[NDR-196] Manage AWS KMS resources into IaC for Lambdas (#388)

* Add KMS to Lambda

* KMS deletion time

* set kms_deletion_window for lambdas

* Remove script output

* Allow root access to KMS

* Add account id to lambda module

* Add caller identity data to the lambda module

* Remove requirement for account id as attricute of lambda

* Update resource naming

* resource id

* Change resource name

* Fix name change

Author: jameslinnell

infrastructure/dev.tfvars

@@ -10,3 +10,5 @@ standalone_vpc_ig_tag = "ndr-dev"
 cloud_security_email_param_environment = "dev"
 
 apim_environment = "internal-dev."
+
+kms_deletion_window = 7

infrastructure/kms_sns.tf

@@ -5,4 +5,5 @@ module "sns_encryption_key" {
   environment         = var.environment
   owner               = var.owner
   service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
+  kms_deletion_window = var.kms_deletion_window
 }

infrastructure/lambda-access-audit.tf

@@ -61,9 +61,10 @@ module "access-audit-lambda" {
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.access_audit_dynamodb_table.dynamodb_write_policy_document
   ]
-  rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id  = module.access-audit-gateway.gateway_resource_id
-  http_methods = ["POST"]
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id         = module.access-audit-gateway.gateway_resource_id
+  http_methods        = ["POST"]
 
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {

infrastructure/lambda-authoriser.tf

@@ -8,8 +8,9 @@ module "authoriser-lambda" {
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
   ]
-  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  api_execution_arn   = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
     APPCONFIG_APPLICATION          = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT          = module.ndr-app-config.app_config_environment_id

infrastructure/lambda-back-channel-logout.tf

@@ -19,10 +19,11 @@ module "back_channel_logout_lambda" {
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
   ]
-  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id       = module.back-channel-logout-gateway.gateway_resource_id
-  http_methods      = ["POST"]
-  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id         = module.back-channel-logout-gateway.gateway_resource_id
+  http_methods        = ["POST"]
+  api_execution_arn   = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
     APPCONFIG_APPLICATION          = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT          = module.ndr-app-config.app_config_environment_id

infrastructure/lambda-bulk-upload-metadata-preprocessor.tf

@@ -8,8 +8,9 @@ module "bulk_upload_metadata_preprocessor_lambda" {
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.ndr-app-config.app_config_policy
   ]
-  rest_api_id       = null
-  api_execution_arn = null
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = null
+  api_execution_arn   = null
 
   lambda_environment_variables = {
     APPCONFIG_APPLICATION     = module.ndr-app-config.app_config_application_id
@@ -24,4 +25,5 @@ module "bulk_upload_metadata_preprocessor_lambda" {
   lambda_timeout                 = 900
   memory_size                    = 1769
   reserved_concurrent_executions = local.bulk_upload_lambda_concurrent_limit
-}
+}
+

infrastructure/lambda-bulk-upload-metadata.tf

@@ -12,8 +12,9 @@ module "bulk-upload-metadata-lambda" {
     module.ndr-app-config.app_config_policy
   ]
 
-  rest_api_id       = null
-  api_execution_arn = null
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = null
+  api_execution_arn   = null
 
   lambda_environment_variables = {
     APPCONFIG_APPLICATION     = module.ndr-app-config.app_config_application_id

infrastructure/lambda-bulk-upload-report.tf

@@ -12,8 +12,9 @@ module "bulk-upload-report-lambda" {
     aws_iam_policy.dynamodb_policy_scan_bulk_report.policy,
     module.ndr-app-config.app_config_policy
   ]
-  rest_api_id       = null
-  api_execution_arn = null
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = null
+  api_execution_arn   = null
 
   lambda_environment_variables = {
     APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id

infrastructure/lambda-bulk-upload.tf

@@ -20,8 +20,9 @@ module "bulk-upload-lambda" {
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-app-config.app_config_policy
   ]
-  rest_api_id       = null
-  api_execution_arn = null
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = null
+  api_execution_arn   = null
 
   lambda_environment_variables = {
     APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id

infrastructure/lambda-create-doc-ref.tf

@@ -71,10 +71,11 @@ module "create-doc-ref-lambda" {
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-app-config.app_config_policy,
   ]
-  rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id  = module.create_document_reference_gateway.gateway_resource_id
-  http_methods = ["POST"]
-  memory_size  = 512
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id         = module.create_document_reference_gateway.gateway_resource_id
+  http_methods        = ["POST"]
+  memory_size         = 512
 
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {