NHSDigital
diff --git a/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_scan_result.tf‎
Lines changed: 15 additions & 25 deletions b/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_scan_result.tf‎
Lines changed: 15 additions & 25 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_failed.tf‎
Lines changed: 4 additions & 17 deletions b/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_failed.tf‎
Lines changed: 4 additions & 17 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_passed.tf‎
Lines changed: 4 additions & 17 deletions b/‎infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_passed.tf‎
Lines changed: 4 additions & 17 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/locals.tf‎
Lines changed: 22 additions & 7 deletions b/‎infrastructure/terraform/modules/backend-api/locals.tf‎
Lines changed: 22 additions & 7 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_build_template_lambda.tf‎
Lines changed: 2 additions & 0 deletions b/‎infrastructure/terraform/modules/backend-api/module_build_template_lambda.tf‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_build_virus_scan_lambdas.tf‎
Lines changed: 0 additions & 11 deletions b/‎infrastructure/terraform/modules/backend-api/module_build_virus_scan_lambdas.tf‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf‎
Lines changed: 1 addition & 5 deletions b/‎infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf‎
Lines changed: 1 addition & 3 deletions b/‎infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf‎
Lines changed: 1 addition & 4 deletions b/‎infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf‎
Lines changed: 3 additions & 9 deletions b/‎infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf‎
Lines changed: 3 additions & 9 deletions
@@ -1,6 +1,6 @@
-resource "aws_cloudwatch_event_rule" "quarantine_scan_result" {
-  name        = "${local.csi}-quarantine-tags-added"
-  description = "Forwards quarantine 'GuardDuty Malware Protection Object Scan Result' events for enrichment"
+resource "aws_cloudwatch_event_rule" "quarantine_guardduty_scan_result" {
+  name        = "${local.csi}-quarantine-scan"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events"
 
   event_pattern = jsonencode({
     source      = ["aws.guardduty"]
@@ -15,40 +15,30 @@ resource "aws_cloudwatch_event_rule" "quarantine_scan_result" {
   })
 }
 
-resource "aws_cloudwatch_event_target" "quarantine_scan_to_enrichment" {
-  rule     = aws_cloudwatch_event_rule.quarantine_scan_result.name
-  arn      = module.sqs_quarantine_scan_enrichment.sqs_queue_arn
-  role_arn = aws_iam_role.quarantine_scan_to_enrichment.arn
+resource "aws_cloudwatch_event_target" "quarantine_scan_to_update_status" {
+  rule     = aws_cloudwatch_event_rule.quarantine_guardduty_scan_result.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_to_update_status.arn
 }
 
-resource "aws_iam_role" "quarantine_scan_to_enrichment" {
+resource "aws_iam_role" "quarantine_scan_to_update_status" {
   name               = "${local.csi}-quarantine-scan-to-enrichment"
   assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
 }
 
-resource "aws_iam_role_policy" "quarantine_scan_to_enrichment" {
+resource "aws_iam_role_policy" "quarantine_scan_to_update_status" {
   name   = "${local.csi}-quarantine-scan-to-enrichment"
-  role   = aws_iam_role.quarantine_scan_to_enrichment.id
-  policy = data.aws_iam_policy_document.quarantine_scan_to_enrichment.json
+  role   = aws_iam_role.quarantine_scan_to_update_status.id
+  policy = data.aws_iam_policy_document.quarantine_scan_to_update_status.json
 }
 
-data "aws_iam_policy_document" "quarantine_scan_to_enrichment" {
+data "aws_iam_policy_document" "quarantine_scan_to_update_status" {
   version = "2012-10-17"
 
   statement {
-    sid       = "AllowSQSSendMessage"
+    sid       = "AllowLambdaInvoke"
     effect    = "Allow"
-    actions   = ["sqs:SendMessage"]
-    resources = [module.sqs_quarantine_scan_enrichment.sqs_queue_arn]
-  }
-
-  statement {
-    sid    = "AllowKMS"
-    effect = "Allow"
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey"
-    ]
-    resources = [var.kms_key_arn]
+    actions   = ["lambda:InvokeFunction"]
+    resources = [module.lambda_set_file_virus_scan_status.function_arn]
   }
 }
@@ -1,18 +1,12 @@
 resource "aws_cloudwatch_event_rule" "virus_scan_failed" {
   name        = "${local.csi}-virus-scan-failed"
-  description = "Forwards enriched events from quarantine bucket where GuardDuty virus scan has failed"
+  description = "Forwards 'template-file-scanned' domain events where virus scan has failed"
 
   event_pattern = jsonencode({
-    source      = ["templates.${var.environment}.${var.project}"]
-    detail-type = ["quarantine-scan-result-enriched"]
+    source      = [local.event_source]
+    detail-type = ["template-file-scanned"]
     detail = {
-      s3ObjectDetails = {
-        bucketName = [module.s3bucket_quarantine.id]
-        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
-      }
-      scanResultDetails = {
-        scanResultStatus = [{ anything-but = "NO_THREATS_FOUND" }]
-      }
+      virusScanStatus = ["FAILED"]
     }
   })
 }
@@ -23,12 +17,6 @@ resource "aws_cloudwatch_event_target" "scan_failed_delete_object" {
   role_arn = aws_iam_role.handle_scan_failed.arn
 }
 
