diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
index 9a56ae301..e0bb8c522 100644
--- a/infrastructure/cloudfront.tf
+++ b/infrastructure/cloudfront.tf
@@ -37,8 +37,8 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
 cached_methods = ["HEAD", "GET", "OPTIONS"]
 target_origin_id = module.ndr-lloyd-george-store.bucket_id
 viewer_protocol_policy = "redirect-to-https"
- cache_policy_id = aws_cloudfront_cache_policy.nocache.id
- origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+ cache_policy_id = local.cache_policy_id
+ origin_request_policy_id = local.viewer_policy_id
 
 lambda_function_association {
 event_type = "origin-request"
@@ -58,8 +58,8 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
 path_pattern = "/review/*"
 target_origin_id = module.ndr-document-pending-review-store.bucket_id
 viewer_protocol_policy = "redirect-to-https"
- cache_policy_id = aws_cloudfront_cache_policy.nocache.id
- origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+ cache_policy_id = local.cache_policy_id
+ origin_request_policy_id = local.viewer_policy_id
 
 lambda_function_association {
 event_type = "origin-request"
@@ -79,8 +79,8 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
 path_pattern = "/upload/*"
 target_origin_id = module.ndr-bulk-staging-store.bucket_id
 viewer_protocol_policy = "redirect-to-https"
- cache_policy_id = aws_cloudfront_cache_policy.nocache.id
- origin_request_policy_id = aws_cloudfront_origin_request_policy.uploader.id
+ cache_policy_id = local.cache_policy_id
+ origin_request_policy_id = local.uploader_policy_id
 
 lambda_function_association {
 event_type = "origin-request"
@@ -103,7 +103,8 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
 }
 
 resource "aws_cloudfront_origin_request_policy" "viewer" {
- name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
+ count = local.is_sandbox ? 0 : 1
+ name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
 
 query_strings_config {
 query_string_behavior = "whitelist"
@@ -136,7 +137,8 @@ resource "aws_cloudfront_origin_request_policy" "viewer" {
 }
 
 resource "aws_cloudfront_origin_request_policy" "uploader" {
- name = "${terraform.workspace}_BlockQueriesAndAllowUploader"
+ count = local.is_sandbox ? 0 : 1
+ name = "${terraform.workspace}_BlockQueriesAndAllowUploader"
 
 query_strings_config {
 query_string_behavior = "whitelist"
@@ -172,6 +174,7 @@ resource "aws_cloudfront_origin_request_policy" "uploader" {
 }
 
 resource "aws_cloudfront_cache_policy" "nocache" {
+ count = local.is_sandbox ? 0 : 1
 name = "${terraform.workspace}_nocache_policy"
 default_ttl = 0
 max_ttl = 0
@@ -189,3 +192,33 @@ resource "aws_cloudfront_cache_policy" "nocache" {
 }
 }
 }
+
+data "aws_cloudfront_origin_request_policy" "dev_environment_viewer" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_BlockQueriesAndAllowViewer"
+}
+
+data "aws_cloudfront_origin_request_policy" "dev_environment_uploader" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_BlockQueriesAndAllowUploader"
+}
+
+data "aws_cloudfront_cache_policy" "dev_environment_nocache" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_nocache_policy"
+}
+
+locals {
+ viewer_policy_id = local.is_sandbox ? (
+ data.aws_cloudfront_origin_request_policy.dev_environment_viewer[0].id
+ ) : aws_cloudfront_origin_request_policy.viewer[0].id
+
+ uploader_policy_id = local.is_sandbox ? (
+ data.aws_cloudfront_origin_request_policy.dev_environment_uploader[0].id
+ ) : aws_cloudfront_origin_request_policy.uploader[0].id
+
+ cache_policy_id = local.is_sandbox ? (
+ data.aws_cloudfront_cache_policy.dev_environment_nocache[0].id
+ ) : aws_cloudfront_cache_policy.nocache[0].id
+}
+
diff --git a/infrastructure/ecs.tf b/infrastructure/ecs.tf
index 192a48019..a62535dbf 100644
--- a/infrastructure/ecs.tf
+++ b/infrastructure/ecs.tf
@@ -123,7 +123,7 @@ resource "aws_iam_role_policy_attachment" "data_collection_lloyd_george_referenc
 resource "aws_iam_role_policy_attachment" "data_collection_ssm_access_policy" {
 count = local.is_sandbox ? 0 : 1
 role = aws_iam_role.data_collection_task_role[0].name
- policy_arn = aws_iam_policy.ssm_access_policy.arn
+ policy_arn = local.ssm_access_policy.arn
 }
 
 resource "aws_iam_role_policy_attachment" "data_collection_statistics_dynamodb_table" {
diff --git a/infrastructure/lambda-back-channel-logout.tf b/infrastructure/lambda-back-channel-logout.tf
index da0c936ac..c39f8572e 100644
--- a/infrastructure/lambda-back-channel-logout.tf
+++ b/infrastructure/lambda-back-channel-logout.tf
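Review bot: The new `locals` block in cloudfront.tf carries no comment saying why a sandbox workspace looks up the shared workspace's cache and origin-request policies by name instead of creating its own, and nothing records that `var.shared_infra_workspace` must already be applied or the three `count`-gated data sources fail the plan. Because the lookup is by name, any later edit to the shared workspace's origin-request policies (which decide what headers and query strings reach the S3 origins) silently changes every sandbox distribution, so that coupling deserves to be written down next to the locals. Suggest a header comment on the block: `# Sandbox workspaces reuse the CloudFront policies owned by var.shared_infra_workspace (data lookups above); that workspace must be applied first, and changes to its policies apply to every sandbox.`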
@@ -14,7 +14,7 @@ module "back_channel_logout_lambda" {
 name = "BackChannelLogoutHandler"
 handler = "handlers.back_channel_logout_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.auth_session_dynamodb_table.dynamodb_read_policy_document,
 module.auth_session_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-app-config.app_config_policy
@@ -36,7 +36,6 @@ module "back_channel_logout_lambda" {
 }
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
- aws_iam_policy.ssm_access_policy,
 module.auth_session_dynamodb_table,
 module.back-channel-logout-gateway,
 module.ndr-app-config
diff --git a/infrastructure/lambda-bulk-upload-metadata-processor.tf b/infrastructure/lambda-bulk-upload-metadata-processor.tf
index d34aec5dc..8162f8c94 100644
--- a/infrastructure/lambda-bulk-upload-metadata-processor.tf
+++ b/infrastructure/lambda-bulk-upload-metadata-processor.tf
@@ -15,7 +15,7 @@ module "bulk-upload-metadata-processor-lambda" {
 module.lg-bulk-upload-expedite-metadata-queue.sqs_read_policy_document,
 module.lg-bulk-upload-expedite-metadata-queue.sqs_write_policy_document,
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
 ]
 
diff --git a/infrastructure/lambda-bulk-upload.tf b/infrastructure/lambda-bulk-upload.tf
index 45e5b994a..b14e83a4c 100644
--- a/infrastructure/lambda-bulk-upload.tf
+++ b/infrastructure/lambda-bulk-upload.tf
@@ -19,7 +19,7 @@ module "bulk-upload-lambda" {
 module.sqs-lg-bulk-upload-invalid-queue.sqs_write_policy_document,
 module.lg-bulk-upload-expedite-metadata-queue.sqs_write_policy_document,
 module.lg-bulk-upload-expedite-metadata-queue.sqs_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy
 ]
 kms_deletion_window = var.kms_deletion_window
@@ -54,7 +54,6 @@ module "bulk-upload-lambda" {
 module.ndr-lloyd-george-store,
 module.lloyd_george_reference_dynamodb_table,
 module.bulk_upload_report_dynamodb_table,
- aws_iam_policy.ssm_access_policy,
 module.lg-bulk-upload-expedite-metadata-queue,
 ]
 }
diff --git a/infrastructure/lambda-create-doc-ref.tf b/infrastructure/lambda-create-doc-ref.tf
index 5c7e30ab4..d52e6b4ea 100644
--- a/infrastructure/lambda-create-doc-ref.tf
+++ b/infrastructure/lambda-create-doc-ref.tf
@@ -56,7 +56,7 @@ module "create-doc-ref-lambda" {
 module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 ]
 kms_deletion_window = var.kms_deletion_window
diff --git a/infrastructure/lambda-document-status-check-result.tf b/infrastructure/lambda-document-status-check-result.tf
index b37f3acb4..11c719a64 100644
--- a/infrastructure/lambda-document-status-check-result.tf
+++ b/infrastructure/lambda-document-status-check-result.tf
@@ -57,7 +57,7 @@ module "document-status-check-lambda" {
 handler = "handlers.document_status_check_handler.lambda_handler"
 iam_role_policy_documents = [
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.document_reference_dynamodb_table.dynamodb_read_policy_document,
 module.document_reference_dynamodb_table.dynamodb_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
diff --git a/infrastructure/lambda-document-upload-check.tf b/infrastructure/lambda-document-upload-check.tf
index f66800c58..8a72d6877 100644
--- a/infrastructure/lambda-document-upload-check.tf
+++ b/infrastructure/lambda-document-upload-check.tf
@@ -7,7 +7,7 @@ module "document_upload_check_lambda" {
 module.ndr-bulk-staging-store.s3_write_policy_document,
 module.ndr-lloyd-george-store.s3_write_policy_document,
 module.pdm-document-store.s3_write_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
 data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
diff --git a/infrastructure/lambda-dynamodb-migration.tf b/infrastructure/lambda-dynamodb-migration.tf
index 692187df9..3f0d80f36 100644
--- a/infrastructure/lambda-dynamodb-migration.tf
+++ b/infrastructure/lambda-dynamodb-migration.tf
@@ -9,7 +9,7 @@ module "migration-dynamodb-lambda" {
 module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
 module.ndr-bulk-staging-store.s3_read_policy_document,
 module.ndr-lloyd-george-store.s3_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 module.migration-failed-items-store.s3_write_policy_document
 ]
@@ -36,7 +36,6 @@ module "migration-dynamodb-lambda" {
 module.lloyd_george_reference_dynamodb_table,
 module.bulk_upload_report_dynamodb_table,
 module.ndr-app-config,
- aws_iam_policy.ssm_access_policy,
 module.migration-failed-items-store
 ]
 }
diff --git a/infrastructure/lambda-edge-presign.tf b/infrastructure/lambda-edge-presign.tf
index 60b2d95e4..e735a8b7a 100644
--- a/infrastructure/lambda-edge-presign.tf
+++ b/infrastructure/lambda-edge-presign.tf
@@ -72,7 +72,7 @@ module "edge-presign-lambda" {
 handler = "handlers.edge_presign_handler.lambda_handler"
 iam_role_policies = [
 "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
- aws_iam_policy.ssm_access_policy.arn,
+ local.ssm_access_policy.arn,
 module.ndr-app-config.app_config_policy_arn,
 aws_iam_policy.staging_bucket_put.arn
 ]
diff --git a/infrastructure/lambda-feature-flags.tf b/infrastructure/lambda-feature-flags.tf
index 6ddf0d8b3..c284fa946 100644
--- a/infrastructure/lambda-feature-flags.tf
+++ b/infrastructure/lambda-feature-flags.tf
@@ -57,7 +57,7 @@ module "feature-flags-lambda" {
 handler = "handlers.feature_flags_handler.lambda_handler"
 iam_role_policy_documents = [
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-get-doc-ref.tf b/infrastructure/lambda-get-doc-ref.tf
index b82dacb52..af43d3f83 100644
--- a/infrastructure/lambda-get-doc-ref.tf
+++ b/infrastructure/lambda-get-doc-ref.tf
@@ -45,7 +45,7 @@ module "get-doc-ref-lambda" {
 iam_role_policy_documents = [
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document
 ]
diff --git a/infrastructure/lambda-get-document-fhir.tf b/infrastructure/lambda-get-document-fhir.tf
index f2b0168c7..e1c5af301 100644
--- a/infrastructure/lambda-get-document-fhir.tf
+++ b/infrastructure/lambda-get-document-fhir.tf
@@ -40,8 +40,8 @@ module "get-doc-fhir-lambda" {
 module.ndr-app-config.app_config_policy,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
 module.core_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
- aws_iam_policy.mtls_access_ssm_policy.policy,
+ local.ssm_access_policy.policy,
+ local.mtls_access_ssm_policy.policy,
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.pdm-document-store.s3_read_policy_document,
 ]
diff --git a/infrastructure/lambda-get-document-review.tf b/infrastructure/lambda-get-document-review.tf
index 7bbd73cb9..988c13519 100644
--- a/infrastructure/lambda-get-document-review.tf
+++ b/infrastructure/lambda-get-document-review.tf
@@ -7,7 +7,7 @@ module "get_document_review_lambda" {
 module.cloudfront_edge_dynamodb_table.dynamodb_read_policy_document,
 module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-document-pending-review-store.s3_read_policy_document
 ]
 
diff --git a/infrastructure/lambda-get-report-by-ods.tf b/infrastructure/lambda-get-report-by-ods.tf
index a0e596919..bd4b08db6 100644
--- a/infrastructure/lambda-get-report-by-ods.tf
+++ b/infrastructure/lambda-get-report-by-ods.tf
@@ -54,7 +54,7 @@ module "get-report-by-ods-lambda" {
 name = "GetReportByODS"
 handler = "handlers.get_report_by_ods_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 module.statistical-reports-store.s3_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
diff --git a/infrastructure/lambda-im-alerting.tf b/infrastructure/lambda-im-alerting.tf
index fc6970628..181690332 100644
--- a/infrastructure/lambda-im-alerting.tf
+++ b/infrastructure/lambda-im-alerting.tf
@@ -19,9 +19,9 @@ module "im-alerting-lambda" {
 name = "IMAlertingLambda"
 handler = "handlers.im_alerting_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
- aws_iam_policy.alerting_lambda_alarms.policy,
- aws_iam_policy.alerting_lambda_tags.policy,
+ local.ssm_access_policy.policy,
+ local.alerting_lambda_alarms_policy.policy,
+ local.alerting_lambda_tags_policy.policy,
 module.ndr-app-config.app_config_policy,
 module.alarm_state_history_table.dynamodb_read_policy_document,
 module.alarm_state_history_table.dynamodb_write_policy_document
@@ -47,6 +47,7 @@ module "im-alerting-lambda" {
 
 
 resource "aws_iam_policy" "alerting_lambda_alarms" {
+ count = local.is_sandbox ? 0 : 1
 name = "${terraform.workspace}_alerting_lambda_alarms_policy"
 description = "Alarms policy to allow lambda to describe all alarms"
 policy = jsonencode({
@@ -65,6 +66,7 @@ resource "aws_iam_policy" "alerting_lambda_alarms" {
 }
 
 resource "aws_iam_policy" "alerting_lambda_tags" {
+ count = local.is_sandbox ? 0 : 1
 name = "${terraform.workspace}_alerting_lambda_tags_policy"
 description = "Tags policy to allow alerting lambda to get resources by tags"
 policy = jsonencode({
@@ -80,3 +82,23 @@ resource "aws_iam_policy" "alerting_lambda_tags" {
 })
 }
 
+data "aws_iam_policy" "dev_environment_alerting_lambda_alarms" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_alerting_lambda_alarms_policy"
+}
+
+data "aws_iam_policy" "dev_environment_alerting_lambda_tags" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_alerting_lambda_tags_policy"
+}
+
+locals {
+ alerting_lambda_alarms_policy = local.is_sandbox ? (
+ data.aws_iam_policy.dev_environment_alerting_lambda_alarms[0]
+ ) : aws_iam_policy.alerting_lambda_alarms[0]
+
+ alerting_lambda_tags_policy = local.is_sandbox ? (
+ data.aws_iam_policy.dev_environment_alerting_lambda_tags[0]
+ ) : aws_iam_policy.alerting_lambda_tags[0]
+}
+
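Review bot: The two locals added at the end of lambda-im-alerting.tf (and the matching `ssm_access_policy` / `mtls_access_ssm_policy` locals in policies.tf) select a whole `aws_iam_policy` resource object in one branch and a whole `data.aws_iam_policy` object in the other; the two schemas do not expose the same attribute set, so Terraform's conditional may reject the expression as inconsistent result types, and even where it is accepted the local's shape silently depends on which branch was taken. The cloudfront.tf locals in this same commit avoid the problem by selecting `.id` inside each branch, and the callers here only ever read `.policy` and `.arn`. Building a small object with exactly those two attributes in both branches keeps every `local.*.policy` / `local.*.arn` reference working while giving the conditional a single, explicit type; the same rewrite applies to the policies.tf locals.

```hcl
locals {
  # Both branches yield the same {arn, policy} shape so the conditional has one type.
  alerting_lambda_alarms_policy = local.is_sandbox ? {
    arn    = data.aws_iam_policy.dev_environment_alerting_lambda_alarms[0].arn
    policy = data.aws_iam_policy.dev_environment_alerting_lambda_alarms[0].policy
  } : {
    arn    = aws_iam_policy.alerting_lambda_alarms[0].arn
    policy = aws_iam_policy.alerting_lambda_alarms[0].policy
  }

  alerting_lambda_tags_policy = local.is_sandbox ? {
    arn    = data.aws_iam_policy.dev_environment_alerting_lambda_tags[0].arn
    policy = data.aws_iam_policy.dev_environment_alerting_lambda_tags[0].policy
  } : {
    arn    = aws_iam_policy.alerting_lambda_tags[0].arn
    policy = aws_iam_policy.alerting_lambda_tags[0].policy
  }
}
```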
diff --git a/infrastructure/lambda-login-redirect.tf b/infrastructure/lambda-login-redirect.tf
index 9c6ecab77..87d0b8933 100644
--- a/infrastructure/lambda-login-redirect.tf
+++ b/infrastructure/lambda-login-redirect.tf
@@ -20,7 +20,7 @@ module "login_redirect_lambda" {
 name = "LoginRedirectHandler"
 handler = "handlers.login_redirect_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.auth_state_dynamodb_table.dynamodb_read_policy_document,
 module.auth_state_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-app-config.app_config_policy
@@ -41,7 +41,6 @@ module "login_redirect_lambda" {
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
 aws_api_gateway_resource.login_resource,
- aws_iam_policy.ssm_access_policy,
 module.auth_state_dynamodb_table,
 module.ndr-app-config
 ]
diff --git a/infrastructure/lambda-logout.tf b/infrastructure/lambda-logout.tf
index d797dfeb7..bbc69df67 100644
--- a/infrastructure/lambda-logout.tf
+++ b/infrastructure/lambda-logout.tf
@@ -14,7 +14,7 @@ module "logout_lambda" {
 name = "LogoutHandler"
 handler = "handlers.logout_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.auth_session_dynamodb_table.dynamodb_read_policy_document,
 module.auth_session_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-app-config.app_config_policy
@@ -34,7 +34,6 @@ module "logout_lambda" {
 }
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
- aws_iam_policy.ssm_access_policy,
 module.auth_session_dynamodb_table,
 module.logout-gateway,
 module.ndr-app-config
diff --git a/infrastructure/lambda-manage-nrl-pointer.tf b/infrastructure/lambda-manage-nrl-pointer.tf
index d55421b78..061f5dc28 100644
--- a/infrastructure/lambda-manage-nrl-pointer.tf
+++ b/infrastructure/lambda-manage-nrl-pointer.tf
@@ -7,7 +7,7 @@ module "manage-nrl-pointer-lambda" {
 module.ndr-app-config.app_config_policy,
 module.sqs-nrl-queue.sqs_read_policy_document,
 module.sqs-nrl-queue.sqs_write_policy_document,
- aws_iam_policy.ssm_access_policy.policy
+ local.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = null
diff --git a/infrastructure/lambda-mns-notification.tf b/infrastructure/lambda-mns-notification.tf
index 8b9bcede7..e177210e1 100644
--- a/infrastructure/lambda-mns-notification.tf
+++ b/infrastructure/lambda-mns-notification.tf
@@ -10,7 +10,7 @@ module "mns-notification-lambda" {
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
 module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 aws_iam_policy.kms_mns_lambda_access[0].policy,
 ]
diff --git a/infrastructure/lambda-nhs-oauth-token-generator.tf b/infrastructure/lambda-nhs-oauth-token-generator.tf
index 99bcbba79..a884d5673 100644
--- a/infrastructure/lambda-nhs-oauth-token-generator.tf
+++ b/infrastructure/lambda-nhs-oauth-token-generator.tf
@@ -4,7 +4,7 @@ module "nhs-oauth-token-generator-lambda" {
 handler = "handlers.nhs_oauth_token_generator_handler.lambda_handler"
 lambda_timeout = 120
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy
 ]
 
diff --git a/infrastructure/lambda-patch-document-review.tf b/infrastructure/lambda-patch-document-review.tf
index 53af85bd3..91e10ce79 100644
--- a/infrastructure/lambda-patch-document-review.tf
+++ b/infrastructure/lambda-patch-document-review.tf
@@ -6,7 +6,7 @@ module "patch_document_review_lambda" {
 module.ndr-app-config.app_config_policy,
 module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-document-pending-review-store.s3_write_policy_document
 ]
 
diff --git a/infrastructure/lambda-post-document-fhir.tf b/infrastructure/lambda-post-document-fhir.tf
index b88a92e83..b1a0705be 100644
--- a/infrastructure/lambda-post-document-fhir.tf
+++ b/infrastructure/lambda-post-document-fhir.tf
@@ -8,8 +8,8 @@ module "post-document-references-fhir-lambda" {
 module.core_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-bulk-staging-store.s3_write_policy_document,
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.mtls_access_ssm_policy.policy,
- aws_iam_policy.ssm_access_policy.policy
+ local.mtls_access_ssm_policy.policy,
+ local.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-post-document-review.tf b/infrastructure/lambda-post-document-review.tf
index 8f638635f..d769fe141 100644
--- a/infrastructure/lambda-post-document-review.tf
+++ b/infrastructure/lambda-post-document-review.tf
@@ -6,7 +6,7 @@ module "post_document_review_lambda" {
 module.ndr-app-config.app_config_policy,
 module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-bulk-staging-store.s3_write_policy_document,
 module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document,
 ]
diff --git a/infrastructure/lambda-review-document-status.tf b/infrastructure/lambda-review-document-status.tf
index ac29656a5..57ab0c429 100644
--- a/infrastructure/lambda-review-document-status.tf
+++ b/infrastructure/lambda-review-document-status.tf
@@ -4,7 +4,7 @@ module "review-document-status-check-lambda" {
 handler = "handlers.review_document_status_check_handler.lambda_handler"
 iam_role_policy_documents = [
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
 ]
 kms_deletion_window = var.kms_deletion_window
diff --git a/infrastructure/lambda-search-doc-references.tf b/infrastructure/lambda-search-doc-references.tf
index 279513a83..986809bc0 100644
--- a/infrastructure/lambda-search-doc-references.tf
+++ b/infrastructure/lambda-search-doc-references.tf
@@ -64,7 +64,7 @@ module "search-document-references-lambda" {
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.ndr-document-store.s3_read_policy_document,
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy
+ local.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-search-document-references-fhir.tf b/infrastructure/lambda-search-document-references-fhir.tf
index 01f06d7ce..c20dd7e1a 100644
--- a/infrastructure/lambda-search-document-references-fhir.tf
+++ b/infrastructure/lambda-search-document-references-fhir.tf
@@ -12,8 +12,8 @@ module "search-document-references-fhir-lambda" {
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.ndr-document-store.s3_read_policy_document,
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.mtls_access_ssm_policy.policy,
- aws_iam_policy.ssm_access_policy.policy
+ local.mtls_access_ssm_policy.policy,
+ local.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-search-document-review.tf b/infrastructure/lambda-search-document-review.tf
index 40e41f59a..d0b16fc9d 100644
--- a/infrastructure/lambda-search-document-review.tf
+++ b/infrastructure/lambda-search-document-review.tf
@@ -5,7 +5,7 @@ module "search_document_review_lambda" {
 iam_role_policy_documents = [
 module.ndr-app-config.app_config_policy,
 module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy
+ local.ssm_access_policy.policy
 ]
 
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
index 100927bc2..5cd8f8ffc 100644
--- a/infrastructure/lambda-search-patient.tf
+++ b/infrastructure/lambda-search-patient.tf
@@ -55,7 +55,7 @@ module "search-patient-details-lambda" {
 name = "SearchPatientDetailsLambda"
 handler = "handlers.search_patient_details_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 module.auth_session_dynamodb_table.dynamodb_write_policy_document,
 module.auth_session_dynamodb_table.dynamodb_read_policy_document,
diff --git a/infrastructure/lambda-send-feedback.tf b/infrastructure/lambda-send-feedback.tf
index b03d4ba5c..614cfe7fb 100644
--- a/infrastructure/lambda-send-feedback.tf
+++ b/infrastructure/lambda-send-feedback.tf
@@ -79,7 +79,7 @@ module "send-feedback-lambda" {
 name = "SendFeedbackLambda"
 handler = "handlers.send_feedback_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 aws_iam_policy.ses_send_email_policy.policy,
 module.ndr-app-config.app_config_policy
 ]
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
index eb3c33ba2..df9efb288 100644
--- a/infrastructure/lambda-token.tf
+++ b/infrastructure/lambda-token.tf
@@ -14,7 +14,7 @@ module "create-token-lambda" {
 name = "TokenRequestHandler"
 handler = "handlers.token_handler.lambda_handler"
 iam_role_policy_documents = [
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.auth_session_dynamodb_table.dynamodb_read_policy_document,
 module.auth_session_dynamodb_table.dynamodb_write_policy_document,
 module.auth_state_dynamodb_table.dynamodb_read_policy_document,
@@ -40,7 +40,6 @@ module "create-token-lambda" {
 }
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
- aws_iam_policy.ssm_access_policy,
 module.auth_session_dynamodb_table,
 module.auth_state_dynamodb_table,
 module.create-token-gateway,
diff --git a/infrastructure/lambda-update-doc-ref.tf b/infrastructure/lambda-update-doc-ref.tf
index be482520c..5773ab699 100644
--- a/infrastructure/lambda-update-doc-ref.tf
+++ b/infrastructure/lambda-update-doc-ref.tf
@@ -51,7 +51,7 @@ module "update-doc-ref-lambda" {
 module.ndr-document-store.s3_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.ndr-app-config.app_config_policy,
 ]
 kms_deletion_window = var.kms_deletion_window
diff --git a/infrastructure/lambda-virus-scan-result.tf b/infrastructure/lambda-virus-scan-result.tf
index bb39c114d..c373eba5c 100644
--- a/infrastructure/lambda-virus-scan-result.tf
+++ b/infrastructure/lambda-virus-scan-result.tf
@@ -59,7 +59,7 @@ module "virus_scan_result_lambda" {
 module.ndr-bulk-staging-store.s3_read_policy_document,
 module.ndr-bulk-staging-store.s3_write_policy_document,
 module.ndr-app-config.app_config_policy,
- aws_iam_policy.ssm_access_policy.policy,
+ local.ssm_access_policy.policy,
 module.document_reference_dynamodb_table.dynamodb_read_policy_document,
 module.document_reference_dynamodb_table.dynamodb_write_policy_document,
 module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
diff --git a/infrastructure/moved-resources-v1.6.11.tf b/infrastructure/moved-resources-v1.6.11.tf
new file mode 100644
index 000000000..8707bb4e3
--- /dev/null
+++ b/infrastructure/moved-resources-v1.6.11.tf
@@ -0,0 +1,35 @@
+moved {
+ from = aws_cloudfront_origin_request_policy.viewer
+ to = aws_cloudfront_origin_request_policy.viewer[0]
+}
+
+moved {
+ from = aws_cloudfront_origin_request_policy.uploader
+ to = aws_cloudfront_origin_request_policy.uploader[0]
+}
+
+moved {
+ from = aws_cloudfront_cache_policy.nocache
+ to = aws_cloudfront_cache_policy.nocache[0]
+}
+
+moved {
+ from = aws_iam_policy.ssm_access_policy
+ to = aws_iam_policy.ssm_access_policy[0]
+}
+
+moved {
+ from = aws_iam_policy.mtls_access_ssm_policy
+ to = aws_iam_policy.mtls_access_ssm_policy[0]
+}
+
+moved {
+ from = aws_iam_policy.alerting_lambda_alarms
+ to = aws_iam_policy.alerting_lambda_alarms[0]
+}
+
+moved {
+ from = aws_iam_policy.alerting_lambda_tags
+ to = aws_iam_policy.alerting_lambda_tags[0]
+}
+
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index 6d58526be..dd00c6095 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -1,5 +1,6 @@
 resource "aws_iam_policy" "ssm_access_policy" {
- name = "${terraform.workspace}_ssm_parameters"
+ count = local.is_sandbox ? 0 : 1
+ name = "${terraform.workspace}_ssm_parameters"
 policy = jsonencode({
 Version = "2012-10-17",
 Statement = [
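Review bot: The new moved-resources-v1.6.11.tf has no header comment, and its `moved` blocks only cover the non-sandbox case: the `[0]` targets exist solely when `local.is_sandbox` is false, so in a sandbox workspace the seven previously unindexed resources (four IAM policies and three CloudFront policies) are planned for destruction and their consumers are re-pointed at the shared workspace's copies. That is presumably the intent, but it is a one-way state migration that a reader of this file cannot see, and the sandbox plan should be checked for the expected destroys before apply. Suggest a two-line comment at the top of the file, e.g. `# State moves for the count-gated resources introduced in v1.6.11.` / `# In sandbox workspaces (count = 0) the old instances are destroyed; lookups against var.shared_infra_workspace replace them.`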
@@ -111,7 +112,8 @@ resource "aws_iam_policy" "transfer_family_kill_switch" {
 }
 
 resource "aws_iam_policy" "mtls_access_ssm_policy" {
- name = "${terraform.workspace}_mtls_ssm_parameters"
+ count = local.is_sandbox ? 0 : 1
+ name = "${terraform.workspace}_mtls_ssm_parameters"
 policy = jsonencode({
 Version = "2012-10-17",
 Statement = [
@@ -127,3 +129,24 @@ resource "aws_iam_policy" "mtls_access_ssm_policy" {
 ]
 })
 }
+
+data "aws_iam_policy" "dev_environment_ssm_access" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_ssm_parameters"
+}
+
+data "aws_iam_policy" "dev_environment_mtls_access" {
+ count = local.is_sandbox ? 1 : 0
+ name = "${var.shared_infra_workspace}_mtls_ssm_parameters"
+}
+
+locals {
+ ssm_access_policy = local.is_sandbox ? (
+ data.aws_iam_policy.dev_environment_ssm_access[0]
+ ) : aws_iam_policy.mtls_access_ssm_policy[0]
+
+ mtls_access_ssm_policy = local.is_sandbox ? (
+ data.aws_iam_policy.dev_environment_mtls_access[0]
+ ) : aws_iam_policy.mtls_access_ssm_policy[0]
+}
+
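Review bot: In a sandbox workspace `local.ssm_access_policy` and `local.mtls_access_ssm_policy` now resolve to the shared workspace's `${var.shared_infra_workspace}_ssm_parameters` and `_mtls_ssm_parameters` policies, so every sandbox lambda (and the ECS task role in ecs.tf) inherits exactly the parameter scope those shared policies grant, and any later widening of them in the shared workspace is picked up by all sandboxes on their next apply. The `Resource` entries of both policies are outside this hunk; if they are scoped by the owning workspace name, sandbox lambdas would be granted the shared workspace's parameters rather than their own, which is worth confirming in a sandbox plan and stating next to the locals. Suggest a comment above the `locals` block: `# Sandbox workspaces attach the SSM policies owned by var.shared_infra_workspace; their parameter scope, not this workspace's, applies to every sandbox lambda.` The `mtls_access_ssm_policy` local's non-sandbox branch reads `aws_iam_policy.mtls_access_ssm_policy[0]`; make sure the `ssm_access_policy` local's non-sandbox branch reads `aws_iam_policy.ssm_access_policy[0]` and not the mTLS policy, since the two locals are easy to confuse when copy-edited.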