"
+}
+
+# Create all resources to Protect
+resource "aws_shield_protection" "nat_eip" {
+  name         = "shield_nat_eip"
+  resource_arn = "arn:aws:ec2:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.example.id}"
+
+  tags = {
+    Environment = "imms-${var.environment}-fhir-api-eip-shield"
+  }
+}
+
+resource "aws_shield_protection" "parent_dns" {
+  provider     = aws.use1
+  name         = "shield_ddos_parent_zone"
+  resource_arn = aws_route53_zone.parent_hosted_zone.arn
+
+  tags = {
+    Environment = "imms-${var.environment}-fhir-api-parent-dns-shield"
+  }
+}
+
+resource "aws_shield_protection" "child_dns" {
+  provider     = aws.use1
+  name         = "route53_shield_ddos_childzone"
+  resource_arn = aws_route53_zone.child_hosted_zone.arn
+
+  tags = {
+    Environment = "imms-${var.environment}-fhir-api-child-dns-shield"
+  }
+}
+
+
+
+locals {
+  regional_shield_arn = {
+    nat_gateway_eip = aws_shield_protection.nat_eip.resource_arn
+  }
+}
+
+locals {
+  global_shield_arn = {
+    route53_parent_zone = aws_shield_protection.parent_dns.resource_arn
+    route53_child_zone = aws_shield_protection.child_dns.resource_arn
+  }
+}
+
+
+# Create Metric Alarms for each of those resources
+resource "aws_cloudwatch_metric_alarm" "ddos_protection_regional" {
+  for_each = local.regional_shield_arn
+
+  alarm_name          = "shield_ddos_${each.key}"
+  alarm_description   = "Alarm when Shield detects DDoS on ${each.key}"
+
+  namespace           = "AWS/DDoSProtection"
+  metric_name         = "DDoSDetected"
+  statistic           = "Maximum"
+  period              = 60
+  evaluation_periods  = 20
+  datapoints_to_alarm = 1
+  threshold           = 0
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    ResourceArn = each.value
+  }
+}
+
+# Create Metric Alarms for Global Resources in us-east-1 Region
+resource "aws_cloudwatch_metric_alarm" "ddos_protection_global" {
+  for_each = locals.global_shield_arn
+
+  provider            = aws.use1
+  alarm_name          = "shield_ddos_${each.key}"
+  alarm_description   = "Alarm when Shield detects DDoS on ${each.key}"
+
+  namespace           = "AWS/DDoSProtection"
+  metric_name         = "DDoSDetected"
+  statistic           = "Maximum"
+  period              = 60
+  evaluation_periods  = 20
+  datapoints_to_alarm = 1
+  threshold           = 0
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = {
+    ResourceArn = each.value
+  }
+}
+
+
+# Event Bus Rule for eu-west-2 Region
+
+resource "aws_cloudwatch_event_rule" "shield_ddos_rule_regional" {
+  name        = "imms_${var.environment}_shield_ddos_rule_${data.aws_region.current.name}"
+  description = "Forward Shield DDoS CloudWatch alarms to CSOC event bus"
+
+  event_pattern = jsonencode({
+    "source"      = ["aws.cloudwatch"],
+    "detail-type" = ["CloudWatch Alarm State Change"],
+    "resources"   = [
+      for alarm in aws_cloudwatch_metric_alarm.ddos_protection_regional : alarm.arn
+    ]
+  })
+}
+
+
+
+resource "aws_cloudwatch_event_target" "shield_ddos_target_regional" {
+  rule      = aws_cloudwatch_event_rule.shield_ddos_rule_regional.name
+  target_id = "csoc-eventbus"
+  arn       = "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+  role_arn  = aws_iam_role.shield_ddos_forwarder.arn
+}
+
+# Event Bus Rule for us-east-1 Region
+
+resource "aws_cloudwatch_event_rule" "shield_ddos_rule_global" {
+  provider    = aws.use1
+  name        = "imms_${var.environment}_shield_ddos_rule_us-east-1"
+  description = "Forward Shield DDoS CloudWatch alarms (global) to CSOC event bus"
+
+  event_pattern = jsonencode({
+    "source"      = ["aws.cloudwatch"],
+    "detail-type" = ["CloudWatch Alarm State Change"],
+    "resources"   = [
+      for alarm in aws_cloudwatch_metric_alarm.ddos_protection_global : alarm.arn
+    ]
+  })
+}
+
+resource "aws_cloudwatch_event_target" "shield_ddos_target_global" {
+  provider  = aws.use1
+  rule      = aws_cloudwatch_event_rule.shield_ddos_rule_global.name
+  target_id = "csoc-eventbus"
+  arn       = "arn:aws:events:us-east-1:${var.csoc_account_id}:event-bus/shield-eventbus"
+  role_arn  = aws_iam_role.shield_ddos_forwarder.arn
+}
diff --git a/infra/shield_subscription.tf b/infra/shield_subscription.tf
@@ -0,0 +1,7 @@
+// One-time Shield Advanced subscription for the account.
+// This resource is account-level. 
+
+resource "aws_shield_subscription" "shield_subscription" {
+  auto_renew = "ENABLED"
+
+}
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -10,6 +10,12 @@ variable "dspp_account_id" {
   description = "DSPP Core AWS account ID"
   type        = string
 }
+variable "csoc_account_id" {
+  description = "CSOC Core AWS account ID"
+  type        = string
+
+}
+
 variable "auto_ops_role" {
   default = "role/auto-ops"
   type    = string

diff --git a/terraform/csoc_role_creation.tf b/terraform/csoc_role_creation.tf
@@ -0,0 +1,34 @@
+resource "aws_iam_role" "eventbridge_forwarder_role" {
+  name = "${local.short_prefix}-eventbridge-forwarder-role"
+  assume_role_policy = jsonencode({
+    Version : "2012-10-17",
+    Statement = [{
+      Sid      = "TrustEventBridgeService",
+      Effect   = "Allow",
+      Principal = { Service = "events.amazonaws.com" },
+      Action   = "sts:AssumeRole",
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = var.immunisation_account_id
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "eventbridge_forwarder_policy" {
+  name = "${local.short_prefix}-eventbridge-forwarder-policy"
+  role = aws_iam_role.eventbridge_forwarder_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Sid    = "ActionsForResource",
+      Effect = "Allow",
+      Action = ["events:PutEvents"],
+      Resource = [
+        "arn:aws:events:eu-west-2:${var.csoc_account_id}:event-bus/shield-eventbus"
+      ]
+    }]
+  })
+}