CCM-8574: add letter file validation

Author: harrim91

.gitignore

@@ -33,6 +33,7 @@ node_modules
 
 # production
 /build
+dist
 
 # misc
 .DS_Store

infrastructure/terraform/modules/backend-api/README.md

@@ -30,18 +30,18 @@ No requirements.
 | <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | ../lambda-function | n/a |
 | <a name="module_build_template_client"></a> [build\_template\_client](#module\_build\_template\_client) | ../typescript-build-zip | n/a |
 | <a name="module_build_template_lambda"></a> [build\_template\_lambda](#module\_build\_template\_lambda) | ../typescript-build-zip | n/a |
-| <a name="module_build_virus_scan_lambdas"></a> [build\_virus\_scan\_lambdas](#module\_build\_virus\_scan\_lambdas) | ../typescript-build-zip | n/a |
 | <a name="module_create_letter_template_lambda"></a> [create\_letter\_template\_lambda](#module\_create\_letter\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_create_template_lambda"></a> [create\_template\_lambda](#module\_create\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_get_template_lambda"></a> [get\_template\_lambda](#module\_get\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_lambda_copy_scanned_object_to_internal"></a> [lambda\_copy\_scanned\_object\_to\_internal](#module\_lambda\_copy\_scanned\_object\_to\_internal) | ../lambda-function | n/a |
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | ../lambda-function | n/a |
-| <a name="module_lambda_enrich_guardduty_scan_result"></a> [lambda\_enrich\_guardduty\_scan\_result](#module\_lambda\_enrich\_guardduty\_scan\_result) | ../lambda-function | n/a |
+| <a name="module_lambda_layer_pdfjs"></a> [lambda\_layer\_pdfjs](#module\_lambda\_layer\_pdfjs) | ../lambda_layer | n/a |
 | <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
+| <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
-| <a name="module_sqs_quarantine_scan_enrichment"></a> [sqs\_quarantine\_scan\_enrichment](#module\_sqs\_quarantine\_scan\_enrichment) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |
+| <a name="module_sqs_validate_letter_template_files_dlq"></a> [sqs\_validate\_letter\_template\_files\_dlq](#module\_sqs\_validate\_letter\_template\_files\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |
 | <a name="module_sqs_virus_scan_failed_delete_object_dlq"></a> [sqs\_virus\_scan\_failed\_delete\_object\_dlq](#module\_sqs\_virus\_scan\_failed\_delete\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |
 | <a name="module_sqs_virus_scan_passed_copy_object_dlq"></a> [sqs\_virus\_scan\_passed\_copy\_object\_dlq](#module\_sqs\_virus\_scan\_passed\_copy\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |
 | <a name="module_sqs_virus_scan_set_file_status_dlq"></a> [sqs\_virus\_scan\_set\_file\_status\_dlq](#module\_sqs\_virus\_scan\_set\_file\_status\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v1.0.8 |

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_no_threats.tf

@@ -0,0 +1,47 @@
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_no_threats" {
+  name        = "${local.csi}-quarantine-scan-no_threats"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+      scanResultDetails = {
+        scanResultStatus = ["NO_THREATS_FOUND"]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "guardduty_quarantine_scan_no_threats_copy_object" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_no_threats.name
+  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
+  role_arn = aws_iam_role.guardduty_quarantine_scan_no_threats.arn
+}
+
+resource "aws_iam_role" "guardduty_quarantine_scan_no_threats" {
+  name               = "${local.csi}-quarantine-scan-no-threats"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy" "guardduty_quarantine_scan_no_threats" {
+  name   = "${local.csi}-quarantine-scan-no-threats"
+  role   = aws_iam_role.guardduty_quarantine_scan_no_threats.id
+  policy = data.aws_iam_policy_document.guardduty_quarantine_scan_no_threats.json
+}
+
+data "aws_iam_policy_document" "guardduty_quarantine_scan_no_threats" {
+  version = "2012-10-17"
+
+  statement {
+    sid       = "AllowLambdaInvoke"
+    effect    = "Allow"
+    actions   = ["lambda:InvokeFunction"]
+    resources = [module.lambda_copy_scanned_object_to_internal.function_arn]
+  }
+}

…tch_event_rule_quarantine_scan_result.tf …rule_guardduty_quarantine_scan_result.tfinfrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_scan_result.tf renamed to infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_result.tf infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_scan_result.tf renamed to infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_result.tf

@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_event_rule" "quarantine_guardduty_scan_result" {
-  name        = "${local.csi}-quarantine-scan"
+  name        = "${local.csi}-quarantine-scan-result"
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events"
 
   event_pattern = jsonencode({
@@ -22,12 +22,12 @@ resource "aws_cloudwatch_event_target" "quarantine_scan_to_update_status" {
 }
 
 resource "aws_iam_role" "quarantine_scan_to_update_status" {
-  name               = "${local.csi}-quarantine-scan-to-enrichment"
+  name               = "${local.csi}-quarantine-scan-result"
   assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
 }
 
 resource "aws_iam_role_policy" "quarantine_scan_to_update_status" {
-  name   = "${local.csi}-quarantine-scan-to-enrichment"
+  name   = "${local.csi}-quarantine-scan-result"
   role   = aws_iam_role.quarantine_scan_to_update_status.id
   policy = data.aws_iam_policy_document.quarantine_scan_to_update_status.json
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_passed.tf

