Merge branch 'main' into PRM-539

Author: oliverbeumkes-nhs

infrastructure/kms_pdm.tf

@@ -0,0 +1,9 @@
+module "pdm_encryption_key" {
+  source              = "./modules/kms"
+  kms_key_name        = "alias/pdm-encryption-key-kms-${terraform.workspace}"
+  kms_key_description = "Custom KMS Key to enable server side encryption for PDM resources"
+  environment         = var.environment
+  owner               = var.owner
+  service_identifiers = ["ssm.amazonaws.com"]
+  kms_deletion_window = var.kms_deletion_window
+}

infrastructure/lambda-document-upload-check.tf

@@ -6,19 +6,24 @@ module "document_upload_check_lambda" {
     module.ndr-bulk-staging-store.s3_read_policy_document,
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.pdm-document-store.s3_write_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.pdm_dynamodb_table.dynamodb_read_policy_document,
+    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = null
   http_methods        = null
   api_execution_arn   = null
   lambda_environment_variables = {
-    LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
-    STAGING_STORE_BUCKET_NAME  = "${terraform.workspace}-${var.staging_store_bucket_name}"
-    LLOYD_GEORGE_BUCKET_NAME   = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
+    PDM_DYNAMODB_NAME          = module.pdm_dynamodb_table.table_name
+    STAGING_STORE_BUCKET_NAME  = module.ndr-bulk-staging-store.bucket_id
+    LLOYD_GEORGE_BUCKET_NAME   = module.ndr-lloyd-george-store.bucket_id
+    PDM_BUCKET_NAME            = module.pdm-document-store.bucket_id
     WORKSPACE                  = terraform.workspace
     VIRUS_SCAN_STUB            = !local.is_production
 
@@ -48,7 +53,8 @@ data "aws_security_groups" "virus_scanner_api" {
 }
 
 resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
-  bucket = module.ndr-bulk-staging-store.bucket_id
+  bucket      = module.ndr-bulk-staging-store.bucket_id
+  eventbridge = true
   lambda_function {
     lambda_function_arn = module.document_upload_check_lambda.lambda_arn
     events              = ["s3:ObjectCreated:*"]

infrastructure/lambda-get-document-fhir.tf

@@ -40,8 +40,10 @@ module "get-doc-fhir-lambda" {
   iam_role_policy_documents = [
     module.ndr-app-config.app_config_policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.pdm_dynamodb_table.dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.pdm-document-store.s3_read_policy_document,
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id

infrastructure/lambda-post-document-fhir.tf

@@ -5,6 +5,7 @@ module "post-document-references-fhir-lambda" {
   iam_role_policy_documents = [
     module.document_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.ndr-app-config.app_config_policy,
     aws_iam_policy.ssm_access_policy.policy

infrastructure/lambda-search-document-references-fhir.tf

@@ -7,6 +7,8 @@ module "search-document-references-fhir-lambda" {
     module.document_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.pdm_dynamodb_table.dynamodb_read_policy_document,
+    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-lloyd-george-store.s3_read_policy_document,
     module.ndr-document-store.s3_read_policy_document,
     module.ndr-app-config.app_config_policy

infrastructure/modules/ssm_parameter/main.tf

@@ -1,11 +1,34 @@
 resource "aws_ssm_parameter" "secret" {
+  count       = var.ignore_value_changes ? 0 : 1
   name        = "/ndr/${terraform.workspace}/${var.name}"
   type        = var.type
   description = var.description
   value       = var.value
+  key_id      = var.key_id
   depends_on  = [var.resource_depends_on]
   tags = {
     Name = "${terraform.workspace}-ssm"
   }
+
+}
+
+
+resource "aws_ssm_parameter" "secret_ignore_value_changes" {
+  count       = var.ignore_value_changes ? 1 : 0
+  name        = "/ndr/${terraform.workspace}/${var.name}"
+  type        = var.type
+  description = var.description
+  value       = var.value
+  key_id      = var.key_id
+  depends_on  = [var.resource_depends_on]
+  tags = {
+    Name = "${terraform.workspace}-ssm"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      value,
+    ]
+  }
 }
 

infrastructure/modules/ssm_parameter/variable.tf

@@ -37,3 +37,15 @@ variable "owner" {
   description = "Owner tag used to identify the team or individual responsible for the resource."
   type        = string
 }
+
+variable "key_id" {
+  type        = string
+  default     = null
+  description = "KMS Key ID or ARN to encrypt the SecureString parameter"
+}
+
+variable "ignore_value_changes" {
+  type        = bool
+  default     = false
+  description = "Whether to ignore changes to the value field"
+}

infrastructure/policies.tf

@@ -30,7 +30,7 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
           "kms:Decrypt",
         ],
         Resource = [
-          "arn:aws:lambda:eu-west-2:${data.aws_caller_identity.current.account_id}:function:*",
+          "arn:aws:kms:eu-west-2:${data.aws_caller_identity.current.account_id}:key/*",
         ]
       }
     ]

infrastructure/ssm_parameters_externally_signed_mtls.tf

@@ -0,0 +1,26 @@
+# Creating Params to hold a copy of externally signed client cert and key
+module "ssm_param_external_client_cert" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_cert"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.pdm_encryption_key.id
+  ignore_value_changes = true
+}
+
+module "ssm_param_external_client_key" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_key"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.pdm_encryption_key.id
+  ignore_value_changes = true
+}

scripts/confs/dev.conf

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.dev.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth