CCM-9874: edge lambda auth (#474)

Co-authored-by: ben.hansell1 <[email protected]>
Co-authored-by: Michael Harrison <[email protected]>

Author: 3 people

infrastructure/terraform/components/acct/README.md

@@ -37,6 +37,7 @@
 | <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.9 |
 | <a name="module_s3bucket_artefacts"></a> [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
+| <a name="module_s3bucket_artefacts_us_east_1"></a> [s3bucket\_artefacts\_us\_east\_1](#module\_s3bucket\_artefacts\_us\_east\_1) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_data_migration_backups"></a> [s3bucket\_data\_migration\_backups](#module\_s3bucket\_data\_migration\_backups) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |

infrastructure/terraform/components/acct/module_s3bucket_artefacts_us_east_1.tf

@@ -0,0 +1,130 @@
+module "s3bucket_artefacts_us_east_1" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  name = "artefacts"
+
+  aws_account_id = var.aws_account_id
+  region         = "us-east-1"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_artefacts_us_east_1.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "Artefact bucket"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_artefacts_us_east_1" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts_us_east_1.arn,
+      "${module.s3bucket_artefacts_us_east_1.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts_us_east_1.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_artefacts_us_east_1.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}

infrastructure/terraform/components/acct/outputs.tf

@@ -22,6 +22,11 @@ output "s3_buckets" {
       bucket = module.s3bucket_artefacts.bucket
       id     = module.s3bucket_artefacts.id
     }
+    artefacts_us_east_1 = {
+      arn    = module.s3bucket_artefacts_us_east_1.arn
+      bucket = module.s3bucket_artefacts_us_east_1.bucket
+      id     = module.s3bucket_artefacts_us_east_1.id
+    }
     backup_reports = {
       arn    = module.s3bucket_backup_reports.arn
       bucket = module.s3bucket_backup_reports.bucket

infrastructure/terraform/components/app/README.md

@@ -50,8 +50,10 @@
 |------|--------|---------|
 | <a name="module_amplify_branch"></a> [amplify\_branch](#module\_amplify\_branch) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/amp_branch | v1.0.0 |
 | <a name="module_backend_api"></a> [backend\_api](#module\_backend\_api) | ../../modules/backend-api | n/a |
+| <a name="module_download_authorizer_lambda"></a> [download\_authorizer\_lambda](#module\_download\_authorizer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.2 |
 | <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v1.0.13 |
 | <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
+| <a name="module_kms_us_east_1"></a> [kms\_us\_east\_1](#module\_kms\_us\_east\_1) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_nhse_backup_vault"></a> [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source | v1.0.8 |
 | <a name="module_s3bucket_cf_logs"></a> [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 ## Outputs

infrastructure/terraform/components/app/cloudfront_distribution_main.tf

@@ -4,6 +4,7 @@ resource "aws_cloudfront_distribution" "main" {
   enabled         = true
   is_ipv6_enabled = true
   comment         = "NHS Notify templates files CDN (${local.csi})"
+
   # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-priceclass
   price_class = "PriceClass_100"
 
@@ -34,6 +35,16 @@ resource "aws_cloudfront_distribution" "main" {
     domain_name              = module.backend_api.download_bucket_regional_domain_name
     origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
     origin_id                = "S3-${local.csi}-download"
+
+    custom_header {
+      name  = "x-user-pool-id"
+      value = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_ID"]
+    }
+
+    custom_header {
+      name  = "x-user-pool-client-id"
+      value = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_CLIENT_ID"]
+    }
   }
 
   default_cache_behavior {
@@ -48,19 +59,27 @@ resource "aws_cloudfront_distribution" "main" {
     ]
     target_origin_id = "S3-${local.csi}-download"
 
-    forwarded_values {
-      query_string = true
-      headers      = ["Origin"]
-
-      cookies {
-        forward = "all"
-      }
-    }
-
     viewer_protocol_policy = "redirect-to-https"
-    min_ttl                = 0
-    default_ttl            = 3600
-    max_ttl                = 86400
     compress               = true
+
+    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.forward_cookies.id
+
+
+    lambda_function_association {
+      lambda_arn = module.download_authorizer_lambda.function_qualified_arn
+      event_type = "origin-request"
+    }
   }
 }
+
+data "aws_cloudfront_cache_policy" "caching_disabled" {
+  name = "Managed-CachingDisabled"
+}
+
+resource "aws_cloudfront_origin_request_policy" "forward_cookies" {
+  name = "${local.csi}-forward-cookies"
+  cookies_config { cookie_behavior = "all" }
+  headers_config { header_behavior = "none" }
+  query_strings_config { query_string_behavior = "none" }
+}

infrastructure/terraform/components/app/locals.tf

@@ -1,4 +1,5 @@
 locals {
   cloudfront_files_domain_name = "files.${local.root_domain_name}"
   root_domain_name             = "${var.environment}.${local.acct.dns_zone["name"]}"
+  lambdas_source_code_dir      = "../../../../lambdas"
 }

infrastructure/terraform/components/app/module_download_authorizer_lambda.tf

@@ -0,0 +1,50 @@
+module "download_authorizer_lambda" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.2"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  function_name = "download-authorizer"
+  description   = "Download authorizer for s3 download bucket"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = "us-east-1"
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms_us_east_1.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.authorizer.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["artefacts_us_east_1"]["id"]
+  function_code_base_path = local.lambdas_source_code_dir
+  function_code_dir       = "download-authorizer/dist"
+  handler_function_name   = "handler"
+  runtime                 = "nodejs20.x"
+  memory                  = 128
+  timeout                 = 3
+  lambda_at_edge          = true
+  enable_lambda_insights  = false
+}
+
+data "aws_iam_policy_document" "authorizer" {
+  statement {
+    sid    = "KMSPermissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      module.kms_us_east_1.key_arn,
+    ]
+  }
+}

infrastructure/terraform/components/app/module_kms_us_east_1.tf

@@ -0,0 +1,49 @@
+module "kms_us_east_1" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = "us-east-1"
+
+  name                 = "main"
+  deletion_window      = var.kms_deletion_window
+  alias                = "alias/${local.csi}"
+  key_policy_documents = [data.aws_iam_policy_document.kms_us_east_1.json]
+  iam_delegation       = true
+}
+
+data "aws_iam_policy_document" "kms_us_east_1" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.us-east-1.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}

infrastructure/terraform/modules/backend-api/data_cloudwatch_event_bus_default.tf

@@ -73,10 +73,10 @@ data "aws_iam_policy_document" "guardduty_quarantine" {
     sid    = "AllowPostScanTag"
     effect = "Allow"
     actions = [
-      "S3:PutObjectTagging",
-      "S3:GetObjectTagging",
-      "S3:PutObjectVersionTagging",
-      "S3:GetObjectVersionTagging"
+      "s3:PutObjectTagging",
+      "s3:GetObjectTagging",
+      "s3:PutObjectVersionTagging",
+      "s3:GetObjectVersionTagging"
     ]
 
     resources = [