@@ -11,9 +11,9 @@ resource "aws_cloudwatch_event_rule" "virus_scan_passed" {
   })
 }
 
-resource "aws_cloudwatch_event_target" "scan_passed_copy_object" {
+resource "aws_cloudwatch_event_target" "scan_passed_send_to_validation" {
   rule     = aws_cloudwatch_event_rule.virus_scan_passed.name
-  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
+  arn      = module.lambda_validate_letter_template_files.function_arn
   role_arn = aws_iam_role.handle_scan_passed.arn
 }
 
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "handle_scan_passed" {
     effect  = "Allow"
     actions = ["lambda:InvokeFunction"]
     resources = [
-      module.lambda_copy_scanned_object_to_internal.function_arn,
+      module.lambda_validate_letter_template_files.function_arn,
     ]
   }
 }

infrastructure/terraform/modules/backend-api/locals.tf

@@ -1,7 +1,9 @@
 locals {
   csi = "${var.csi}-${var.component}"
 
-  lambdas_source_code_dir = abspath("${path.module}/../../../../lambdas")
+  monorepo_root               = abspath("${path.module}/../../../..")
+  lambdas_source_code_dir     = abspath("${local.monorepo_root}/lambdas")
+  pdfjs_layer_source_code_dir = abspath("${local.monorepo_root}/layers/pdfjs")
 
   openapi_spec = templatefile("${path.module}/spec.tmpl.json", {
     AWS_REGION               = var.region
@@ -23,6 +25,7 @@ locals {
     set_file_virus_scan_status      = "src/templates/set-letter-file-virus-scan-status.ts"
     copy_scanned_object_to_internal = "src/templates/copy-scanned-object-to-internal.ts"
     delete_failed_scanned_object    = "src/templates/delete-failed-scanned-object.ts"
+    validate_letter_template_files  = "src/templates/validate-letter-template-files.ts"
     template_client                 = "src/index.ts"
   }
 

infrastructure/terraform/modules/backend-api/module_build_template_lambda.tf

@@ -11,7 +11,10 @@ module "build_template_lambda" {
     local.backend_lambda_entrypoints.set_file_virus_scan_status,
     local.backend_lambda_entrypoints.copy_scanned_object_to_internal,
     local.backend_lambda_entrypoints.delete_failed_scanned_object,
+    local.backend_lambda_entrypoints.validate_letter_template_files,
   ]
+
+  externals = ["pdfjs-dist"]
 }
 
 module "build_template_client" {

infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf

@@ -32,7 +32,9 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
 
     actions = [
       "s3:GetObject",
+      "s3:GetObjectVersion",
       "s3:GetObjectTagging",
+      "s3:GetObjectVersionTagging",
     ]
 
     resources = ["${module.s3bucket_quarantine.arn}/*"]
@@ -44,7 +46,9 @@ data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
 
     actions = [
       "s3:PutObject",
+      "s3:PutObjectVersion",
       "s3:PutObjectTagging",
+      "s3:PutObjectVersionTagging",
     ]
 
     resources = ["${module.s3bucket_internal.arn}/*"]

infrastructure/terraform/modules/backend-api/module_lambda_layer_pdfjs.tf

@@ -0,0 +1,7 @@
+module "lambda_layer_pdfjs" {
+  source                 = "../lambda_layer"
+  name                   = "${local.csi}-nodejs20-pdfjs-dist"
+  description            = "pdfjs-dist dependencies for Node.js v20"
+  source_code_dir        = local.pdfjs_layer_source_code_dir
+  nodejs_runtime_version = "20"
+}

infrastructure/terraform/modules/backend-api/module_lambda_validate_letter_template_files.tf

@@ -0,0 +1,87 @@
+module "lambda_validate_letter_template_files" {
+  source      = "../lambda-function"
+  description = "Validates content of letter template files"
+
+  dead_letter_target_arn         = module.sqs_validate_letter_template_files_dlq.sqs_queue_arn
+  execution_role_policy_document = data.aws_iam_policy_document.validate_letter_template_files.json
+  filename                       = module.build_template_lambda.zips[local.backend_lambda_entrypoints.validate_letter_template_files].path
+  function_name                  = "${local.csi}-validate-letter-template-files"
+  handler                        = "validate-letter-template-files.handler"
+  log_retention_in_days          = var.log_retention_in_days
+  source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.validate_letter_template_files].base64sha256
+  timeout                        = 10
+  memory_size                    = 512
+  layer_arns                     = [module.lambda_layer_pdfjs.layer_arn]
+  environment_variables          = local.backend_lambda_environment_variables
+}
+
+data "aws_iam_policy_document" "validate_letter_template_files" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.templates.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccessDynamo"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      local.dynamodb_kms_key_arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowS3InternalGetObject"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject"
+    ]
+
+    resources = ["${module.s3bucket_internal.arn}/*"]
+  }
+
+  statement {
+    sid    = "AllowKMSAccessSQSS3"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowSQSDLQ"
+    effect = "Allow"
+
+    actions = [
+      "sqs:SendMessage",
+    ]
+
+    resources = [
+      module.sqs_validate_letter_template_files_dlq.sqs_queue_arn,
+    ]
+  }
+}