CCM-8574: Code review comments excl lambda layers

Author: ClareJonesBJSS

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed.tf

@@ -1,4 +1,4 @@
-resource "aws_cloudwatch_event_rule" "quarantine_guardduty_scan_failed" {
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed" {
   name        = "${local.csi}-quarantine-scan-failed"
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
@@ -19,38 +19,13 @@ resource "aws_cloudwatch_event_rule" "quarantine_guardduty_scan_failed" {
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status" {
-  rule     = aws_cloudwatch_event_rule.quarantine_guardduty_scan_failed.name
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
   arn      = module.lambda_set_file_virus_scan_status.function_arn
   role_arn = aws_iam_role.quarantine_scan_failed.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object" {
-  rule     = aws_cloudwatch_event_rule.quarantine_guardduty_scan_failed.name
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
   role_arn = aws_iam_role.quarantine_scan_failed.arn
 }
-
-resource "aws_iam_role" "quarantine_scan_failed" {
-  name               = "${local.csi}-quarantine-scan-failed"
-  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
-}
-
-resource "aws_iam_role_policy" "quarantine_scan_failed" {
-  name   = "${local.csi}-quarantine-scan-failed"
-  role   = aws_iam_role.quarantine_scan_failed.id
-  policy = data.aws_iam_policy_document.quarantine_scan_failed.json
-}
-
-data "aws_iam_policy_document" "quarantine_scan_failed" {
-  version = "2012-10-17"
-
-  statement {
-    sid     = "AllowLambdaInvoke"
-    effect  = "Allow"
-    actions = ["lambda:InvokeFunction"]
-    resources = [
-      module.lambda_set_file_virus_scan_status.function_arn,
-      module.lambda_delete_failed_scanned_object.function_arn
-    ]
-  }
-}

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed.tf

@@ -18,62 +18,20 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed" {
   })
 }
 
-resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_copy_object" {
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
-  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
-  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
 }
 
-resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_set_file_status" {
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_copy_object" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
-  arn      = module.lambda_set_file_virus_scan_status.function_arn
-  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
+  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
 }
 
-resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_passed_validate_files" {
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_validate_files" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
   arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
-  role_arn = aws_iam_role.guardduty_quarantine_scan_passed.arn
-}
-
-resource "aws_iam_role" "guardduty_quarantine_scan_passed" {
-  name               = "${local.csi}-quarantine-scan-passed"
-  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
-}
-
-resource "aws_iam_role_policy" "guardduty_quarantine_scan_passed" {
-  name   = "${local.csi}-quarantine-scan-passed"
-  role   = aws_iam_role.guardduty_quarantine_scan_passed.id
-  policy = data.aws_iam_policy_document.guardduty_quarantine_scan_passed.json
-}
-
-data "aws_iam_policy_document" "guardduty_quarantine_scan_passed" {
-  version = "2012-10-17"
-
-  statement {
-    sid     = "AllowLambdaInvoke"
-    effect  = "Allow"
-    actions = ["lambda:InvokeFunction"]
-    resources = [
-      module.lambda_copy_scanned_object_to_internal.function_arn,
-      module.lambda_set_file_virus_scan_status.function_arn,
-    ]
-  }
-
-  statement {
-    sid       = "AllowSQSSendMessage"
-    effect    = "Allow"
-    actions   = ["sqs:SendMessage"]
-    resources = [module.sqs_validate_letter_template_files.sqs_queue_arn]
-  }
-
-  statement {
-    sid    = "AllowKMS"
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey"
-    ]
-    resources = [var.kms_key_arn]
-  }
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
 }

infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf

@@ -14,155 +14,3 @@ resource "aws_guardduty_malware_protection_plan" "quarantine" {
     }
   }
 }
-
-resource "aws_iam_role" "guardduty_quarantine" {
-  name               = "${local.csi}-guardduty-quarantine"
-  description        = "IAM Role for GuardDuty to provide S3 malware protection"
-  assume_role_policy = data.aws_iam_policy_document.guardduty_assumerole.json
-}
-
-resource "aws_iam_role_policy_attachment" "guardduty_quarantine" {
-  role       = aws_iam_role.guardduty_quarantine.name
-  policy_arn = aws_iam_policy.guardduty_quarantine.arn
-}
-
-resource "aws_iam_policy" "guardduty_quarantine" {
-  name        = "${local.csi}-guardduty"
-  description = "Permissions for GuardDuty to provide S3 malware protection"
-  policy      = data.aws_iam_policy_document.guardduty_quarantine.json
-}
-
-data "aws_iam_policy_document" "guardduty_assumerole" {
-  statement {
-    sid    = "GuardDutyAssumeRole"
-    effect = "Allow"
-
-    actions = [
-      "sts:AssumeRole",
-    ]
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "malware-protection-plan.guardduty.amazonaws.com"
-      ]
-    }
-  }
-}
-
-#tfsec:ignore:aws-iam-no-policy-wildcards
-data "aws_iam_policy_document" "guardduty_quarantine" {
-  statement {
-    sid    = "AllowManagedRuleToSendS3EventsToGuardDuty"
-    effect = "Allow"
-    actions = [
-      "events:PutRule",
-      "events:DeleteRule",
-      "events:PutTargets",
-      "events:RemoveTargets"
-    ]
-    resources = [
-      "arn:aws:events:${var.region}:${var.aws_account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
-    ]
-    condition {
-      test     = "StringLike"
-      variable = "events:ManagedBy"
-      values = [
-        "malware-protection-plan.guardduty.amazonaws.com"
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowGuardDutyToMonitorEventBridgeManagedRule"
-    effect = "Allow"
-    actions = [
-      "events:DescribeRule",
-      "events:ListTargetsByRule"
-    ]
-    resources = [
-      "arn:aws:events:${var.region}:${var.aws_account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
-    ]
-  }
-
-  statement {
-    sid    = "AllowPostScanTag"
-    effect = "Allow"
-    actions = [
-      "S3:PutObjectTagging",
-      "S3:GetObjectTagging",
-      "S3:PutObjectVersionTagging",
-      "S3:GetObjectVersionTagging"
-    ]
-
-    resources = [
-      "${module.s3bucket_quarantine.arn}/*"
-    ]
-  }
-
-  statement {
-    sid    = "AllowEnableS3EventBridgeEvents"
-    effect = "Allow"
-    actions = [
-      "s3:PutBucketNotification",
-      "s3:GetBucketNotification"
-    ]
-    resources = [
-      module.s3bucket_quarantine.arn
-    ]
-  }
-
-  statement {
-    sid    = "AllowPutValidationObject"
-    effect = "Allow"
-    actions = [
-      "s3:PutObject"
-    ]
-    resources = [
-      "${module.s3bucket_quarantine.arn}/malware-protection-resource-validation-object"
-    ]
-  }
-
-  statement {
-    sid    = "AllowCheckBucketOwnership"
-    effect = "Allow"
-    actions = [
-      "s3:ListBucket"
-    ]
-    resources = [
-      module.s3bucket_quarantine.arn
-    ]
-  }
-  statement {
-    sid    = "AllowMalwareScan"
-    effect = "Allow"
-    actions = [
-      "s3:GetObject",
-      "s3:GetObjectVersion"
-    ]
-
-    resources = [
-      "${module.s3bucket_quarantine.arn}/*"
-    ]
-  }
-
-  statement {
-    sid    = "AllowKMSDecrypt"
-    effect = "Allow"
-    actions = [
-      "kms:GenerateDataKey",
-      "kms:Decrypt"
-    ]
-    resources = [
-      var.kms_key_arn
-    ]
-    condition {
-      test     = "StringLike"
-      variable = "kms:ViaService"
-      values = [
-        "s3.*.amazonaws.com"
-      ]
-    }
-  }
-}