
Commit 69a65bd

[PRMP-683] feat: Add SSH key management infrastructure (#526)
1 parent 6ddedd6 commit 69a65bd


7 files changed

+161
-0
lines changed


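--- a/infrastructure/dev.tfvars
+++ b/infrastructure/dev.tfvars
@@ -12,3 +12,5 @@ cloud_security_email_param_environment = "dev"
 apim_environment = "internal-dev."
 
 kms_deletion_window = 7
+
+ssh_key_management_dry_run = true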
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
module "transfer-key-manager-lambda" {
2+
source = "./modules/lambda"
3+
name = "TransferKeyManagerLambda"
4+
handler = "handlers.transfer_key_manager_handler.lambda_handler"
5+
lambda_timeout = 300
6+
7+
iam_role_policy_documents = [
8+
data.aws_iam_policy_document.transfer_key_manager_policy.json,
9+
module.ndr-app-config.app_config_policy
10+
]
11+
12+
kms_deletion_window = var.kms_deletion_window
13+
rest_api_id = null
14+
api_execution_arn = null
15+
16+
lambda_environment_variables = {
17+
APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
18+
APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
19+
APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
20+
WORKSPACE = terraform.workspace
21+
PRM_MAILBOX_EMAIL = data.aws_ssm_parameter.prm_mailbox_email.value
22+
DRY_RUN = tostring(var.ssh_key_management_dry_run)
23+
}
24+
25+
is_gateway_integration_needed = false
26+
is_invoked_from_gateway = false
27+
}
28+
29+
data "aws_ssm_parameter" "prm_mailbox_email" {
30+
name = "/prs/${var.environment}/user-input/prm-mailbox-email"
31+
}
32+
33+
data "aws_iam_policy_document" "transfer_key_manager_policy" {
34+
statement {
35+
sid = "TransferFamilyAccess"
36+
effect = "Allow"
37+
actions = [
38+
"transfer:ListServers",
39+
"transfer:ListUsers",
40+
"transfer:DescribeUser",
41+
"transfer:DeleteSshPublicKey"
42+
]
43+
resources = ["*"]
44+
}
45+
46+
statement {
47+
sid = "SESAccess"
48+
effect = "Allow"
49+
actions = [
50+
"ses:SendEmail",
51+
"ses:SendRawEmail"
52+
]
53+
resources = ["*"]
54+
condition {
55+
test = "StringEquals"
56+
variable = "ses:FromAddress"
57+
values = [data.aws_ssm_parameter.prm_mailbox_email.value]
58+
}
59+
}
60+
61+
statement {
62+
sid = "CloudWatchMetrics"
63+
effect = "Allow"
64+
actions = [
65+
"cloudwatch:PutMetricData"
66+
]
67+
resources = ["*"]
68+
condition {
69+
test = "StringEquals"
70+
variable = "cloudwatch:namespace"
71+
values = ["SSHKeyManagement"]
72+
}
73+
}
74+
}
75+
76+
module "transfer-key-manager-alarm" {
77+
source = "./modules/lambda_alarms"
78+
lambda_function_name = module.transfer-key-manager-lambda.function_name
79+
lambda_timeout = module.transfer-key-manager-lambda.timeout
80+
lambda_name = "transfer_key_manager_handler"
81+
namespace = "AWS/Lambda"
82+
alarm_actions = [module.transfer-key-manager-alarm-topic.arn]
83+
ok_actions = [module.transfer-key-manager-alarm-topic.arn]
84+
depends_on = [module.transfer-key-manager-lambda, module.transfer-key-manager-alarm-topic]
85+
}
86+
87+
module "transfer-key-manager-alarm-topic" {
88+
source = "./modules/sns"
89+
sns_encryption_key_id = module.sns_encryption_key.id
90+
topic_name = "transfer-key-manager-topic"
91+
topic_protocol = "lambda"
92+
topic_endpoint = module.transfer-key-manager-lambda.lambda_arn
93+
delivery_policy = jsonencode({
94+
"Version" : "2012-10-17",
95+
"Statement" : [
96+
{
97+
"Effect" : "Allow",
98+
"Principal" : {
99+
"Service" : "cloudwatch.amazonaws.com"
100+
},
101+
"Action" : [
102+
"SNS:Publish",
103+
],
104+
"Condition" : {
105+
"ArnLike" : {
106+
"aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
107+
}
108+
}
109+
"Resource" : "*"
110+
}
111+
]
112+
})
113+
114+
depends_on = [module.transfer-key-manager-lambda, module.sns_encryption_key]
115+
}
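Review bot: The `TransferFamilyAccess` statement grants `transfer:DeleteSshPublicKey` (together with `transfer:ListUsers` and `transfer:DescribeUser`) on `resources = ["*"]`, so the role can remove keys from any Transfer Family user in the account rather than only the server this manager is meant to tidy. Only `transfer:ListServers` needs `*`; the user-level actions accept server and user ARNs and can move into a second, scoped statement as sketched below, with `<server-id>` filled from the server this repository manages (or a reference to it, if it is a Terraform resource). Separately, `transfer-key-manager-alarm-topic` subscribes the key-manager lambda itself as its `lambda` endpoint, so an alarm firing on this lambda invokes the handler with an SNS event instead of the schedule event; unless the handler rejects events it did not expect, that is a second, unintended path into the deletion logic, and `delivery_policy` appears to carry an access policy, which I assume the sns module maps onto the topic policy. The file name for this section is not shown on the page.

```hcl
statement {
  sid       = "TransferFamilyList"
  effect    = "Allow"
  actions   = ["transfer:ListServers"]
  resources = ["*"]
}

statement {
  sid    = "TransferFamilyUserAccess"
  effect = "Allow"
  actions = [
    "transfer:ListUsers",
    "transfer:DescribeUser",
    "transfer:DeleteSshPublicKey"
  ]
  # <server-id>: the Transfer Family server this manager operates on
  resources = [
    "arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:server/<server-id>",
    "arn:aws:transfer:eu-west-2:${data.aws_caller_identity.current.account_id}:user/<server-id>/*"
  ]
}
# … unchanged: SESAccess and CloudWatchMetrics statements …
```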

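--- a/infrastructure/preprod.tfvars
+++ b/infrastructure/preprod.tfvars
@@ -11,4 +11,6 @@ cloud_security_email_param_environment = "pre-prod"
 
 apim_environment = "int."
 
+ssh_key_management_dry_run = true
+
 deletion_protection_enabled = true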

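--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
@@ -11,4 +11,6 @@ cloud_security_email_param_environment = "prod"
 
 apim_environment = ""
 
+ssh_key_management_dry_run = true
+
 deletion_protection_enabled = true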

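--- a/infrastructure/schedules.tf
+++ b/infrastructure/schedules.tf
@@ -167,3 +167,34 @@ resource "aws_lambda_permission" "toggle_bulk_upload_disable_permission" {
 principal = "events.amazonaws.com"
 source_arn = aws_cloudwatch_event_rule.bulk_upload_disable_rule.arn
 }
+
+# Transfer Key Manager Schedule - Daily SSH Key Expiry Check
+resource "aws_cloudwatch_event_rule" "transfer_key_manager_schedule" {
+name = "${terraform.workspace}_transfer_key_manager_schedule"
+description = "Daily schedule for SSH key expiry management in AWS Transfer Family"
+schedule_expression = "cron(0 2 * * ? *)" # 2 AM UTC daily
+}
+
+resource "aws_cloudwatch_event_target" "transfer_key_manager_schedule_event" {
+rule = aws_cloudwatch_event_rule.transfer_key_manager_schedule.name
+target_id = "transfer_key_manager_schedule"
+arn = module.transfer-key-manager-lambda.lambda_arn
+
+depends_on = [
+module.transfer-key-manager-lambda,
+aws_cloudwatch_event_rule.transfer_key_manager_schedule
+]
+}
+
+resource "aws_lambda_permission" "transfer_key_manager_schedule_permission" {
+statement_id = "AllowExecutionFromCloudWatch"
+action = "lambda:InvokeFunction"
+function_name = module.transfer-key-manager-lambda.function_name
+principal = "events.amazonaws.com"
+source_arn = aws_cloudwatch_event_rule.transfer_key_manager_schedule.arn
+
+depends_on = [
+module.transfer-key-manager-lambda,
+aws_cloudwatch_event_rule.transfer_key_manager_schedule
+]
+}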
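Review bot: The `depends_on` blocks in `transfer_key_manager_schedule_event` and `transfer_key_manager_schedule_permission` duplicate dependencies Terraform already infers from the `rule`, `arn`, `function_name` and `source_arn` references to the same objects, so they add noise without changing the apply order. Dropping both blocks leaves the graph unchanged; the same applies to the `depends_on` lines on the alarm and alarm-topic modules in the lambda file section, which likewise reference the modules they depend on. If they were added to work around a hidden dependency, a one-line comment naming it, e.g. `# depends_on kept: <reason>`, would save the next reader the same question.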

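--- a/infrastructure/test.tfvars
+++ b/infrastructure/test.tfvars
@@ -10,3 +10,5 @@ standalone_vpc_ig_tag = "ndr-test"
 cloud_security_email_param_environment = "ndr-test"
 
 apim_environment = "internal-qa."
+
+ssh_key_management_dry_run = true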

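--- a/infrastructure/variable.tf
+++ b/infrastructure/variable.tf
@@ -314,3 +314,10 @@ variable "kms_deletion_window" {
 type = number
 default = 30
 }
+
+# SSH Key Management Variables
+variable "ssh_key_management_dry_run" {
+description = "Enable dry-run mode for SSH key management (no keys will be deleted)"
+type = bool
+default = false
+}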
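Review bot: `default = false` on the new `ssh_key_management_dry_run` variable fails unsafe: a workspace whose tfvars omits (or misspells) the entry runs the key manager in delete mode, even though every tfvars in this commit explicitly sets it to true. Flipping it to `default = true` keeps key deletion off until an environment opts in, which matches how the four tfvars files are using it. The description should also state which way the default goes, e.g. `description = "Enable dry-run mode for SSH key management (no keys will be deleted). Defaults to true; set false to allow deletion."`.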
