
Commit ec30363

committed
[PRMP-1601] new audit lambda
1 parent ff51808 commit ec30363


2 files changed

+104
-1
lines changed

2 files changed

+104
-1
lines changed

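--- a/infrastructure/README.md
+++ b/infrastructure/README.md
@@ -8,12 +8,16 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.72.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.84.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_access-audit-alarm"></a> [access-audit-alarm](#module\_access-audit-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_access-audit-alarm-topic"></a> [access-audit-alarm-topic](#module\_access-audit-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_access-audit-gateway"></a> [access-audit-gateway](#module\_access-audit-gateway) | ./modules/gateway | n/a |
+| <a name="module_access-audit-lambda"></a> [access-audit-lambda](#module\_access-audit-lambda) | ./modules/lambda | n/a |
 | <a name="module_api_endpoint_url_ssm_parameter"></a> [api\_endpoint\_url\_ssm\_parameter](#module\_api\_endpoint\_url\_ssm\_parameter) | ./modules/ssm_parameter | n/a |
 | <a name="module_auth_session_dynamodb_table"></a> [auth\_session\_dynamodb\_table](#module\_auth\_session\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_auth_state_dynamodb_table"></a> [auth\_state\_dynamodb\_table](#module\_auth\_state\_dynamodb\_table) | ./modules/dynamo_db | n/a |
@@ -147,6 +151,7 @@
 | <a name="module_statistical-reports-store"></a> [statistical-reports-store](#module\_statistical-reports-store) | ./modules/s3/ | n/a |
 | <a name="module_statistics_dynamodb_table"></a> [statistics\_dynamodb\_table](#module\_statistics\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_stitch_metadata_reference_dynamodb_table"></a> [stitch\_metadata\_reference\_dynamodb\_table](#module\_stitch\_metadata\_reference\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_stitching-dlq-alarm-topic"></a> [stitching-dlq-alarm-topic](#module\_stitching-dlq-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_unstitched_lloyd_george_reference_dynamodb_table"></a> [unstitched\_lloyd\_george\_reference\_dynamodb\_table](#module\_unstitched\_lloyd\_george\_reference\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_update-upload-state-gateway"></a> [update-upload-state-gateway](#module\_update-upload-state-gateway) | ./modules/gateway | n/a |
 | <a name="module_update-upload-state-lambda"></a> [update-upload-state-lambda](#module\_update-upload-state-lambda) | ./modules/lambda | n/a |
@@ -220,10 +225,14 @@
 | [aws_cloudwatch_metric_alarm.msn_dlq_new_message](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.nrl_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.sns_topic_error_log_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_metric_alarm.stitching_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cognito_identity_pool.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool) | resource |
+| [aws_cognito_identity_pool_roles_attachment.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | resource |
 | [aws_ecs_cluster.mesh-forwarder-ecs-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
 | [aws_ecs_service.mesh_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
 | [aws_ecs_task_definition.forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.cloudwatch_rum_cognito_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_policy_scan_bulk_report](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.dynamodb_stream_delete_object_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -241,6 +250,7 @@
 | [aws_iam_policy.ssm_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_policy_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -263,6 +273,7 @@
 | [aws_iam_role_policy.sns_failure_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.splunk_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.create_post_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cross_account_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cross_account_copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -306,6 +317,7 @@
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_rum_app_monitor.ndr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource |
 | [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.doc-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |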
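--- /dev/null
+++ b/(path not shown)
@@ -0,0 +1,91 @@
+module "access-audit-gateway" {
+# Gateway Variables
+source = "./modules/gateway"
+api_gateway_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+parent_id = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+http_methods = ["POST"]
+authorization = "CUSTOM"
+gateway_path = "AccessAudit"
+authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id
+require_credentials = true
+origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+
+# Lambda Variables
+api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+owner = var.owner
+environment = var.environment
+
+depends_on = [
+aws_api_gateway_rest_api.ndr_doc_store_api,
+]
+}
+
+module "access-audit-alarm" {
+source = "./modules/lambda_alarms"
+lambda_function_name = module.access-audit-lambda.function_name
+lambda_timeout = module.access-audit-lambda.timeout
+lambda_name = "access_audit_handler"
+namespace = "AWS/Lambda"
+alarm_actions = [module.access-audit-alarm-topic.arn]
+ok_actions = [module.access-audit-alarm-topic.arn]
+depends_on = [module.access-audit-lambda, module.access-audit-alarm-topic]
+}
+
+
+module "access-audit-alarm-topic" {
+source = "./modules/sns"
+sns_encryption_key_id = module.sns_encryption_key.id
+current_account_id = data.aws_caller_identity.current.account_id
+topic_name = "access-audit-alarms-topic"
+topic_protocol = "lambda"
+topic_endpoint = module.access-audit-lambda.lambda_arn
+depends_on = [module.sns_encryption_key]
+delivery_policy = jsonencode({
+"Version" : "2012-10-17",
+"Statement" : [
+{
+"Effect" : "Allow",
+"Principal" : {
+"Service" : "cloudwatch.amazonaws.com"
+},
+"Action" : [
+"SNS:Publish",
+],
+"Condition" : {
+"ArnLike" : {
+"aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+}
+}
+"Resource" : "*"
+}
+]
+})
+}
+
+module "access-audit-lambda" {
+source = "./modules/lambda"
+name = "AccessAuditLambda"
+handler = "handlers.access_audit_handler.lambda_handler"
+iam_role_policy_documents = [
+module.ndr-app-config.app_config_policy,
+module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+]
+rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+resource_id = module.access-audit-gateway.gateway_resource_id
+http_methods = ["POST"]
+memory_size = 512
+
+api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+lambda_environment_variables = {
+APPCONFIG_APPLICATION = module.ndr-app-config.app_config_application_id
+APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id
+APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+WORKSPACE = terraform.workspace
+AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+ACCESS_AUDIT_TABLE_NAME = "placeholder"
+}
+depends_on = [
+aws_api_gateway_rest_api.ndr_doc_store_api,
+]
+}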
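Review bot: `ACCESS_AUDIT_TABLE_NAME = "placeholder"` in the `access-audit-lambda` environment ships a handler pointed at a table that does not exist, and `iam_role_policy_documents` grants no access to any audit table, so the first deploy of this commit will have audit writes fail at runtime (or, if the handler swallows the error, silently drop audit records); wire the variable to the real table's name output, add that table's write policy document to `iam_role_policy_documents`, and until then mark the stub with `# TODO: replace with the access-audit DynamoDB table name and grant write access once the table exists`. The same lambda is also subscribed as the endpoint of `access-audit-alarm-topic` (`topic_protocol = "lambda"`, `topic_endpoint = module.access-audit-lambda.lambda_arn`) while that topic is the `alarm_actions`/`ok_actions` target for the lambda's own alarms, so an error or timeout alarm would re-invoke the audit handler with an SNS payload rather than an API Gateway POST; if this copies an existing pattern in the repo, confirm the handler tolerates it, otherwise point the subscription at a notification endpoint. The `delivery_policy` body has the shape of an SNS topic access policy (`Principal`/`Statement` allowing `cloudwatch.amazonaws.com` to publish), not an SNS delivery policy, and the `aws:SourceArn` condition hard-codes `eu-west-2`; presumably `./modules/sns` maps this variable onto the topic policy, but that is not visible here and is worth checking. Granting the audit handler `dynamodb_write_policy_document` on the auth session table also looks broader than an audit endpoint needs; if it only reads the session, drop the write document.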
