[NDR-55] Virus Scanning Terraform Implementation (#300)

Author: MatthewMoore-NHS

infrastructure/README.md

@@ -3,12 +3,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.84.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.97.0 |
 
 ## Modules
 
@@ -40,6 +41,7 @@
 | <a name="module_bulk-upload-report-lambda"></a> [bulk-upload-report-lambda](#module\_bulk-upload-report-lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk_upload_metadata_preprocessor_lambda"></a> [bulk\_upload\_metadata\_preprocessor\_lambda](#module\_bulk\_upload\_metadata\_preprocessor\_lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk_upload_report_dynamodb_table"></a> [bulk\_upload\_report\_dynamodb\_table](#module\_bulk\_upload\_report\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_cloud_storage_security"></a> [cloud\_storage\_security](#module\_cloud\_storage\_security) | cloudstoragesec/cloud-storage-security/aws | 1.7.1+css8.07.002 |
 | <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module\_cloudfront-distribution-lg) | ./modules/cloudfront | n/a |
 | <a name="module_cloudfront_edge_dynamodb_table"></a> [cloudfront\_edge\_dynamodb\_table](#module\_cloudfront\_edge\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_cloudfront_firewall_waf_v2"></a> [cloudfront\_firewall\_waf\_v2](#module\_cloudfront\_firewall\_waf\_v2) | ./modules/firewall_waf_v2 | n/a |
@@ -306,6 +308,9 @@
 | [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_route_table.virus_scanning_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table_association.virus_scanning_subnet1_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.virus_scanning_subnet2_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_rum_app_monitor.ndr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource |
 | [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -322,7 +327,11 @@
 | [aws_scheduler_schedule.data_collection_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule) | resource |
 | [aws_sns_topic.alarm_notifications_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.alarm_notifications_sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.proactive_notifications_sns_topic_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sqs_queue_policy.mns_sqs_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_ssm_parameter.virus_scan_notifications_sns_topic_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_subnet.virus_scanning_subnet1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.virus_scanning_subnet2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_wafv2_web_acl_association.web_acl_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
@@ -338,11 +347,13 @@
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_ssm_parameter.apim_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.backup_target_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.cloud_security_admin_email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cloud_security_notification_email_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.end_user_ods_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.mns_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.target_backup_vault_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.virus_scanning_subnet_cidr_range](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
@@ -357,6 +368,9 @@
 | <a name="input_certificate_domain"></a> [certificate\_domain](#input\_certificate\_domain) | n/a | `string` | n/a | yes |
 | <a name="input_certificate_subdomain_name_prefix"></a> [certificate\_subdomain\_name\_prefix](#input\_certificate\_subdomain\_name\_prefix) | Prefix to add to subdomains on certification configurations, dev envs use api-{env}, prod envs use api.{env} | `string` | `"api-"` | no |
 | <a name="input_cloud_only_service_instances"></a> [cloud\_only\_service\_instances](#input\_cloud\_only\_service\_instances) | n/a | `number` | `1` | no |
+| <a name="input_cloud_security_console_black_hole_address"></a> [cloud\_security\_console\_black\_hole\_address](#input\_cloud\_security\_console\_black\_hole\_address) | Using reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available | `string` | `"198.51.100.0/24"` | no |
+| <a name="input_cloud_security_console_public_address"></a> [cloud\_security\_console\_public\_address](#input\_cloud\_security\_console\_public\_address) | Using public address to make sure CloudStorageSecurity console is available | `string` | `"0.0.0.0/0"` | no |
+| <a name="input_cloud_security_email_param_environment"></a> [cloud\_security\_email\_param\_environment](#input\_cloud\_security\_email\_param\_environment) | This is the environment reference in cloud security email param store key | `string` | n/a | yes |
 | <a name="input_cloudfront_edge_table_name"></a> [cloudfront\_edge\_table\_name](#input\_cloudfront\_edge\_table\_name) | The name of the dynamodb table to store the presigned url reference of CloudFront requests | `string` | `"CloudFrontEdgeReference"` | no |
 | <a name="input_cloudwatch_alarm_evaluation_periods"></a> [cloudwatch\_alarm\_evaluation\_periods](#input\_cloudwatch\_alarm\_evaluation\_periods) | n/a | `any` | n/a | yes |
 | <a name="input_docstore_bucket_name"></a> [docstore\_bucket\_name](#input\_docstore\_bucket\_name) | The name of the S3 bucket to store ARF documents | `string` | `"ndr-document-store"` | no |

infrastructure/dev.tfvars

@@ -10,4 +10,6 @@ poll_frequency                      = "3600"
 standalone_vpc_tag    = "ndr-dev"
 standalone_vpc_ig_tag = "ndr-dev"
 
