Merge branch 'feature/CCM-9037_internal-bucket' into feature/CCM-8585-upload-pdf-backend-squash

Author: alexnuttall

infrastructure/terraform/components/acct/module_s3bucket_access_logs.tf

@@ -92,7 +92,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      module.s3bucket_lambda_artefacts.arn,
+      module.s3bucket_access_logs.arn,
     ]
 
     principals {
@@ -112,7 +112,7 @@ data "aws_iam_policy_document" "s3bucket_access_logs" {
     ]
 
     resources = [
-      "${module.s3bucket_lambda_artefacts.arn}/*",
+      "${module.s3bucket_access_logs.arn}/*",
     ]
 
     principals {

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -0,0 +1,15 @@
+module "kms_sandbox" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v1.0.8"
+
+  count = var.support_sandbox_environments ? 1 : 0
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name            = "sandbox"
+  deletion_window = var.kms_deletion_window
+  alias           = "alias/${local.csi}-sandbox"
+}

infrastructure/terraform/components/acct/variables.tf

@@ -70,3 +70,15 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "kms_deletion_window" {
+  type        = string
+  description = "When a kms key is deleted, how long should it wait in the pending deletion state?"
+  default     = "30"
+}
+
+variable "support_sandbox_environments" {
+  type        = bool
+  description = "Does this account support dev sandbox environments?"
+  default     = false
+}

infrastructure/terraform/components/app/module_backend_api.tf

@@ -18,4 +18,6 @@ module "backend_api" {
   enable_backup = var.destination_vault_arn != null ? true : false
 
   enable_letters = var.enable_letters
+
+  kms_key_arn = module.kms.key_arn
 }

infrastructure/terraform/components/sandbox/data_acct_kms_key.tf

@@ -0,0 +1,3 @@
+data "aws_kms_key" "sandbox" {
+  key_id = "${var.project}-main-acct-sandbox"
+}

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -6,15 +6,18 @@ module "backend_api" {
   aws_account_id        = var.aws_account_id
   region                = var.region
   group                 = var.group
+  component             = var.component
   csi                   = local.csi
   log_retention_in_days = var.log_retention_in_days
 
-  shared_kms_key_arn = module.kms.key_arn
 
   cognito_config = {
     USER_POOL_ID        = aws_cognito_user_pool.sandbox.id
     USER_POOL_CLIENT_ID = aws_cognito_user_pool_client.sandbox.id
   }
 
   enable_letters = true
+
+  kms_key_arn          = data.aws_kms_key.sandbox.arn
+  dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -17,6 +17,7 @@ No requirements.
 | <a name="input_enable_letters"></a> [enable\_letters](#input\_enable\_letters) | Enable letters feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf

@@ -26,12 +26,12 @@ resource "aws_dynamodb_table" "templates" {
 
   server_side_encryption {
     enabled     = true
-    kms_key_arn = aws_kms_key.dynamo.arn
+    kms_key_arn = local.dynamodb_kms_key_arn
   }
 
-    tags = {
-      "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True": "False"
-    }
+  tags = {
+    "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True" : "False"
+  }
 
   lifecycle {
     ignore_changes = [

infrastructure/terraform/modules/backend-api/kms_key_dynamo.tf

@@ -1,4 +1,5 @@
 resource "aws_kms_key" "dynamo" {
+  count                   = var.dynamodb_kms_key_arn == "" ? 1 : 0
   description             = "CMK for encrypting dynamodb data"
   deletion_window_in_days = 14
   enable_key_rotation     = true

infrastructure/terraform/modules/backend-api/locals.tf

@@ -1,5 +1,5 @@
 locals {
-  csi        = "${var.csi}-${var.component}"
+  csi = "${var.csi}-${var.component}"
 
   lambdas_source_code_dir = abspath("${path.module}/../../../../lambdas")
 
@@ -22,4 +22,6 @@ locals {
     list_template          = "src/templates/list.ts"
     template_client        = "src/index.ts"
   }
+
+  dynamodb_kms_key_arn = var.dynamodb_kms_key_arn == "" ? aws_kms_key.dynamo[0].arn : var.dynamodb_kms_key_arn
 }