Merge branch 'feature/CCM-9037_internal-bucket' into feature/CCM-8572_template-security-scan

Author: harrim91

.github/actions/normalize-branch-name/action.yaml

@@ -2,11 +2,17 @@ name: "Normalize branch name"
 description: "Normalize branch name"
 outputs:
   normalized_branch_name:
+    description: 10 character branch identifier (0000-branch)
     value: ${{ steps.normalize_branch_name.outputs.normalized_branch_name }}
 runs:
   using: "composite"
   steps:
     - id: normalize_branch_name
       shell: bash
-      run: echo "normalized_branch_name=$(sed -e 's/[^a-zA-Z0-9-]//g' <<< $(git rev-parse --abbrev-ref HEAD) | tr '[:upper:]' '[:lower:]' | head -c 25)" >> $GITHUB_OUTPUT
-
+      run: |
+        branch=$(git rev-parse --abbrev-ref HEAD)
+        stripped=$(echo $branch | sed -e 's/[^a-zA-Z0-9-]//g' | tr '[:upper:]' '[:lower:]')
+        starting_from_jira_ref=$(echo $stripped | sed -n 's/.*\([0-9]\{4,\}.*\)/\1/p')
+        with_fallback=${starting_from_jira_ref:-$stripped}
+        chopped=$(echo $with_fallback | head -c 10)
+        echo "normalized_branch_name=$chopped" >> $GITHUB_OUTPUT

infrastructure/terraform/components/acct/README.md

@@ -18,14 +18,17 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_root_domain_name"></a> [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no |
+| <a name="input_support_sandbox_environments"></a> [support\_sandbox\_environments](#input\_support\_sandbox\_environments) | Does this account support dev sandbox environments? | `bool` | `false` | no |
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 ## Outputs

infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf

@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      module.s3bucket_lambda_artefacts.arn,
+      module.s3bucket_access_logs.arn,
     ]
 
     principals {
@@ -112,7 +112,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      "${module.s3bucket_lambda_artefacts.arn}/*",
+      "${module.s3bucket_access_logs.arn}/*",
     ]
 
     principals {

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -0,0 +1,15 @@
+module "kms_sandbox" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
+
+  count = var.support_sandbox_environments ? 1 : 0
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name            = "sandbox"
+  deletion_window = var.kms_deletion_window
+  alias           = "alias/${local.csi}-sandbox"
+}

infrastructure/terraform/components/acct/variables.tf

@@ -70,3 +70,15 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "kms_deletion_window" {
+  type        = string
+  description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
+  default     = "30"
+}
+
+variable "support_sandbox_environments" {
+  type        = bool
+  description = "Does this account support dev sandbox environments?"
+  default     = false
+}

infrastructure/terraform/components/app/README.md

@@ -36,6 +36,7 @@
 | <a name="input_event_delivery_logging_success_sample_percentage"></a> [event\_delivery\_logging\_success\_sample\_percentage](#input\_event\_delivery\_logging\_success\_sample\_percentage) | Enable caching of events to an S3 bucket | `number` | `0` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of KMS Key used for encrypting application data | `string` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |

infrastructure/terraform/components/app/module_backend_api.tf

@@ -17,4 +17,5 @@ module "backend_api" {
   enable_backup = var.destination_vault_arn != null ? true : false
 
   enable_letters = var.enable_letters
+
 }

infrastructure/terraform/components/sandbox/README.md

@@ -14,6 +14,7 @@ No requirements.
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

infrastructure/terraform/components/sandbox/data_acct_kms_key.tf

@@ -0,0 +1,3 @@
+data "aws_kms_key" "sandbox" {
+  key_id = "alias/${var.project}-main-acct-sandbox"
+}

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -6,14 +6,17 @@ module "backend_api" {
   aws_account_id        = var.aws_account_id
   region                = var.region
   group                 = var.group
+  component             = var.component
   csi                   = local.csi
   log_retention_in_days = var.log_retention_in_days
-  kms_key_arn           = module.kms.key_arn
 
   cognito_config = {
     USER_POOL_ID        = aws_cognito_user_pool.sandbox.id
     USER_POOL_CLIENT_ID = aws_cognito_user_pool_client.sandbox.id
   }
 
   enable_letters = true
+
+  kms_key_arn          = data.aws_kms_key.sandbox.arn
+  dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
 }