CCM-10294: merge

Author: mark-r-bjss

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -85,4 +85,33 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
 }

infrastructure/terraform/components/app/module_kms.tf

@@ -106,4 +106,37 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values = [
+        "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-validate-letter-template-files-queue"
+      ]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values = [
+        "arn:aws:events:${var.region}:${var.aws_account_id}:rule/${local.csi}-api-quarantine-scan-passed-for-upload"
+      ]
+    }
+  }
 }

infrastructure/terraform/components/sandbox/README.md

@@ -28,6 +28,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_backend_api"></a> [backend\_api](#module\_backend\_api) | ../../modules/backend-api | n/a |
+| <a name="module_cognito_triggers"></a> [cognito\_triggers](#module\_cognito\_triggers) | ../../modules/cognito-triggers | n/a |
 ## Outputs
 
 | Name | Description |

infrastructure/terraform/components/sandbox/aws_cognito_user_pool_sandbox.tf

@@ -1,3 +1,18 @@
 resource "aws_cognito_user_pool" "sandbox" {
   name = local.csi
+
+  lambda_config {
+    pre_token_generation_config {
+      lambda_arn     = module.cognito_triggers.pre_token_generation_lambda_function_arn
+      lambda_version = "V2_0"
+    }
+  }
+
+  schema {
+    name                = "sbx_client_id"
+    attribute_data_type = "String"
+    mutable             = true
+    required            = false
+    string_attribute_constraints {}
+  }
 }

infrastructure/terraform/components/sandbox/module_cognito_triggers.tf

@@ -0,0 +1,15 @@
+module "cognito_triggers" {
+  source = "../../modules/cognito-triggers"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  function_s3_bucket    = local.acct.s3_buckets["artefacts"]["id"]
+  kms_key_arn           = data.aws_kms_key.sandbox.arn
+  log_retention_in_days = var.log_retention_in_days
+  user_pool_id          = aws_cognito_user_pool.sandbox.id
+}

infrastructure/terraform/modules/backend-api/README.md

@@ -16,7 +16,6 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
-| <a name="input_enable_guardduty"></a> [enable\_guardduty](#input\_enable\_guardduty) | Enable GuardDuty | `bool` | `true` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,5 +21,4 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_proof.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -19,19 +19,16 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_set_file_virus_scan_status_for_upload.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_copy_object_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_copy_scanned_object_to_internal.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_validate_files" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
   arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
 }