-resource "aws_cloudwatch_event_target" "scan_failed_set_file_status" {
-  rule     = aws_cloudwatch_event_rule.virus_scan_failed.name
-  arn      = module.lambda_set_file_virus_scan_status.function_arn
-  role_arn = aws_iam_role.handle_scan_failed.arn
-}
-
 resource "aws_iam_role" "handle_scan_failed" {
   name               = "${local.csi}-virus-scan-failed"
   assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
@@ -49,7 +37,6 @@ data "aws_iam_policy_document" "handle_scan_failed" {
     actions = ["lambda:InvokeFunction"]
     resources = [
       module.lambda_delete_failed_scanned_object.function_arn,
-      module.lambda_set_file_virus_scan_status.function_arn,
     ]
   }
 }
@@ -1,18 +1,12 @@
 resource "aws_cloudwatch_event_rule" "virus_scan_passed" {
   name        = "${local.csi}-virus-scan-passed"
-  description = "Forwards enriched events from quarantine bucket where GuardDuty virus scan has passed with no threats"
+  description = "Forwards 'template-file-scanned' domain events where virus scan has passed with no threats"
 
   event_pattern = jsonencode({
-    source      = ["templates.${var.environment}.${var.project}"]
-    detail-type = ["quarantine-scan-result-enriched"]
+    source      = [local.event_source]
+    detail-type = ["template-file-scanned"]
     detail = {
-      s3ObjectDetails = {
-        bucketName = [module.s3bucket_quarantine.id]
-        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
-      }
-      scanResultDetails = {
-        scanResultStatus = ["NO_THREATS_FOUND"]
-      }
+      virusScanStatus = ["PASSED"]
     }
   })
 }
@@ -23,12 +17,6 @@ resource "aws_cloudwatch_event_target" "scan_passed_copy_object" {
   role_arn = aws_iam_role.handle_scan_passed.arn
 }
 
-resource "aws_cloudwatch_event_target" "scan_passed_set_file_status" {
-  rule     = aws_cloudwatch_event_rule.virus_scan_passed.name
-  arn      = module.lambda_set_file_virus_scan_status.function_arn
-  role_arn = aws_iam_role.handle_scan_passed.arn
-}
-
 resource "aws_iam_role" "handle_scan_passed" {
   name               = "${local.csi}-virus-scan-passed"
   assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
@@ -49,7 +37,6 @@ data "aws_iam_policy_document" "handle_scan_passed" {
     actions = ["lambda:InvokeFunction"]
     resources = [
       module.lambda_copy_scanned_object_to_internal.function_arn,
-      module.lambda_set_file_virus_scan_status.function_arn,
     ]
   }
 }
@@ -15,14 +15,29 @@ locals {
   })
 
   backend_lambda_entrypoints = {
-    create_template            = "src/templates/create.ts"
-    create_letter_template     = "src/templates/create-letter.ts"
-    get_template               = "src/templates/get.ts"
-    update_template            = "src/templates/update.ts"
-    list_template              = "src/templates/list.ts"
-    set_file_virus_scan_status = "src/templates/set-letter-file-virus-scan-status.ts"
-    template_client            = "src/index.ts"
+    create_template                 = "src/templates/create.ts"
+    create_letter_template          = "src/templates/create-letter.ts"
+    get_template                    = "src/templates/get.ts"
+    update_template                 = "src/templates/update.ts"
+    list_template                   = "src/templates/list.ts"
+    set_file_virus_scan_status      = "src/templates/set-letter-file-virus-scan-status.ts"
+    copy_scanned_object_to_internal = "src/templates/copy-scanned-object-to-internal.ts"
+    delete_failed_scanned_object    = "src/templates/delete-failed-scanned-object.ts"
+    template_client                 = "src/index.ts"
+  }
+
+  backend_lambda_environment_variables = {
+    ENABLE_LETTERS_BACKEND           = var.enable_letters
+    ENVIRONMENT                      = var.environment
+    NODE_OPTIONS                     = "--enable-source-maps"
+    TEMPLATES_QUARANTINE_BUCKET_NAME = module.s3bucket_quarantine.id
+    TEMPLATES_INTERNAL_BUCKET_NAME   = module.s3bucket_internal.id
+    TEMPLATES_EVENT_BUS_NAME         = data.aws_cloudwatch_event_bus.default.name
+    TEMPLATES_EVENT_SOURCE           = local.event_source
+    TEMPLATES_TABLE_NAME             = aws_dynamodb_table.templates.name
   }
 
   dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
+
+  event_source = "templates.${var.environment}.${var.project}"
 }
@@ -9,6 +9,8 @@ module "build_template_lambda" {
     local.backend_lambda_entrypoints.update_template,
     local.backend_lambda_entrypoints.list_template,
     local.backend_lambda_entrypoints.set_file_virus_scan_status,
+    local.backend_lambda_entrypoints.copy_scanned_object_to_internal,
+    local.backend_lambda_entrypoints.delete_failed_scanned_object,
   ]
 }
 
