[PRM-52] Edge lambda and S3 Presigned URL (#281)

* [PRM-52] Add permission to access edge table and list bucket
* [PRM-52] rename ssm iam policy
* [PRM-52] remove duplicated policies
* [PRM-52] change condition in firewall resources

Author: NogaNHS

infrastructure/README.md

@@ -240,9 +240,7 @@
 | [aws_iam_policy.s3_document_data_policy_put_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ses_send_email_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ssm_access_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |

infrastructure/firewall.tf

@@ -1,22 +1,14 @@
 module "firewall_waf_v2" {
-  source = "./modules/firewall_waf_v2"
-
+  source      = "./modules/firewall_waf_v2"
   environment = var.environment
   owner       = var.owner
-  count = (terraform.workspace == "ndra" ||
-    terraform.workspace == "ndrb" ||
-    terraform.workspace == "ndrc" ||
-  terraform.workspace == "ndrd") ? 0 : 1
+  count       = local.is_sandbox ? 0 : 1
 }
 
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
-
-  count = (terraform.workspace == "ndra" ||
-    terraform.workspace == "ndrb" ||
-    terraform.workspace == "ndrc" ||
-  terraform.workspace == "ndrd") ? 0 : 1
+  count        = local.is_sandbox ? 0 : 1
   depends_on = [
     module.ndr-ecs-fargate-app,
     module.firewall_waf_v2[0]

infrastructure/iam.tf

@@ -46,6 +46,7 @@ resource "aws_iam_policy" "s3_document_data_policy_for_stitch_lambda" {
         "Effect" : "Allow",
         "Action" : [
           "s3:GetObject",
+          "S3:ListBucket",
         ],
         "Resource" : ["${module.ndr-lloyd-george-store.bucket_arn}/combined_files/*"]
       }
@@ -188,4 +189,3 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {
   role       = aws_iam_role.ods_report_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn
 }
-

infrastructure/lambda-authoriser.tf

@@ -3,7 +3,7 @@ module "authoriser-lambda" {
   name    = "AuthoriserLambda"
   handler = "handlers.authoriser_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_authoriser.policy,
+    aws_iam_policy.ssm_access_policy_authoriser.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -23,7 +23,7 @@ module "authoriser-lambda" {
   is_invoked_from_gateway       = true
 
   depends_on = [
-    aws_iam_policy.ssm_policy_authoriser,
+    aws_iam_policy.ssm_access_policy_authoriser,
     module.auth_session_dynamodb_table,
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-app-config
@@ -82,7 +82,7 @@ resource "aws_api_gateway_authorizer" "repo_authoriser" {
   authorizer_result_ttl_in_seconds = 0
 }
 
-resource "aws_iam_policy" "ssm_policy_authoriser" {
+resource "aws_iam_policy" "ssm_access_policy_authoriser" {
   name = "${terraform.workspace}_ssm_public_token_policy"
   policy = jsonencode({
     Version = "2012-10-17",

infrastructure/lambda-back-channel-logout.tf

@@ -24,7 +24,7 @@ module "back_channel_logout_lambda" {
   name    = "BackChannelLogoutHandler"
   handler = "handlers.back_channel_logout_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -45,7 +45,7 @@ module "back_channel_logout_lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.back-channel-logout-gateway,
     module.ndr-app-config

infrastructure/lambda-edge-presign.tf

@@ -73,8 +73,7 @@ module "edge-presign-lambda" {
   handler        = "handlers.edge_presign_handler.lambda_handler"
   iam_role_policies = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    aws_iam_policy.ssm_policy_oidc.arn,
-    module.auth_state_dynamodb_table.dynamodb_policy,
+    aws_iam_policy.ssm_access_policy.arn,
     module.ndr-app-config.app_config_policy_arn
   ]
   providers = {

infrastructure/lambda-lloyd-george-record-stitch.tf

@@ -73,7 +73,8 @@ module "lloyd-george-stitch-lambda" {
     module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
     module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.lloyd-george-stitch-gateway.gateway_resource_id
@@ -91,6 +92,7 @@ module "lloyd-george-stitch-lambda" {
     SPLUNK_SQS_QUEUE_URL          = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
+    EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/lambda-login-redirect.tf

@@ -20,7 +20,7 @@ module "login_redirect_lambda" {
   name    = "LoginRedirectHandler"
   handler = "handlers.login_redirect_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_state_dynamodb_table.dynamodb_read_policy_document,
     module.auth_state_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -40,7 +40,7 @@ module "login_redirect_lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     aws_api_gateway_resource.login_resource,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_state_dynamodb_table,
     module.ndr-app-config
   ]
@@ -89,22 +89,3 @@ module "login_redirect-alarm_topic" {
   depends_on = [module.login_redirect_lambda, module.sns_encryption_key]
 }
 
-resource "aws_iam_policy" "ssm_policy_oidc" {
-  name = "${terraform.workspace}_ssm_oidc_policy"
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "ssm:GetParameters",
-          "ssm:GetParameter",
-          "ssm:GetParametersByPath"
-        ],
-        Resource = [
-          "arn:aws:ssm:*:*:parameter/*",
-        ]
-      }
-    ]
-  })
-}

infrastructure/lambda-logout.tf

@@ -23,7 +23,7 @@ module "logout_lambda" {
   name    = "LogoutHandler"
   handler = "handlers.logout_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -42,7 +42,7 @@ module "logout_lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.logout-gateway,
     module.ndr-app-config

infrastructure/lambda-token.tf

@@ -24,7 +24,7 @@ module "create-token-lambda" {
   name    = "TokenRequestHandler"
   handler = "handlers.token_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_token.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.auth_state_dynamodb_table.dynamodb_read_policy_document,
@@ -50,7 +50,7 @@ module "create-token-lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_token,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.auth_state_dynamodb_table,
     module.create-token-gateway,
@@ -103,25 +103,6 @@ module "create_token-alarm_topic" {
   depends_on = [module.create-token-lambda, module.sns_encryption_key]
 }
 
-resource "aws_iam_policy" "ssm_policy_token" {
-  name = "${terraform.workspace}_ssm_token_private_policy"
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "ssm:GetParameter",
-          "ssm:GetParameters",
-          "ssm:GetParametersByPath"
-        ],
-        Resource = [
-          "arn:aws:ssm:*:*:parameter/*",
-        ]
-      }
-    ]
-  })
-}
 
 resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
   count      = local.is_sandbox ? 0 : 1