CCM-9037: add acct sandbox kms key, quarantine s3 bucket

harrim91 · harrim91 · commit 0347b77c219b · 2025-03-14T10:26:50.000Z
diff --git a/infrastructure/terraform/components/acct/module_sandbox_kms.tf b/infrastructure/terraform/components/acct/module_sandbox_kms.tf
@@ -1,4 +1,4 @@
-module "kms" {
+module "kms_sandbox" {
   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
 
   aws_account_id = var.aws_account_id
@@ -7,7 +7,7 @@ module "kms" {
   project        = var.project
   region         = var.region
 
-  name            = "main"
+  name            = "sandbox"
   deletion_window = var.kms_deletion_window
-  alias           = "alias/${local.csi}"
+  alias           = "alias/${local.csi}-sandbox"
 }
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
@@ -70,3 +70,15 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "kms_deletion_window" {
+  type        = string
+  description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
+  default     = "30"
+}
+
+variable "support_sandbox_environments" {
+  type        = bool
+  description = "Does this account support dev sandbox environments?"
+  default     = false
+}
diff --git a/infrastructure/terraform/components/sandbox/data_acct_kms_key.tf b/infrastructure/terraform/components/sandbox/data_acct_kms_key.tf
@@ -0,0 +1,3 @@
+data "aws_kms_key" "sandbox" {
+  key_id = "${var.project}-main-acct-sandbox"
+}
diff --git a/infrastructure/terraform/components/sandbox/module_backend_api.tf b/infrastructure/terraform/components/sandbox/module_backend_api.tf
@@ -6,15 +6,17 @@ module "backend_api" {
   aws_account_id        = var.aws_account_id
   region                = var.region
   group                 = var.group
+  component             = var.component
   csi                   = local.csi
   log_retention_in_days = var.log_retention_in_days
 
+
   cognito_config = {
     USER_POOL_ID        = aws_cognito_user_pool.sandbox.id
     USER_POOL_CLIENT_ID = aws_cognito_user_pool_client.sandbox.id
   }
 
   enable_letters = true
 
-  kms_key_arn = module.kms.key_arn
+  kms_key_arn = data.aws_kms_key.sandbox.arn
 }
diff --git a/infrastructure/terraform/modules/backend-api/module_s3bucket_quarantine.tf b/infrastructure/terraform/modules/backend-api/module_s3bucket_quarantine.tf
@@ -0,0 +1,13 @@
+module "s3bucket_quarantine" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.8"
+
+  name = "quarantine"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  kms_key_arn = var.kms_key_arn
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+data "aws_kms_key" "sandbox" {`
	`2`	`+ key_id = "${var.project}-main-acct-sandbox"`
	`3`	`+}`