 
@@ -13,11 +13,7 @@ module "create_letter_template_lambda" {
 
   log_retention_in_days = var.log_retention_in_days
 
-  environment_variables = {
-    TEMPLATES_TABLE_NAME   = aws_dynamodb_table.templates.name
-    QUARANTINE_BUCKET_NAME = module.s3bucket_quarantine.bucket
-    ENABLE_LETTERS_BACKEND = var.enable_letters
-  }
+  environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_letter_template_lambda_policy.json
 }
 
@@ -12,9 +12,7 @@ module "create_template_lambda" {
 
   log_retention_in_days = var.log_retention_in_days
 
-  environment_variables = {
-    TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name
-  }
+  environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json
 }
 
@@ -12,10 +12,7 @@ module "get_template_lambda" {
 
   log_retention_in_days = var.log_retention_in_days
 
-  environment_variables = {
-    TEMPLATES_TABLE_NAME   = aws_dynamodb_table.templates.name
-    ENABLE_LETTERS_BACKEND = var.enable_letters
-  }
+  environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json
 }
 
@@ -4,15 +4,13 @@ module "lambda_copy_scanned_object_to_internal" {
 
   dead_letter_target_arn         = module.sqs_virus_scan_passed_copy_object_dlq.sqs_queue_arn
   execution_role_policy_document = data.aws_iam_policy_document.copy_scanned_object_to_internal.json
-  filename                       = module.build_virus_scan_lambdas.zips["src/copy-scanned-object-to-internal.ts"].path
+  filename                       = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].path
   function_name                  = "${local.csi}-copy-scanned-file"
   handler                        = "copy-scanned-object-to-internal.handler"
   log_retention_in_days          = var.log_retention_in_days
-  source_code_hash               = module.build_virus_scan_lambdas.zips["src/copy-scanned-object-to-internal.ts"].base64sha256
+  source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].base64sha256
 
-  environment_variables = {
-    TEMPLATES_INTERNAL_S3_BUCKET_NAME = module.s3bucket_internal.id
-  }
+  environment_variables = local.backend_lambda_environment_variables
 }
 
 data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
@@ -34,9 +32,7 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
 
     actions = [
       "s3:GetObject",
-      "s3:GetObjectVersion",
       "s3:GetObjectTagging",
-      "s3:GetObjectVersionTagging",
     ]
 
     resources = ["${module.s3bucket_quarantine.arn}/*"]
@@ -48,9 +44,7 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
 
     actions = [
       "s3:PutObject",
-      "s3:PutObjectVersion",
       "s3:PutObjectTagging",
-      "s3:PutObjectVersionTagging",
     ]
 
     resources = ["${module.s3bucket_internal.arn}/*"]
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ module "build_template_lambda" {`
`9`	`9`	`local.backend_lambda_entrypoints.update_template,`
`10`	`10`	`local.backend_lambda_entrypoints.list_template,`
`11`	`11`	`local.backend_lambda_entrypoints.set_file_virus_scan_status,`
	`12`	`+ local.backend_lambda_entrypoints.copy_scanned_object_to_internal,`
	`13`	`+ local.backend_lambda_entrypoints.delete_failed_scanned_object,`
`12`	`14`	`]`
`13`	`15`	`}`
`14`	`16`
Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,7 @@ module "create_template_lambda" {`
`12`	`12`
`13`	`13`	`log_retention_in_days = var.log_retention_in_days`
`14`	`14`
`15`		`- environment_variables = {`
`16`		`- TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name`
`17`		`- }`
	`15`	`+ environment_variables = local.backend_lambda_environment_variables`
`18`	`16`
`19`	`17`	`execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json`
`20`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,10 +12,7 @@ module "get_template_lambda" {`
`12`	`12`
`13`	`13`	`log_retention_in_days = var.log_retention_in_days`
`14`	`14`
`15`		`- environment_variables = {`
`16`		`- TEMPLATES_TABLE_NAME = aws_dynamodb_table.templates.name`
`17`		`- ENABLE_LETTERS_BACKEND = var.enable_letters`
`18`		`- }`
	`15`	`+ environment_variables = local.backend_lambda_environment_variables`
`19`	`16`
`20`	`17`	`execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json`
`21`	`18`	`}`