-apim_environment = "internal-dev."
+cloud_security_email_param_environment = "dev"
+
+apim_environment = "internal-dev."

infrastructure/main.tf

@@ -6,6 +6,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+    awscc = {
+      source  = "hashicorp/awscc"
+      version = "~> 1.0"
+    }
   }
   backend "s3" {
     dynamodb_table = "ndr-terraform-locks"
@@ -18,6 +22,10 @@ provider "aws" {
   region = "eu-west-2"
 }
 
+provider "awscc" {
+  region = "eu-west-2"
+}
+
 provider "aws" {
   alias  = "us_east_1"
   region = "us-east-1"

infrastructure/modules/vpc/README.md

@@ -62,6 +62,7 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_internet_gateway_id"></a> [internet\_gateway\_id](#output\_internet\_gateway\_id) | n/a |
 | <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | n/a |
 | <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | n/a |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | n/a |

infrastructure/modules/vpc/output.tf

@@ -2,6 +2,10 @@ output "vpc_id" {
   value = local.is_production ? aws_vpc.vpc[0].id : data.aws_vpc.vpc[0].id
 }
 
+output "internet_gateway_id" {
+  value = local.is_production ? aws_internet_gateway.ig[0].id : data.aws_internet_gateway.ig[0].id
+}
+
 output "public_subnets" {
   value = local.is_sandbox ? data.aws_subnet.public_subnets.*.id : aws_subnet.public_subnets.*.id
 }

infrastructure/preprod.tfvars

@@ -10,4 +10,6 @@ poll_frequency                      = "60"
 standalone_vpc_tag    = "ndr-pre-prod"
 standalone_vpc_ig_tag = "ndr-pre-prod"
 
-apim_environment = "int."
+cloud_security_email_param_environment = "pre-prod"
+
+apim_environment = "int."

infrastructure/prod.tfvars

@@ -10,4 +10,6 @@ poll_frequency                      = "60"
 standalone_vpc_tag    = "ndr-prod"
 standalone_vpc_ig_tag = "ndr-prod"
 
-apim_environment = ""
+cloud_security_email_param_environment = "prod"
+
+apim_environment = ""

infrastructure/test.tfvars

@@ -10,4 +10,6 @@ poll_frequency                      = "10"
 standalone_vpc_tag    = "ndr-test"
 standalone_vpc_ig_tag = "ndr-test"
 
-apim_environment = "internal-qa."
+cloud_security_email_param_environment = "ndr-test"
+
+apim_environment = "internal-qa."

infrastructure/variable.tf

@@ -198,4 +198,23 @@ locals {
 
 variable "nrl_api_endpoint_suffix" {
   default = "api.service.nhs.uk/record-locator/producer/FHIR/R4/DocumentReference"
+}
+
+# Virus scanner variables
+
+variable "cloud_security_email_param_environment" {
+  type        = string
+  description = "This is the environment reference in cloud security email param store key"
+}
+
+variable "cloud_security_console_black_hole_address" {
+  type        = string
+  default     = "198.51.100.0/24"
+  description = "Using reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available"
+}
+
+variable "cloud_security_console_public_address" {
+  type        = string
+  default     = "0.0.0.0/0"
+  description = "Using public address to make sure CloudStorageSecurity console is available"
 }

