CCM-8574: remove custom event

Author: harrim91

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed.tf

@@ -0,0 +1,56 @@
+resource "aws_cloudwatch_event_rule" "quarantine_guardduty_scan_failed" {
+  name        = "${local.csi}-quarantine-scan-failed"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+      scanResultDetails = {
+        scanResultStatus = [{ anything-but = "NO_THREATS_FOUND" }]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.quarantine_guardduty_scan_failed.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object" {
+  rule     = aws_cloudwatch_event_rule.quarantine_guardduty_scan_failed.name
+  arn      = module.lambda_delete_failed_scanned_object.function_arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
+}
+
+resource "aws_iam_role" "quarantine_scan_failed" {
+  name               = "${local.csi}-quarantine-scan-failed"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy" "quarantine_scan_failed" {
+  name   = "${local.csi}-quarantine-scan-failed"
+  role   = aws_iam_role.quarantine_scan_failed.id
+  policy = data.aws_iam_policy_document.quarantine_scan_failed.json
+}
+
+data "aws_iam_policy_document" "quarantine_scan_failed" {
+  version = "2012-10-17"
+
+  statement {
+    sid     = "AllowLambdaInvoke"
+    effect  = "Allow"
+    actions = ["lambda:InvokeFunction"]
+    resources = [
+      module.lambda_set_file_virus_scan_status.function_arn,
+      module.lambda_delete_failed_scanned_object.function_arn
+    ]
+  }
+}

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_no_threats.tf

@@ -0,0 +1,79 @@
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed" {
+  name        = "${local.csi}-quarantine-scan-passed"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+      scanResultDetails = {
+        scanResultStatus = ["NO_THREATS_FOUND"]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_copy_object" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
+  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
+}
+
+resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
+}
+
+resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_validate_files" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
+  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
+}
+
+resource "aws_iam_role" "guardduty_quarantine_scan_passed" {
+  name               = "${local.csi}-quarantine-scan-passed"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy" "guardduty_quarantine_scan_passed" {
+  name   = "${local.csi}-quarantine-scan-passed"
+  role   = aws_iam_role.guardduty_quarantine_scan_passed.id
+  policy = data.aws_iam_policy_document.guardduty_quarantine_scan_passed.json
+}
+
+data "aws_iam_policy_document" "guardduty_quarantine_scan_passed" {
+  version = "2012-10-17"
+
+  statement {
+    sid     = "AllowLambdaInvoke"
+    effect  = "Allow"
+    actions = ["lambda:InvokeFunction"]
+    resources = [
+      module.lambda_copy_scanned_object_to_internal.function_arn,
+      module.lambda_set_file_virus_scan_status.function_arn,
+    ]
+  }
+
+  statement {
+    sid       = "AllowSQSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [module.sqs_validate_letter_template_files.sqs_queue_arn]
+  }
+
+  statement {
+    sid    = "AllowKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [var.kms_key_arn]
+  }
+}

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed.tf

@@ -35,12 +35,8 @@ locals {
     NODE_OPTIONS                     = "--enable-source-maps"
     TEMPLATES_QUARANTINE_BUCKET_NAME = module.s3bucket_quarantine.id
     TEMPLATES_INTERNAL_BUCKET_NAME   = module.s3bucket_internal.id
-    TEMPLATES_EVENT_BUS_NAME         = data.aws_cloudwatch_event_bus.default.name
-    TEMPLATES_EVENT_SOURCE           = local.event_source
     TEMPLATES_TABLE_NAME             = aws_dynamodb_table.templates.name
   }
 
   dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
-
-  event_source = "templates.${var.environment}.${var.project}"
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_result.tf

@@ -19,6 +19,7 @@ data "aws_iam_policy_document" "delete_failed_scanned_object" {
 
     actions = [
       "s3:DeleteObject",
+      "s3:DeleteObjectVersion",
     ]
 
     resources = ["${module.s3bucket_quarantine.arn}/*"]

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_failed.tf

@@ -14,18 +14,6 @@ module "lambda_set_file_virus_scan_status" {
 }
 
 data "aws_iam_policy_document" "set_file_virus_scan_status" {
-  statement {
-    sid    = "AllowS3Read"
-    effect = "Allow"
-
-    actions = [
-      "s3:GetObject",
-      "s3:GetObjectVersion",
-    ]
-
-    resources = ["${module.s3bucket_quarantine.arn}/*"]
-  }
-
   statement {
     sid    = "AllowDynamoAccess"
     effect = "Allow"
@@ -82,16 +70,4 @@ data "aws_iam_policy_document" "set_file_virus_scan_status" {
       var.kms_key_arn,
     ]
   }
-
-  statement {
-    sid    = "AllowEventBridge"
-    effect = "Allow"
-    actions = [
-      "events:PutEvents"
-    ]
-
-    resources = [
-      data.aws_cloudwatch_event_bus.default.arn
-    ]
-  }
 }