CCM-8637: add sftp utils

Author: alexnuttall

infrastructure/terraform/components/acct/ssm_parameter_sftp_mock_config.tf

@@ -0,0 +1,24 @@
+resource "aws_ssm_parameter" "sftp_mock_config" {
+  name = format(
+    "/%s/sftp-mock-config",
+    local.csi,
+  )
+  description = "Configuration values for accessing an SFTP mock server"
+  type        = "SecureString"
+
+  /*
+  JSON object matching:
+  {
+    "host": string
+    "username": string,
+    "privateKey": string,
+    "baseUploadDir": "WTM_MOCK/Incoming,
+    "baseDownloadDir": "WTM_MOCK/Outgoing"
+  }
+  */
+  value = "placeholder"
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}

infrastructure/terraform/components/app/module_backend_api.tf

@@ -16,5 +16,6 @@ module "backend_api" {
 
   enable_backup = var.destination_vault_arn != null ? true : false
 
-  enable_letters = var.enable_letters
+  enable_letters   = var.enable_letters
+  letter_suppliers = var.letter_suppliers
 }

infrastructure/terraform/components/app/variables.tf

@@ -192,3 +192,12 @@ variable "observability_account_id" {
   type        = string
   description = "The Observability Account ID that needs access"
 }
+
+variable "letter_suppliers" {
+  type = map(object({
+    enable_polling   = bool
+    default_supplier = optional(bool)
+  }))
+  default = {}
+  description = "Letter suppliers enabled in the environment"
+}

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -15,7 +15,8 @@ module "backend_api" {
     USER_POOL_CLIENT_ID = aws_cognito_user_pool_client.sandbox.id
   }
 
-  enable_letters = true
+  enable_letters   = true
+  letter_suppliers = var.letter_suppliers
 
   kms_key_arn          = data.aws_kms_key.sandbox.arn
   dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn

infrastructure/terraform/components/sandbox/variables.tf

@@ -62,3 +62,18 @@ variable "kms_deletion_window" {
   description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
   default     = "30"
 }
+
+variable "letter_suppliers" {
+  type = map(object({
+    enable_polling   = bool
+    default_supplier = optional(bool)
+  }))
+  default = {
+    "WTMMOCK" = {
+      enable_polling   = true
+      default_supplier = true
+    }
+  }
+  description = "Letter suppliers enabled in the environment"
+}
+

infrastructure/terraform/modules/backend-api/data_ssm_parameter_sftp_mock_config_acct.tf

@@ -0,0 +1,4 @@
+data "aws_ssm_parameter" "sftp_mock_config_acct" {
+  count = local.use_sftp_letter_supplier_mock ? 1 : 0
+  name  = "/nhs-notify-main-acct/sftp-mock-config"
+}

infrastructure/terraform/modules/backend-api/locals.tf

@@ -25,4 +25,10 @@ locals {
   }
 
   dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
+
+  mock_letter_supplier_name     = "WTMMOCK"
+  use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null
+  default_letter_supplier = [
+    for k, v in var.letter_suppliers : merge(v, { name = k }) if v.default_supplier
+  ][0]
 }

infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf

@@ -10,6 +10,10 @@ module "lambda_send_letter_proof" {
   log_retention_in_days = var.log_retention_in_days
 
   execution_role_policy_document = data.aws_iam_policy_document.send_letter_proof.json
+
+  environment_variables = {
+    CSI = local.csi
+  }
 }
 
 data "aws_iam_policy_document" "send_letter_proof" {
@@ -38,6 +42,17 @@ data "aws_iam_policy_document" "send_letter_proof" {
     resources = ["${module.s3bucket_internal.arn}/*"]
   }
 
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameter",
+    ]
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${local.csi}/*/sftp-config"
+    ]
+  }
+
   statement {
     sid    = "AllowKMSDynamoAccess"
     effect = "Allow"

…modules/backend-api/sftp_upload_queue.tf …kend-api/module_sqs_sftp_upload_queue.tfinfrastructure/terraform/modules/backend-api/sftp_upload_queue.tf renamed to infrastructure/terraform/modules/backend-api/module_sqs_sftp_upload_queue.tf infrastructure/terraform/modules/backend-api/sftp_upload_queue.tf renamed to infrastructure/terraform/modules/backend-api/module_sqs_sftp_upload_queue.tf

@@ -0,0 +1,21 @@
+resource "aws_ssm_parameter" "sftp_config" {
+  for_each = { for k, v in var.letter_suppliers : k => v if k != local.mock_letter_supplier_name }
+
+  name        = "/${local.csi}/sftp-config/${each.key}"
+  description = "Configuration values for accessing an SFTP server"
+  type        = "SecureString"
+  value       = "placeholder"
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
+resource "aws_ssm_parameter" "sftp_mock_config" {
+  count = local.use_sftp_letter_supplier_mock ? 1 : 0
+
+  name        = "/${local.csi}/sftp-config/${local.mock_letter_supplier_name}"
+  description = "Configuration values for accessing the mock SFTP server"
+  type        = "SecureString"
+  value       = data.aws_ssm_parameter.sftp_mock_config_acct[0].value
+}