infrastructure/virusscanner.tf

@@ -0,0 +1,111 @@
+locals {
+  subnet_1_cidr_block = split(",", data.aws_ssm_parameter.virus_scanning_subnet_cidr_range.value)[0]
+  subnet_2_cidr_block = split(",", data.aws_ssm_parameter.virus_scanning_subnet_cidr_range.value)[1]
+}
+
+data "aws_ssm_parameter" "cloud_security_admin_email" {
+  name = "/prs/${var.cloud_security_email_param_environment}/user-input/cloud-security-admin-email"
+}
+
+data "aws_ssm_parameter" "virus_scanning_subnet_cidr_range" {
+  name = "/prs/virus-scanner/subnet-cidr-range"
+}
+
+resource "aws_subnet" "virus_scanning_a" {
+  count = local.is_production ? 1 : 0
+
+  availability_zone = "eu-west-2a"
+  vpc_id            = module.ndr-vpc-ui.vpc_id
+  cidr_block        = local.subnet_1_cidr_block
+
+  tags = {
+    Name        = "Virus scanning subnet for eu-west-2a"
+    Environment = var.environment
+    Owner       = var.owner
+  }
+}
+
+resource "aws_subnet" "virus_scanning_b" {
+  count = local.is_production ? 1 : 0
+
+  availability_zone = "eu-west-2b"
+  vpc_id            = module.ndr-vpc-ui.vpc_id
+  cidr_block        = local.subnet_2_cidr_block
+
+  tags = {
+    Name        = "Virus scanning subnet for eu-west-2b"
+    Environment = var.environment
+    Owner       = var.owner
+  }
+}
+
+resource "aws_route_table" "virus_scanning" {
+  count = local.is_production ? 1 : 0
+
+  vpc_id = module.ndr-vpc-ui.vpc_id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = module.ndr-vpc-ui.internet_gateway_id
+  }
+
+  tags = {
+    Name        = "Virus scanning route table"
+    Environment = var.environment
+    Owner       = var.owner
+  }
+}
+
+resource "aws_route_table_association" "virus_scanning_a" {
+  count = local.is_production ? 1 : 0
+
+  subnet_id      = aws_subnet.virus_scanning_a[0].id
+  route_table_id = aws_route_table.virus_scanning[0].id
+}
+
+resource "aws_route_table_association" "virus_scanning_b" {
+  count = local.is_production ? 1 : 0
+
+  subnet_id      = aws_subnet.virus_scanning_b[0].id
+  route_table_id = aws_route_table.virus_scanning[0].id
+}
+
+module "cloud_storage_security" {
+  count = local.is_production ? 1 : 0
+
+  source                       = "cloudstoragesec/cloud-storage-security/aws"
+  version                      = "1.7.1+css8.07.002"
+  cidr                         = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
+  email                        = data.aws_ssm_parameter.cloud_security_admin_email.value
+  subnet_a_id                  = aws_subnet.virus_scanning_a[0].id
+  subnet_b_id                  = aws_subnet.virus_scanning_b[0].id
+  vpc                          = module.ndr-vpc-ui.vpc_id
+  min_running_agents           = 0
+  allow_access_to_all_kms_keys = false
+  # num_messages_in_queue_scaling_threshold = 1 # Currently not exposed in the module, will need to be set in the SSM after the terraform has been run.
+  # only_scan_when_queue_threshold_exceeded = true # Currently not exposed in the module, will need to be set in the SSM after the terraform has been run.
+  custom_resource_tags = {
+    Name        = "Virus scanner for Repository"
+    Environment = var.environment
+    Owner       = var.owner
+  }
+}
+
+resource "aws_ssm_parameter" "virus_scanning_notifications_sns_topic_arn" {
+  count = local.is_production ? 1 : 0
+
+  name  = "/prs/${var.environment}/virus-scan-notifications-sns-topic-arn"
+  type  = "String"
+  value = module.cloud_storage_security[0].proactive_notifications_topic_arn
+}
+
+resource "aws_sns_topic_subscription" "proactive_virus_scanning_notifications" {
+  for_each  = local.is_production ? toset(nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))) : []
+  endpoint  = each.value
+  protocol  = "email"
+  topic_arn = module.cloud_storage_security[0].proactive_notifications_topic_arn
+  filter_policy = jsonencode({
+    "notificationType" : ["scanResult"],
+    "scanResult" : ["Infected", "Error", "Unscannable", "Suspicious"]
+  })
+}