CCM-12481 migrating the S3 quarantine bucket up to the acct component

Author: aidenvaines-cgi

infrastructure/terraform/components/acct/data_iam_policy_document_kms.tf

@@ -0,0 +1,148 @@
+data "aws_iam_policy_document" "kms" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.${var.region}.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowS3"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "s3.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowSES"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "ses.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowLogDeliveryEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "delivery.logs.amazonaws.com"
+      ]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:SourceArn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
+}

infrastructure/terraform/components/acct/module_kms.tf

@@ -0,0 +1,20 @@
+module "kms" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip"
+
+  providers = {
+    aws           = aws
+    aws.us-east-1 = aws.us-east-1
+  }
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name                 = "main"
+  deletion_window      = var.kms_deletion_window
+  alias                = "alias/${local.csi}"
+  key_policy_documents = [data.aws_iam_policy_document.kms.json]
+  iam_delegation       = true
+}

…ackend-api/module_s3bucket_quarantine.tf …nents/acct/module_s3bucket_quarantine.tfinfrastructure/terraform/modules/backend-api/module_s3bucket_quarantine.tf renamed to infrastructure/terraform/components/acct/module_s3bucket_quarantine.tf infrastructure/terraform/modules/backend-api/module_s3bucket_quarantine.tf renamed to infrastructure/terraform/components/acct/module_s3bucket_quarantine.tf

@@ -1,5 +1,5 @@
 module "s3bucket_quarantine" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip"
 
   name = "quarantine"
 
@@ -9,7 +9,7 @@ module "s3bucket_quarantine" {
   environment    = var.environment
   component      = var.component
 
-  kms_key_arn = var.kms_key_arn
+  kms_key_arn = module.kms.key_arn
 
   notification_events = {
     eventbridge = true

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -21,152 +21,3 @@ module "kms_sandbox" {
 
   key_policy_documents = [data.aws_iam_policy_document.kms.json]
 }
-
-data "aws_iam_policy_document" "kms" {
-  # '*' resource scope is permitted in access policies as as the resource is itself
-  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
-
-  statement {
-    sid    = "AllowCloudWatchEncrypt"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "logs.${var.region}.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-
-    condition {
-      test     = "ArnLike"
-      variable = "kms:EncryptionContext:aws:logs:arn"
-
-      values = [
-        "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowS3"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "s3.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid    = "AllowSES"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "ses.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid    = "AllowLogDeliveryEncrypt"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "delivery.logs.amazonaws.com"
-      ]
-    }
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey*",
-    ]
-
-    resources = [
-      "*",
-    ]
-
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:SourceArn"
-
-      values = [
-        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["events.amazonaws.com"]
-    }
-
-    actions = [
-      "kms:GenerateDataKey*",
-      "kms:Decrypt",
-    ]
-
-    resources = ["*"]
-
-    condition {
-      test     = "ArnLike"
-      variable = "kms:EncryptionContext:aws:sqs:arn"
-      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
-    }
-
-    condition {
-      test     = "ArnLike"
-      variable = "aws:SourceArn"
-      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
-    }
-  }
-}

infrastructure/terraform/components/acct/outputs.tf

@@ -32,6 +32,11 @@ output "s3_buckets" {
       bucket = module.s3bucket_backup_reports.bucket
       id     = module.s3bucket_backup_reports.id
     }
+    quarantine = {
+      arn    = module.s3bucket_quarantine.arn
+      bucket = module.s3bucket_quarantine.bucket
+      id     = module.s3bucket_quarantine.id
+    }
   }
 }
 

infrastructure/terraform/components/app/module_backend_api.tf

@@ -14,6 +14,7 @@ module "backend_api" {
   kms_key_arn             = module.kms.key_arn
   parent_acct_environment = var.parent_acct_environment
   function_s3_bucket      = local.acct.s3_buckets["artefacts"]["id"]
+  quarantine_s3_bucket    = local.acct.s3_buckets["quarantine"]["id"]
 
   cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn
 

infrastructure/terraform/modules/backend-api/data_s3_bucket.tf

@@ -0,0 +1,3 @@
+data "aws_s3_bucket" "quarantine" {
+  bucket = var.quarantine_s3_bucket
+}

infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf

@@ -1,14 +1,10 @@
 resource "aws_guardduty_malware_protection_plan" "quarantine" {
-  depends_on = [
-    aws_iam_role_policy_attachment.guardduty_quarantine
-  ]
-
   role = aws_iam_role.guardduty_quarantine.arn
 
   protected_resource {
     s3_bucket {
-      bucket_name     = module.s3bucket_quarantine.id
-      object_prefixes = ["pdf-template/", "test-data/", "proofs/"]
+      bucket_name     = data.aws_s3_bucket.quarantine.id
+      object_prefixes = ["${local.csi}/pdf-template/", "${local.csi}/test-data/", "${local.csi}/proofs/"]
     }
   }
 

infrastructure/terraform/modules/backend-api/locals.tf

@@ -38,7 +38,7 @@ locals {
     TEMPLATE_SUBMITTED_SENDER_EMAIL_ADDRESS = var.template_submitted_sender_email_address
     TEMPLATES_DOWNLOAD_BUCKET_NAME          = module.s3bucket_download.id
     TEMPLATES_INTERNAL_BUCKET_NAME          = module.s3bucket_internal.id
-    TEMPLATES_QUARANTINE_BUCKET_NAME        = module.s3bucket_quarantine.id
+    TEMPLATES_QUARANTINE_BUCKET_NAME        = data.aws_s3_bucket.quarantine.id
     TEMPLATES_TABLE_NAME                    = aws_dynamodb_table.templates.name
   }