
Commit 29f7743

CCM-8418: Lambda packaging (#470)
1 parent be59760 commit 29f7743


60 files changed

+819
-812
lines changed


infrastructure/terraform/components/acct/README.md

Lines changed: 1 addition & 0 deletions
@@ -36,6 +36,7 @@
3636
| <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
3737
| <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
3838
| <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.9 |
39+
| <a name="module_s3bucket_artefacts"></a> [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
3940
| <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
4041
| <a name="module_s3bucket_data_migration_backups"></a> [s3bucket\_data\_migration\_backups](#module\_s3bucket\_data\_migration\_backups) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.4 |
4142
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |

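--- a/infrastructure/terraform/components/acct/module_obs_datasource.tf
+++ b/infrastructure/terraform/components/acct/module_obs_datasource.tf
@@ -9,6 +9,6 @@ module "obs_datasource" {
 environment = var.environment
 component = var.component
 
-oam_sink_id = var.oam_sink_id
-observability_account_id = var.observability_account_id
+oam_sink_id = var.oam_sink_id
+observability_account_id = var.observability_account_id
 }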
Lines changed: 130 additions & 0 deletions
@@ -0,0 +1,130 @@
1+
module "s3bucket_artefacts" {
2+
source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
3+
4+
name = "artefacts"
5+
6+
aws_account_id = var.aws_account_id
7+
region = var.region
8+
project = var.project
9+
environment = var.environment
10+
component = var.component
11+
12+
acl = "private"
13+
force_destroy = false
14+
versioning = true
15+
16+
lifecycle_rules = [
17+
{
18+
prefix = ""
19+
enabled = true
20+
21+
noncurrent_version_transition = [
22+
{
23+
noncurrent_days = "30"
24+
storage_class = "STANDARD_IA"
25+
}
26+
]
27+
28+
noncurrent_version_expiration = {
29+
noncurrent_days = "90"
30+
}
31+
32+
abort_incomplete_multipart_upload = {
33+
days = "1"
34+
}
35+
}
36+
]
37+
38+
policy_documents = [
39+
data.aws_iam_policy_document.s3bucket_artefacts.json
40+
]
41+
42+
bucket_logging_target = {
43+
bucket = module.s3bucket_access_logs.id
44+
}
45+
46+
public_access = {
47+
block_public_acls = true
48+
block_public_policy = true
49+
ignore_public_acls = true
50+
restrict_public_buckets = true
51+
}
52+
53+
54+
default_tags = {
55+
Name = "Artefact bucket"
56+
}
57+
}
58+
59+
data "aws_iam_policy_document" "s3bucket_artefacts" {
60+
statement {
61+
sid = "DontAllowNonSecureConnection"
62+
effect = "Deny"
63+
64+
actions = [
65+
"s3:*",
66+
]
67+
68+
resources = [
69+
module.s3bucket_artefacts.arn,
70+
"${module.s3bucket_artefacts.arn}/*",
71+
]
72+
73+
principals {
74+
type = "AWS"
75+
76+
identifiers = [
77+
"*",
78+
]
79+
}
80+
81+
condition {
82+
test = "Bool"
83+
variable = "aws:SecureTransport"
84+
85+
values = [
86+
"false",
87+
]
88+
}
89+
}
90+
91+
statement {
92+
sid = "AllowManagedAccountsToList"
93+
effect = "Allow"
94+
95+
actions = [
96+
"s3:ListBucket",
97+
]
98+
99+
resources = [
100+
module.s3bucket_artefacts.arn,
101+
]
102+
103+
principals {
104+
type = "AWS"
105+
identifiers = [
106+
"arn:aws:iam::${var.aws_account_id}:root"
107+
]
108+
}
109+
}
110+
111+
statement {
112+
sid = "AllowManagedAccountsToGet"
113+
effect = "Allow"
114+
115+
actions = [
116+
"s3:GetObject",
117+
]
118+
119+
resources = [
120+
"${module.s3bucket_artefacts.arn}/*",
121+
]
122+
123+
principals {
124+
type = "AWS"
125+
identifiers = [
126+
"arn:aws:iam::${var.aws_account_id}:root"
127+
]
128+
}
129+
}
130+
}
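Review bot: The two Allow statements (`AllowManagedAccountsToList`, `AllowManagedAccountsToGet`) name only the bucket's own account root, `arn:aws:iam::${var.aws_account_id}:root`, so they grant nothing that an identity policy in that same account could not already grant, while the Sids read as if other managed accounts were intended. If the sandbox/dev environments that read `s3_buckets["artefacts"]` from remote state are meant to pull packages from this bucket from other accounts, the identifiers should come from a list variable of those account ids; if same-account access is all that is needed, the statements can be dropped or the Sids renamed so the intent is not misread later. The `DontAllowNonSecureConnection` deny, versioning, access logging and the full public-access block are as expected for an artefact bucket. The file header for this section is not shown on the page, so the file name is inferred from the module label.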

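--- a/infrastructure/terraform/components/acct/module_sandbox_kms.tf
+++ b/infrastructure/terraform/components/acct/module_sandbox_kms.tf
@@ -13,4 +13,45 @@ module "kms_sandbox" {
 deletion_window = var.kms_deletion_window
 alias = "alias/${local.csi}-sandbox"
 iam_delegation = true
+
+key_policy_documents = [data.aws_iam_policy_document.kms.json]
+}
+
+data "aws_iam_policy_document" "kms" {
+# '*' resource scope is permitted in access policies as as the resource is itself
+# https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+statement {
+sid = "AllowCloudWatchEncrypt"
+effect = "Allow"
+
+principals {
+type = "Service"
+
+identifiers = [
+"logs.${var.region}.amazonaws.com",
+]
+}
+
+actions = [
+"kms:Encrypt*",
+"kms:Decrypt*",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:Describe*"
+]
+
+resources = [
+"*",
+]
+
+condition {
+test = "ArnLike"
+variable = "kms:EncryptionContext:aws:logs:arn"
+
+values = [
+"arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
+]
+}
+}
 }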
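Review bot: The comment at the top of `data "aws_iam_policy_document" "kms"` is garbled (`as as the resource is itself`) and does not finish its sentence; I would write `# '*' is acceptable in a key policy because the policy is attached to the key it describes` above the existing docs link. The `kms:EncryptionContext:aws:logs:arn` condition is what actually confines the `logs` service principal to log groups in `var.aws_account_id`/`var.region`, so a one-line comment on the `condition` block saying that is the scoping control would stop a reader from flagging the `"*"` resource on its own. The enclosing `module "kms_sandbox"` block starts outside the hunk.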

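--- a/infrastructure/terraform/components/acct/outputs.tf
+++ b/infrastructure/terraform/components/acct/outputs.tf
@@ -12,6 +12,16 @@ output "github_pat_ssm_param_name" {
 
 output "s3_buckets" {
 value = {
+access_logs = {
+arn = module.s3bucket_access_logs.arn
+bucket = module.s3bucket_access_logs.bucket
+id = module.s3bucket_access_logs.id
+}
+artefacts = {
+arn = module.s3bucket_artefacts.arn
+bucket = module.s3bucket_artefacts.bucket
+id = module.s3bucket_artefacts.id
+}
 backup_reports = {
 arn = module.s3bucket_backup_reports.arn
 bucket = module.s3bucket_backup_reports.bucket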

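--- a/infrastructure/terraform/components/app/cloudfront_distribution_main.tf
+++ b/infrastructure/terraform/components/app/cloudfront_distribution_main.tf
@@ -1,9 +1,9 @@
 resource "aws_cloudfront_distribution" "main" {
 provider = aws.us-east-1
 
-enabled = true
-is_ipv6_enabled = true
-comment = "NHS Notify templates files CDN (${local.csi})"
+enabled = true
+is_ipv6_enabled = true
+comment = "NHS Notify templates files CDN (${local.csi})"
 # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-priceclass
 price_class = "PriceClass_100"
 
@@ -64,4 +64,3 @@ resource "aws_cloudfront_distribution" "main" {
 compress = true
 }
 }
-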
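--- a/infrastructure/terraform/components/app/module_backend_api.tf
+++ b/infrastructure/terraform/components/app/module_backend_api.tf
@@ -13,17 +13,19 @@ module "backend_api" {
 log_retention_in_days = var.log_retention_in_days
 kms_key_arn = module.kms.key_arn
 parent_acct_environment = var.parent_acct_environment
+function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"]
 
 cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn
 
 cognito_config = jsondecode(aws_ssm_parameter.cognito_config.value)
 
 enable_backup = var.destination_vault_arn != null ? true : false
 
-enable_letters = var.enable_letters
-enable_proofing = var.enable_proofing
-letter_suppliers = var.letter_suppliers
-log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
-log_subscription_role_arn = local.acct.log_subscription_role_arn
+enable_letters = var.enable_letters
+enable_proofing = var.enable_proofing
+letter_suppliers = var.letter_suppliers
+log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+log_subscription_role_arn = local.acct.log_subscription_role_arn
 
+send_to_firehose = true
 }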
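Review bot: `function_s3_bucket = local.acct.s3_buckets["artefacts"]["id"]` indexes a remote-state output that only exists once the acct component from this same commit has been applied to the environment named by `var.parent_acct_environment`; against an older acct state the lookup fails at plan time with a bare index error rather than anything naming the missing bucket. A comment next to the line such as `# needs the acct component applied with the artefacts bucket output first` would make the apply ordering explicit for whoever hits that error. `send_to_firehose = true` is hard-coded while the neighbouring toggles are driven by variables; if it is ever expected to differ per environment it belongs in a `var.send_to_firehose`, otherwise a comment saying it is intentionally always on would do. The `module "backend_api"` block starts outside the hunk.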

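--- a/infrastructure/terraform/components/app/pre.sh
+++ b/infrastructure/terraform/components/app/pre.sh
@@ -2,4 +2,6 @@ npm ci --omit=dev
 
 npm run generate-dependencies --workspaces --if-present
 
+npm run lambda-build --workspaces --if-present
+
 $(git rev-parse --show-toplevel)/lambdas/layers/pdfjs/build.sh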
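Review bot: The new `npm run lambda-build --workspaces --if-present` has no visible error handling, so a failed workspace build lets the script carry on to the pdfjs layer build and Terraform can then package a stale or missing Lambda artefact; unless line 1 (outside the hunk) already sets `set -euo pipefail`, guard it with `npm run lambda-build --workspaces --if-present || exit 1`. The hunk context also shows `npm ci --omit=dev` at the top of the script; if the bundler that `lambda-build` invokes is declared under devDependencies it will not be installed here, which is worth confirming against the workspace package.json files.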

infrastructure/terraform/components/sandbox/README.md

Lines changed: 1 addition & 0 deletions
@@ -17,6 +17,7 @@ No requirements.
1717
| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
1818
| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/> enable_polling = bool<br/> default_supplier = optional(bool)<br/> }))</pre> | <pre>{<br/> "WTMMOCK": {<br/> "default_supplier": true,<br/> "enable_polling": true<br/> }<br/>}</pre> | no |
1919
| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
20+
| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
2021
| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
2122
| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
2223
## Modules
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
locals {
2+
acct = data.terraform_remote_state.acct.outputs
3+
}
4+
5+
data "terraform_remote_state" "acct" {
6+
backend = "s3"
7+
8+
config = {
9+
bucket = local.terraform_state_bucket
10+
11+
key = format(
12+
"%s/%s/%s/%s/acct.tfstate",
13+
var.project,
14+
var.aws_account_id,
15+
"eu-west-2",
16+
var.parent_acct_environment
17+
)
18+
19+
region = "eu-west-2"
20+
}
21+
}
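Review bot: The remote-state config hard-codes `"eu-west-2"` twice, in the `format(...)` state key and as `region`, while the components it reads from derive their region from `var.region`; if the state bucket is deliberately pinned to one region regardless of where the environment is deployed, a local such as `terraform_state_region = "eu-west-2"` with a one-line comment saying why would stop a later reader "fixing" it to `var.region` and breaking the lookup. `local.terraform_state_bucket` is referenced but defined elsewhere, and the file header for this section is not shown on the page.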
