CCM-8861: SFTP poll (#419)

Author: chris-elliott-nhsd

infrastructure/terraform/modules/backend-api/README.md

@@ -42,6 +42,7 @@ No requirements.
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | ../lambda-function | n/a |
 | <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | ../lambda-function | n/a |
 | <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
+| <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | ../lambda-function | n/a |
 | <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |

infrastructure/terraform/modules/backend-api/api_gateway_rest_api_main.tf

@@ -4,5 +4,5 @@ resource "aws_api_gateway_rest_api" "main" {
   description                  = "Templates API"
   disable_execute_api_endpoint = false
 
-  binary_media_types = [ "multipart/form-data" ]
+  binary_media_types = ["multipart/form-data"]
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_sftp_poll.tf

@@ -0,0 +1,27 @@
+resource "aws_cloudwatch_event_rule" "sftp_poll" {
+  for_each = var.letter_suppliers
+
+  name                = "${local.csi}-sftp-poll-${lower(each.key)}"
+  schedule_expression = "rate(1 hour)" # Runs at the top of every hour
+
+  state = each.value.enable_polling ? "ENABLED" : "DISABLED"
+}
+
+resource "aws_cloudwatch_event_target" "sftp_poll" {
+  for_each = var.letter_suppliers
+  rule     = aws_cloudwatch_event_rule.sftp_poll[each.key].name
+  arn      = module.lambda_sftp_poll.function_arn
+
+  input = jsonencode({
+    supplier : each.key
+  })
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch" {
+  for_each      = var.letter_suppliers
+  statement_id  = "AllowExecutionFromCloudWatch${each.key}"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_sftp_poll.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.sftp_poll[each.key].arn
+}

infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf

@@ -4,7 +4,7 @@ resource "aws_guardduty_malware_protection_plan" "quarantine" {
   protected_resource {
     s3_bucket {
       bucket_name     = module.s3bucket_quarantine.id
-      object_prefixes = ["pdf-template/", "test-data/"]
+      object_prefixes = ["pdf-template/", "test-data/", "proofs/"]
     }
   }
 

infrastructure/terraform/modules/backend-api/module_build_sftp_letters_lambdas.tf

@@ -5,5 +5,6 @@ module "build_sftp_letters_lambdas" {
 
   entrypoints = [
     "src/send-proof.ts",
+    "src/sftp-poll.ts",
   ]
 }

infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf

@@ -17,7 +17,6 @@ module "lambda_send_letter_proof" {
   environment_variables = {
     CREDENTIALS_TTL_SECONDS = 900
     CSI                     = local.csi
-    ENVIRONMENT             = var.environment
     INTERNAL_BUCKET_NAME    = module.s3bucket_internal.id
     NODE_OPTIONS            = "--enable-source-maps",
     REGION                  = var.region

infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf

@@ -0,0 +1,67 @@
+module "lambda_sftp_poll" {
+  source      = "../lambda-function"
+  description = "Lambda to poll the SFTP suppliers and copy proofs to the quarantine bucket"
+
+  function_name    = "${local.csi}-sftp-poll"
+  filename         = module.build_sftp_letters_lambdas.zips["src/sftp-poll.ts"].path
+  source_code_hash = module.build_sftp_letters_lambdas.zips["src/sftp-poll.ts"].base64sha256
+  handler          = "sftp-poll.handler"
+
+  log_retention_in_days = var.log_retention_in_days
+
+  execution_role_policy_document = data.aws_iam_policy_document.sftp_poll.json
+
+  environment_variables = {
+    CREDENTIALS_TTL_SECONDS = 900
+    CSI                     = local.csi
+    QUARANTINE_BUCKET_NAME  = module.s3bucket_quarantine.id
+    NODE_OPTIONS            = "--enable-source-maps",
+    REGION                  = var.region
+    SFTP_ENVIRONMENT        = local.sftp_environment
+  }
+
+  timeout     = 60 * 10
+  memory_size = 2048
+}
+
+data "aws_iam_policy_document" "sftp_poll" {
+
+  statement {
+    sid    = "AllowS3"
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = ["${module.s3bucket_quarantine.arn}/*"]
+  }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameter",
+    ]
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${local.csi}/sftp-config/*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+}

infrastructure/terraform/modules/lambda-function/README.md

@@ -32,6 +32,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_function_arn"></a> [function\_arn](#output\_function\_arn) | n/a |
+| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/modules/lambda-function/outputs.tf

@@ -1,3 +1,6 @@
 output "function_arn" {
   value = aws_lambda_function.main.arn
 }
+output "function_name" {
+  value = aws_lambda_function.main.function_name
+}

lambdas/sftp-letters/package.json

@@ -1,12 +1,18 @@
 {
-  "name": "nhs-notify-sftp-letters-lambdas",
-  "version": "0.0.1",
-  "private": true,
-  "scripts": {
-    "test:unit": "jest",
-    "lint": "eslint .",
-    "lint:fix": "eslint . --fix",
-    "typecheck": "tsc --noEmit"
+  "dependencies": {
+    "@aws-sdk/client-dynamodb": "3.775.0",
+    "@aws-sdk/client-s3": "3.775.0",
+    "@aws-sdk/client-ssm": "3.775.0",
+    "@aws-sdk/lib-dynamodb": "3.775.0",
+    "csv-parse": "^5.6.0",
+    "csv-stringify": "^6.4.4",
+    "date-fns": "^4.1.0",
+    "ksuid": "^3.0.0",
+    "nhs-notify-entity-update-command-builder": "*",
+    "nhs-notify-web-template-management-utils": "*",
+    "node-cache": "^5.1.2",
+    "ssh2-sftp-client": "^9.1.0",
+    "zod": "^3.24.2"
   },
   "devDependencies": {
     "@swc/core": "^1.11.3",
@@ -20,24 +26,18 @@
     "esbuild": "^0.24.0",
     "jest": "^29.7.0",
     "jest-mock-extended": "^3.0.7",
+    "nhs-notify-web-template-management-test-helper-utils": "*",
     "ts-jest": "^29.3.0",
     "ts-node": "^10.9.2",
     "typescript": "^5.8.2"
   },
-  "dependencies": {
-    "@aws-sdk/client-dynamodb": "3.775.0",
-    "@aws-sdk/client-s3": "3.775.0",
-    "@aws-sdk/client-ssm": "3.775.0",
-    "@aws-sdk/lib-dynamodb": "3.775.0",
-    "csv-parse": "^5.6.0",
-    "csv-stringify": "^6.4.4",
-    "date-fns": "^4.1.0",
-    "ksuid": "^3.0.0",
-    "nhs-notify-entity-update-command-builder": "*",
-    "nhs-notify-web-template-management-test-helper-utils": "*",
-    "nhs-notify-web-template-management-utils": "*",
-    "node-cache": "^5.1.2",
-    "ssh2-sftp-client": "^9.1.0",
-    "zod": "^3.24.2"
-  }
+  "name": "nhs-notify-sftp-letters-lambdas",
+  "private": true,
+  "scripts": {
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test:unit": "jest",
+    "typecheck": "tsc --noEmit"
+  },
+  "version": "0.0.1"
 }