Merge pull request #271 from NHSDigital/CCM-7890_TemplateMgmtBackups

CCM-7890 template mgmt backups

Author: aidenvaines-cgi

.github/actions/tfsec/action.yaml

@@ -8,12 +8,13 @@ runs:
     - name: "TFSec Scan - Components"
       shell: bash
       run: |
-        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $component
-        done
-    - name: "TFSec Scan - Modules"
-      shell: bash
-      run: |
-        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $module
-        done
+        components_exit_code=0
+        modules_exit_code=0
+
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
+        ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+
+        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+          echo "One or more TFSec scans failed."
+          exit 1
+        fi

.gitignore

@@ -11,6 +11,7 @@
 !project.code-workspace
 .rej
 *.porig
+.vscode/launch.json
 
 # Please, add your custom content below!
 
@@ -67,17 +68,17 @@ terraform/*_output.json
 group_target-env.tfvars
 *tf_outputs.json
 
+# Amplify
 amplify_outputs.json
+.amplify
+sandbox_cognito_auth_token.json
+frontend/public/testing
+frontend/amplify/functions/send-email/email-template.json
+auth.json
 
 # playwright
 test-results/
 tests/test-team/test-results/
 tests/test-team/playwright-report/
 tests/test-team/blob-report/
 tests/test-team/playwright/.cache/
-
-sandbox_cognito_auth_token.json
-
-frontend/public/testing
-.vscode/launch.json
-auth.json

infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf

@@ -21,6 +21,7 @@ data "aws_iam_policy_document" "github_deploy" {
       "cloudformation:*",
       "cognito-idp:*",
       "ses:*",
+      "sns:*",
     ]
     resources = ["*"]
   }

infrastructure/terraform/components/acct/module_s3bucket_backup_reports.tf

@@ -0,0 +1,146 @@
+module "s3bucket_backup_reports" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.5"
+
+  name = "backup-reports"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_backup_reports.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "AWS Backup Reports for enabled environments"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_backup_reports" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_backup_reports.arn,
+      "${module.s3bucket_backup_reports.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_backup_reports.arn,
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_backup_reports.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${module.s3bucket_backup_reports.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.aws_account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values = [
+        "bucket-owner-full-control"
+      ]
+    }
+  }
+}

infrastructure/terraform/components/acct/outputs.tf

@@ -9,3 +9,13 @@ output "dns_zone" {
 output "github_pat_ssm_param_name" {
   value = aws_ssm_parameter.github_pat.name
 }
+
+output "s3_buckets" {
+  value = {
+    backup_reports = {
+      arn = module.s3bucket_backup_reports.arn
+      bucket = module.s3bucket_backup_reports.bucket
+      id  = module.s3bucket_backup_reports.id
+    }
+  }
+}

infrastructure/terraform/components/app/amplify_app.tf

@@ -35,7 +35,7 @@ resource "aws_amplify_app" "main" {
     NEXT_PUBLIC_DISABLE_CONTENT = var.disable_content
     AMPLIFY_MONOREPO_APP_ROOT   = "frontend"
     API_BASE_URL                = module.backend_api.api_base_url
-    USER_POOL_ID                = jsondecode(data.aws_ssm_parameter.cognito_config.value)["USER_POOL_ID"]
-    USER_POOL_CLIENT_ID         = jsondecode(data.aws_ssm_parameter.cognito_config.value)["USER_POOL_CLIENT_ID"]
+    USER_POOL_ID                = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_ID"]
+    USER_POOL_CLIENT_ID         = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_CLIENT_ID"]
   }
 }

infrastructure/terraform/components/app/module_backend_api.tf

@@ -1,3 +1,5 @@
+# TODO: CCM-8418
+# tfsec:ignore:aws-iam-no-policy-wildcards
 module "backend_api" {
   source = "../../modules/backend-api"
 
@@ -10,5 +12,7 @@ module "backend_api" {
   log_retention_in_days = var.log_retention_in_days
   email_domain_name     = local.root_domain_name
 
-  cognito_config        = jsondecode(data.aws_ssm_parameter.cognito_config.value)
+  cognito_config = jsondecode(aws_ssm_parameter.cognito_config.value)
+
+  enable_backup = var.destination_vault_arn != null ? true : false
 }

infrastructure/terraform/components/app/module_kms.tf

@@ -0,0 +1,46 @@
+module "kms" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.6"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name                 = "main"
+  deletion_window      = var.kms_deletion_window
+  alias                = "alias/${local.csi}"
+  key_policy_documents = [data.aws_iam_policy_document.kms.json]
+  iam_delegation       = true
+}
+
+data "aws_iam_policy_document" "kms" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.${var.region}.amazonaws.com",
+        "sns.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}

infrastructure/terraform/components/app/module_nhse_backup_vault.tf

@@ -0,0 +1,46 @@
+module "nhse_backup_vault" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source?ref=v1.0.7"
+  count = var.destination_vault_arn != null ? 1:0
+
+  component   = var.component
+  environment = var.environment
+  project     = var.project
+  backup_copy_vault_account_id = data.aws_arn.destination_vault_arn[0].account
+  backup_copy_vault_arn        = data.aws_arn.destination_vault_arn[0].arn
+
+  reports_bucket                     = local.acct.s3_buckets["backup_reports"]["bucket"]
+  notifications_target_email_address = var.backup_report_recipient
+  notification_kms_key               = module.kms.key_id
+
+  management_ci_role_arn = local.bootstrap.iam_github_deploy_role["arn"]
+  principal_org_id       = var.aws_principal_org_id
+
+  restore_testing_plan_scheduled_expression = "cron(0 4 ? * wed *)"
+  restore_testing_plan_start_window         = 1
+
+  backup_plan_config_dynamodb = {
+                                  "compliance_resource_types": [
+                                    "DynamoDB"
+                                  ],
+                                  "rules": [
+                                    {
+                                      "name": "${local.csi}-backup-rule",
+                                      "schedule": var.backup_schedule_cron,
+                                      "copy_action": {
+                                        "delete_after": var.retention_period
+                                      },
+                                      "lifecycle": {
+                                        "delete_after": var.retention_period
+                                      }
+                                    }
+                                  ],
+                                  "enable": true,
+                                  "selection_tag": "NHSE-Enable-Dynamo-Backup"
+                                }
+}
+
+data "aws_arn" "destination_vault_arn" {
+  count = var.destination_vault_arn != null ? 1:0
+
+  arn = var.destination_vault_arn
+}

infrastructure/terraform/components/app/ssm_parameter_cognito_config.tf

@@ -1,3 +1,13 @@
-data "aws_ssm_parameter" "cognito_config" {
-  name        = "/${local.csi}/cognito_config"
+resource "aws_ssm_parameter" "cognito_config" {
+  name  = "/${local.csi}/cognito_config"
+  type  = "String"
+
+  value = jsonencode({
+    "USER_POOL_ID":"unset",
+    "USER_POOL_CLIENT_ID":"unset"
+  })
+
+  lifecycle {
+    ignore_changes = [value]
+  }
 }