CCM-8572: add lambdas tf and set up routing

Author: harrim91

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_complete.tf

@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_event_rule" "virus_scan_failed" {
   name        = "${local.csi}-virus-scan-failed"
-  description = "Forwards enriched events to SQS from quarantine bucket where GuardDuty virus scan has failed"
+  description = "Forwards enriched events from quarantine bucket where GuardDuty virus scan has failed"
 
   event_pattern = jsonencode({
     source      = ["templates.${var.environment}.${var.project}"]
@@ -18,40 +18,39 @@ resource "aws_cloudwatch_event_rule" "virus_scan_failed" {
   })
 }
 
-resource "aws_cloudwatch_event_target" "virus_scan_failed" {
+resource "aws_cloudwatch_event_target" "scan_failed_delete_object" {
   rule     = aws_cloudwatch_event_rule.virus_scan_failed.name
-  arn      = module.sqs_virus_scan_failed.sqs_queue_arn
-  role_arn = aws_iam_role.virus_scan_failed_to_sqs.arn
+  arn      = module.lambda_delete_failed_scanned_object.function_arn
+  role_arn = aws_iam_role.handle_scan_failed.arn
 }
 
-resource "aws_iam_role" "virus_scan_failed_to_sqs" {
-  name               = "${local.csi}-virus-scan-failed-to-sqs"
+resource "aws_cloudwatch_event_target" "scan_failed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.virus_scan_failed.name
+  arn      = module.lambda_set_letter_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.handle_scan_failed.arn
+}
+
+resource "aws_iam_role" "handle_scan_failed" {
+  name               = "${local.csi}-virus-scan-failed"
   assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
 }
 
-resource "aws_iam_role_policy" "virus_scan_failed_to_sqs" {
-  name   = "${local.csi}-virus-scan-failed-to-sqs"
-  role   = aws_iam_role.virus_scan_failed_to_sqs.id
-  policy = data.aws_iam_policy_document.virus_scan_failed_to_sqs.json
+resource "aws_iam_role_policy" "handle_scan_failed" {
+  name   = "${local.csi}-virus-scan-failed"
+  role   = aws_iam_role.handle_scan_failed.id
+  policy = data.aws_iam_policy_document.handle_scan_failed.json
 }
 
-data "aws_iam_policy_document" "virus_scan_failed_to_sqs" {
+data "aws_iam_policy_document" "handle_scan_failed" {
   version = "2012-10-17"
 
   statement {
-    sid       = "AllowSQSSendMessage"
-    effect    = "Allow"
-    actions   = ["sqs:SendMessage"]
-    resources = [module.sqs_virus_scan_failed.sqs_queue_arn]
-  }
-
-  statement {
-    sid    = "AllowKMS"
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey"
+    sid     = "AllowLambdaInvoke"
+    effect  = "Allow"
+    actions = ["lambda:InvokeFunction"]
+    resources = [
+      module.lambda_delete_failed_scanned_object.function_arn,
+      module.lambda_set_letter_file_virus_scan_status.function_arn,
     ]
-    resources = [var.kms_key_arn]
   }
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_failed.tf

@@ -15,12 +15,13 @@ locals {
   })
 
   backend_lambda_entrypoints = {
-    create_template        = "src/templates/create.ts"
-    create_letter_template = "src/templates/create-letter.ts"
-    get_template           = "src/templates/get.ts"
-    update_template        = "src/templates/update.ts"
-    list_template          = "src/templates/list.ts"
-    template_client        = "src/index.ts"
+    create_template                   = "src/templates/create.ts"
+    create_letter_template            = "src/templates/create-letter.ts"
+    get_template                      = "src/templates/get.ts"
+    update_template                   = "src/templates/update.ts"
+    list_template                     = "src/templates/list.ts"
+    template_client                   = "src/index.ts"
+    set_letter_file_virus_scan_status = "src/set-letter-file-virus-scan-status.ts"
   }
 
   dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn

infrastructure/terraform/modules/backend-api/locals.tf

@@ -8,6 +8,7 @@ module "build_template_lambda" {
     local.backend_lambda_entrypoints.get_template,
     local.backend_lambda_entrypoints.update_template,
     local.backend_lambda_entrypoints.list_template,
+    local.backend_lambda_entrypoints.set_letter_file_virus_scan_status,
   ]
 }
 

infrastructure/terraform/modules/backend-api/module_build_template_lambda.tf

@@ -0,0 +1,11 @@
+module "build_virus_scan_lambdas" {
+  source = "../typescript-build-zip"
+
+  source_code_dir = abspath("${path.module}/../../../../lambdas/virus-scan")
+
+  entrypoints = [
+    "src/copy-scanned-object-to-internal.ts",
+    "src/delete-failed-scanned-object.ts",
+    "src/get-s3-object-tags.ts"
+  ]
+}

infrastructure/terraform/modules/backend-api/module_build_virus_scan_lambdas.tf

@@ -0,0 +1,59 @@
+module "lambda_copy_scanned_object_to_internal" {
+  source      = "../lambda-function"
+  description = "Copies quarantine files that have passed virus scan check to internal bucket"
+
+  function_name    = "${local.csi}-copy-scanned-object-to-internal"
+  filename         = module.build_virus_scan_lambdas.zips["src/copy-scanned-object-to-internal.ts"].path
+  source_code_hash = module.build_virus_scan_lambdas.zips["src/copy-scanned-object-to-internal.ts"].base64sha256
+  handler          = "copy-scanned-object-to-internal.handler"
+
+  environment_variables = {
+    TEMPLATES_INTERNAL_S3_BUCKET_NAME = module.s3bucket_internal.id
+  }
+
+  log_retention_in_days = var.log_retention_in_days
+
+  execution_role_policy_document = data.aws_iam_policy_document.copy_scanned_object_to_internal.json
+}
+
+data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
+  statement {
+    sid    = "AllowS3QuarantineList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:ListBucketVersions",
+    ]
+
+    resources = [module.s3bucket_quarantine.arn]
+  }
+
+  statement {
+    sid    = "AllowS3QuarantineGetObject"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersionTagging",
+    ]
+
+    resources = ["${module.s3bucket_quarantine.arn}/*"]
+  }
+
+  statement {
+    sid    = "AllowS3InternalWrite"
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectVersion",
+      "s3:PutObjectTagging",
+      "s3:PutObjectVersionTagging",
+    ]
+
+    resources = ["${module.s3bucket_internal.arn}/*"]
+  }
+}

infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf

@@ -0,0 +1,26 @@
+module "lambda_delete_failed_scanned_object" {
+  source      = "../lambda-function"
+  description = "Deletes quarantine files that have failed virus scan check"
+
+  function_name    = "${local.csi}-delete-failed-scanned-object"
+  filename         = module.build_virus_scan_lambdas.zips["src/delete-failed-scanned-object.ts"].path
+  source_code_hash = module.build_virus_scan_lambdas.zips["src/delete-failed-scanned-object.ts"].base64sha256
+  handler          = "delete-failed-scanned-object.handler"
+
+  log_retention_in_days = var.log_retention_in_days
+
+  execution_role_policy_document = data.aws_iam_policy_document.delete_failed_scanned_object.json
+}
+
+data "aws_iam_policy_document" "delete_failed_scanned_object" {
+  statement {
+    sid    = "AllowS3QuarantineDelete"
+    effect = "Allow"
+
+    actions = [
+      "s3:DeleteObject"
+    ]
+
+    resources = ["${module.s3bucket_quarantine.arn}/*"]
+  }
+}

infrastructure/terraform/modules/backend-api/module_lambda_delete_failed_scanned_object.tf

@@ -3,8 +3,8 @@ module "lambda_get_s3_object_tags" {
   description = "Get S3 Object Tags"
 
   function_name    = "${local.csi}-get-s3-object-tags"
-  filename         = module.build_get_s3_object_tags_lambda.zips["src/get-s3-object-tags.ts"].path
-  source_code_hash = module.build_get_s3_object_tags_lambda.zips["src/get-s3-object-tags.ts"].base64sha256
+  filename         = module.build_virus_scan_lambdas.zips["src/get-s3-object-tags.ts"].path
+  source_code_hash = module.build_virus_scan_lambdas.zips["src/get-s3-object-tags.ts"].base64sha256
   handler          = "get-s3-object-tags.handler"
 
   log_retention_in_days = var.log_retention_in_days
@@ -13,29 +13,30 @@ module "lambda_get_s3_object_tags" {
 }
 
 data "aws_iam_policy_document" "get_s3_object_tags" {
-  statement {
-    sid    = "AllowSQS"
-    effect = "Allow"
+  # TODO: should this be here? Not on the pipe?
+  # statement {
+  #   sid    = "AllowSQS"
+  #   effect = "Allow"
 
-    actions = [
-      "sqs:DeleteMessage",
-      "sqs:GetQueueAttributes",
-      "sqs:ReceiveMessage",
-    ]
+  #   actions = [
+  #     "sqs:DeleteMessage",
+  #     "sqs:GetQueueAttributes",
+  #     "sqs:ReceiveMessage",
+  #   ]
 
-    resources = [module.sqs_quarantine_tags_added.sqs_queue_arn]
-  }
+  #   resources = [module.sqs_quarantine_tags_added.sqs_queue_arn]
+  # }
 
-  statement {
-    sid    = "AllowKMS"
-    effect = "Allow"
+  # statement {
+  #   sid    = "AllowKMS"
+  #   effect = "Allow"
 
-    actions = [
-      "kms:Decrypt",
-    ]
+  #   actions = [
+  #     "kms:Decrypt",
+  #   ]
 
-    resources = [var.kms_key_arn]
-  }
+  #   resources = [var.kms_key_arn]
+  # }
 
   statement {
     sid    = "AllowS3Read"
@@ -51,14 +52,3 @@ data "aws_iam_policy_document" "get_s3_object_tags" {
     resources = ["${module.s3bucket_quarantine.arn}/*"]
   }
 }
-
-module "build_get_s3_object_tags_lambda" {
-  source = "../typescript-build-zip"
-
-  source_code_dir = abspath("${path.module}/../../../../lambdas/get-s3-object-tags")
-
-  entrypoints = [
-    "src/get-s3-object-tags.ts"
-  ]
-}
-

infrastructure/terraform/modules/backend-api/module_lambda_get_s3_object_tags.tf

@@ -0,0 +1,50 @@
+module "lambda_set_letter_file_virus_scan_status" {
+  source      = "../lambda-function"
+  description = "Sets virus scan status on letter files"
+
+  function_name    = "${local.csi}-set-letter-file-virus-scan-status"
+  filename         = module.build_template_lambda.zips[local.backend_lambda_entrypoints.set_letter_file_virus_scan_status].path
+  source_code_hash = module.build_template_lambda.zips[local.backend_lambda_entrypoints.set_letter_file_virus_scan_status].base64sha256
+  handler          = "set-letter-file-virus-scan-status.handler"
+
+  environment_variables = {
+    TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name
+  }
+
+
+  log_retention_in_days = var.log_retention_in_days
+
+  execution_role_policy_document = data.aws_iam_policy_document.set_letter_file_virus_scan_status.json
+}
+
+data "aws_iam_policy_document" "set_letter_file_virus_scan_status" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.templates.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      local.dynamodb_kms_key_arn,
+    ]
+  }
+}