CCM-9874: us-east-1 resources for edge lambda

Author: harrim91

infrastructure/terraform/components/acct/README.md

@@ -37,6 +37,7 @@
 | <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.9 |
 | <a name="module_s3bucket_artefacts"></a> [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
+| <a name="module_s3bucket_artefacts_us_east_1"></a> [s3bucket\_artefacts\_us\_east\_1](#module\_s3bucket\_artefacts\_us\_east\_1) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |
 ## Outputs

infrastructure/terraform/components/acct/module_s3bucket_artefacts_us_east_1.tf

@@ -0,0 +1,134 @@
+module "s3bucket_artefacts_us_east_1" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  name = "artefacts"
+
+  aws_account_id = var.aws_account_id
+  region         = "us-east-1"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_artefacts_us_east_1.json
+  ]
+
+  bucket_logging_target = {
+    bucket = module.s3bucket_access_logs.id
+  }
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "Artefact bucket"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_artefacts_us_east_1" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts_us_east_1.arn,
+      "${module.s3bucket_artefacts_us_east_1.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_artefacts_us_east_1.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_artefacts_us_east_1.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}

infrastructure/terraform/components/acct/outputs.tf

@@ -17,6 +17,11 @@ output "s3_buckets" {
       bucket = module.s3bucket_artefacts.bucket
       id     = module.s3bucket_artefacts.id
     }
+    artefacts_us_east_1 = {
+      arn    = module.s3bucket_artefacts_us_east_1.arn
+      bucket = module.s3bucket_artefacts_us_east_1.bucket
+      id     = module.s3bucket_artefacts_us_east_1.id
+    }
     backup_reports = {
       arn    = module.s3bucket_backup_reports.arn
       bucket = module.s3bucket_backup_reports.bucket

infrastructure/terraform/components/app/README.md

@@ -54,6 +54,7 @@
 | <a name="module_download_authorizer_lambda"></a> [download\_authorizer\_lambda](#module\_download\_authorizer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.2 |
 | <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v1.0.13 |
 | <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
+| <a name="module_kms_us_east_1"></a> [kms\_us\_east\_1](#module\_kms\_us\_east\_1) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_nhse_backup_vault"></a> [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source | v1.0.8 |
 | <a name="module_s3bucket_cf_logs"></a> [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 ## Outputs

infrastructure/terraform/components/app/module_download_authorizer_lambda.tf

@@ -16,13 +16,13 @@ module "download_authorizer_lambda" {
   group          = var.group
 
   log_retention_in_days = var.log_retention_in_days
-  kms_key_arn           = module.kms.key_arn
+  kms_key_arn           = module.kms_us_east_1.key_arn
 
   iam_policy_document = {
     body = data.aws_iam_policy_document.authorizer.json
   }
 
-  function_s3_bucket       = local.acct.s3_buckets["artefacts"]["id"]
+  function_s3_bucket       = local.acct.s3_buckets["artefacts_us_east_1"]["id"]
   function_code_base_path  = local.lambdas_source_code_dir
   function_code_dir        = "download-authorizer/dist"
   handler_function_name    = "handler"
@@ -45,7 +45,7 @@ data "aws_iam_policy_document" "authorizer" {
     ]
 
     resources = [
-      module.kms.key_arn,
+      module.kms_us_east_1.key_arn,
     ]
   }
 }

infrastructure/terraform/components/app/module_kms.tf

@@ -66,11 +66,12 @@ data "aws_iam_policy_document" "kms" {
       "*",
     ]
 
-    // TODO, tag conditions don't work
     condition {
       test     = "StringLike"
       variable = "aws:SourceArn"
-      values   = ["arn:aws:cloudfront::${var.aws_account_id}:distribution/*"]
+      values = [
+        aws_cloudfront_distribution.main.arn
+      ]
     }
   }
 }

infrastructure/terraform/components/app/module_kms_us_east_1.tf

@@ -0,0 +1,49 @@
+module "kms_us_east_1" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = "us-east-1"
+
+  name                 = "main"
+  deletion_window      = var.kms_deletion_window
+  alias                = "alias/${local.csi}"
+  key_policy_documents = [data.aws_iam_policy_document.kms_us_east_1.json]
+  iam_delegation       = true
+}
+
+data "aws_iam_policy_document" "kms_us_east_1" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.${var.region}.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}