Merge branch 'main' into feature/CCM-9874-dl-edge-auth

Author: harrim91

.tool-versions

@@ -12,8 +12,8 @@ vale 3.6.0
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33  # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6  # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.24.0@sha256:2bcceac45179b3a91bff11a824d0fb952585b429e54fc928728b1d4d5c3e5176 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc

infrastructure/terraform/components/acct/module_obs_datasource.tf

@@ -9,6 +9,6 @@ module "obs_datasource" {
   environment    = var.environment
   component      = var.component
 
-  oam_sink_id               = var.oam_sink_id
-  observability_account_id  = var.observability_account_id
+  oam_sink_id              = var.oam_sink_id
+  observability_account_id = var.observability_account_id
 }

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -13,4 +13,45 @@ module "kms_sandbox" {
   deletion_window = var.kms_deletion_window
   alias           = "alias/${local.csi}-sandbox"
   iam_delegation  = true
+
+  key_policy_documents = [data.aws_iam_policy_document.kms.json]
+}
+
+data "aws_iam_policy_document" "kms" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.${var.region}.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
+      ]
+    }
+  }
 }

infrastructure/terraform/components/acct/outputs.tf

@@ -12,6 +12,11 @@ output "github_pat_ssm_param_name" {
 
 output "s3_buckets" {
   value = {
+    access_logs = {
+      arn    = module.s3bucket_access_logs.arn
+      bucket = module.s3bucket_access_logs.bucket
+      id     = module.s3bucket_access_logs.id
+    }
     artefacts = {
       arn    = module.s3bucket_artefacts.arn
       bucket = module.s3bucket_artefacts.bucket

infrastructure/terraform/components/app/module_backend_api.tf

@@ -13,17 +13,19 @@ module "backend_api" {
   log_retention_in_days   = var.log_retention_in_days
   kms_key_arn             = module.kms.key_arn
   parent_acct_environment = var.parent_acct_environment
+  function_s3_bucket      = local.acct.s3_buckets["artefacts"]["id"]
 
   cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn
 
   cognito_config = jsondecode(aws_ssm_parameter.cognito_config.value)
 
   enable_backup = var.destination_vault_arn != null ? true : false
 
-  enable_letters                 = var.enable_letters
-  enable_proofing                = var.enable_proofing
-  letter_suppliers               = var.letter_suppliers
-  log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
-  log_subscription_role_arn      = local.acct.log_subscription_role_arn
+  enable_letters            = var.enable_letters
+  enable_proofing           = var.enable_proofing
+  letter_suppliers          = var.letter_suppliers
+  log_destination_arn       = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
 
+  send_to_firehose = true
 }

infrastructure/terraform/components/sandbox/README.md

@@ -17,6 +17,7 @@ No requirements.
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | <pre>{<br/>  "WTMMOCK": {<br/>    "default_supplier": true,<br/>    "enable_polling": true<br/>  }<br/>}</pre> | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules

infrastructure/terraform/components/sandbox/locals_remote_state.tf

@@ -0,0 +1,21 @@
+locals {
+  acct = data.terraform_remote_state.acct.outputs
+}
+
+data "terraform_remote_state" "acct" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/acct.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      var.parent_acct_environment
+    )
+
+    region = "eu-west-2"
+  }
+}

infrastructure/terraform/components/sandbox/locals_tfscaffold.tf

@@ -1,4 +1,11 @@
 locals {
+  terraform_state_bucket = format(
+    "%s-tfscaffold-%s-%s",
+    var.project,
+    var.aws_account_id,
+    var.region,
+  )
+
   csi = replace(
     format(
       "%s-%s-%s",

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -9,7 +9,8 @@ module "backend_api" {
   group                   = var.group
   csi                     = local.csi
   log_retention_in_days   = var.log_retention_in_days
-  parent_acct_environment = "main"
+  parent_acct_environment = var.parent_acct_environment
+  function_s3_bucket      = local.acct.s3_buckets["artefacts"]["id"]
 
   cognito_config = {
     USER_POOL_ID        = aws_cognito_user_pool.sandbox.id
@@ -22,4 +23,6 @@ module "backend_api" {
 
   kms_key_arn          = data.aws_kms_key.sandbox.arn
   dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
+
+  send_to_firehose = false
 }

infrastructure/terraform/components/sandbox/pre.sh

@@ -1,3 +1,5 @@
 if [ -z "$SKIP_SANDBOX_INSTALL" ]; then npm ci --omit=dev; fi
 
 npm run generate-dependencies --workspaces --if-present
+
+npm run lambda-build --workspaces --if-present