CCM-9247: Code cleanup and deduplication

Author: chris-elliott-nhsd

infrastructure/terraform/modules/backend-api/README.md

@@ -42,8 +42,7 @@ No requirements.
 | <a name="module_lambda_copy_scanned_object_to_internal"></a> [lambda\_copy\_scanned\_object\_to\_internal](#module\_lambda\_copy\_scanned\_object\_to\_internal) | ../lambda-function | n/a |
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | ../lambda-function | n/a |
 | <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | ../lambda-function | n/a |
-| <a name="module_lambda_set_file_virus_scan_status_proofs"></a> [lambda\_set\_file\_virus\_scan\_status\_proofs](#module\_lambda\_set\_file\_virus\_scan\_status\_proofs) | ../lambda-function | n/a |
-| <a name="module_lambda_set_file_virus_scan_status_uploads"></a> [lambda\_set\_file\_virus\_scan\_status\_uploads](#module\_lambda\_set\_file\_virus\_scan\_status\_uploads) | ../lambda-function | n/a |
+| <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
 | <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | ../lambda-function | n/a |
 | <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
@@ -54,8 +53,7 @@ No requirements.
 | <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_virus_scan_failed_delete_object_dlq"></a> [sqs\_virus\_scan\_failed\_delete\_object\_dlq](#module\_sqs\_virus\_scan\_failed\_delete\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_virus_scan_passed_copy_object_dlq"></a> [sqs\_virus\_scan\_passed\_copy\_object\_dlq](#module\_sqs\_virus\_scan\_passed\_copy\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
-| <a name="module_sqs_virus_scan_set_file_status_proofs_dlq"></a> [sqs\_virus\_scan\_set\_file\_status\_proofs\_dlq](#module\_sqs\_virus\_scan\_set\_file\_status\_proofs\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
-| <a name="module_sqs_virus_scan_set_file_status_uploads_dlq"></a> [sqs\_virus\_scan\_set\_file\_status\_uploads\_dlq](#module\_sqs\_virus\_scan\_set\_file\_status\_uploads\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
+| <a name="module_sqs_virus_scan_set_file_status_dlq"></a> [sqs\_virus\_scan\_set\_file\_status\_dlq](#module\_sqs\_virus\_scan\_set\_file\_status\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_submit_template_lambda"></a> [submit\_template\_lambda](#module\_submit\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_update_template_lambda"></a> [update\_template\_lambda](#module\_update\_template\_lambda) | ../lambda-function | n/a |
 ## Outputs

…rdduty_quarantine_scan_failed_uploads.tf …rule_guardduty_quarantine_scan_failed.tfinfrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_uploads.tf renamed to infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed.tf infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_uploads.tf renamed to infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed.tf

@@ -1,5 +1,5 @@
-resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_uploads" {
-  name        = "${local.csi}-quarantine-scan-failed-uploads"
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed" {
+  name        = "${local.csi}-quarantine-scan-failed"
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
@@ -9,7 +9,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_uploads"
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
-        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }, { prefix = "proofs/" }]
       }
       scanResultDetails = {
         scanResultStatus = [{ anything-but = "NO_THREATS_FOUND" }]
@@ -18,14 +18,14 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_uploads"
   })
 }
 
-resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status_uploads" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_uploads.name
-  arn      = module.lambda_set_file_virus_scan_status_uploads.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_uploads.arn
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
 }
 
-resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_uploads" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_uploads.name
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_uploads.arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_proofs.tf

@@ -20,7 +20,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_proofs" {
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status_proofs" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_proofs.name
-  arn      = module.lambda_set_file_virus_scan_status_proofs.function_arn
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
   role_arn = aws_iam_role.quarantine_scan_passed_proofs.arn
 }
 

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_proofs.tf

@@ -20,7 +20,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_uploads"
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status_uploads" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_uploads.name
-  arn      = module.lambda_set_file_virus_scan_status_uploads.function_arn
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
   role_arn = aws_iam_role.quarantine_scan_passed_uploads.arn
 }
 

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_uploads.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_role" "quarantine_scan_failed" {
+  name               = "${local.csi}-quarantine-scan-failed"
+  description        = "IAM Role for GuardDuty failure CloudWatch events to trigger follow up actions"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy" "quarantine_scan_failed" {
+  name   = "${local.csi}-quarantine-scan-failed"
+  role   = aws_iam_role.quarantine_scan_failed.id
+  policy = data.aws_iam_policy_document.quarantine_scan_failed.json
+}
+
+data "aws_iam_policy_document" "quarantine_scan_failed" {
+  version = "2012-10-17"
+
+  statement {
+    sid     = "AllowLambdaInvoke"
+    effect  = "Allow"
+    actions = ["lambda:InvokeFunction"]
+    resources = [
+      module.lambda_set_file_virus_scan_status.function_arn,
+      module.lambda_delete_failed_scanned_object.function_arn
+    ]
+  }
+}

infrastructure/terraform/modules/backend-api/iam_role_quarantine_scan_failed.tf

@@ -18,7 +18,7 @@ data "aws_iam_policy_document" "quarantine_scan_passed_proofs" {
     actions = ["lambda:InvokeFunction"]
     resources = [
       module.lambda_copy_scanned_object_to_internal.function_arn,
-      module.lambda_set_file_virus_scan_status_proofs.function_arn,
+      module.lambda_set_file_virus_scan_status.function_arn,
     ]
   }
 }

infrastructure/terraform/modules/backend-api/iam_role_quarantine_scan_failed_proofs.tf

@@ -18,7 +18,7 @@ data "aws_iam_policy_document" "quarantine_scan_passed_uploads" {
     actions = ["lambda:InvokeFunction"]
     resources = [
       module.lambda_copy_scanned_object_to_internal.function_arn,
-      module.lambda_set_file_virus_scan_status_uploads.function_arn,
+      module.lambda_set_file_virus_scan_status.function_arn,
     ]
   }