Add email_alert_notifications project

This project sets up an S3 bucket and a lambda function that parses
files and renames them with a prefix (currently only
`travel-advice-alerts`) and the `govuk_request_id` parsed from the email
body.

This allows us to more reliably verify that email alerts have
been sent when a travel advice update has been published.

An SES domain and RuleSet and an S3 event source are also required but
can't currently be configured via Terraform.

projects/email_alert_notifications/README.md

@@ -0,0 +1 @@
+

projects/email_alert_notifications/files/rename_email_files_with_request_id.py

@@ -0,0 +1,44 @@
+import boto3
+import urllib
+import re
+import uuid
+from botocore.exceptions import ClientError
+
+S3 = boto3.client('s3')
+
+REQUEST_ID_REGEX = re.compile(r'data-govuk-request-id=(?:3D){,1}"([0-9\-\.]+)"')
+
+def lambda_handler(event, context):
+    bucket_name = source_bucket_name(event)
+    key = source_key(event)
+    request_id = parse_request_id(bucket_name, key)
+    prefix = file_prefix(event, request_id)
+    move_file(bucket_name, key, request_id, prefix)
+
+def source_bucket_name(event):
+    return event['Records'][0]['s3']['bucket']['name']
+
+def source_key(event):
+    return urllib.unquote_plus(event['Records'][0]['s3']['object']['key']).decode('utf8')
+
+def parse_request_id(bucket_name, key):
+    m = REQUEST_ID_REGEX.search(email_body(bucket_name, key))
+    if m:
+        return m.group(1)
+
+def email_body(bucket_name, key):
+    response = S3.get_object(Bucket=bucket_name, Key=key)
+    return response["Body"].read()
+
+def move_file(bucket_name, key, request_id, prefix):
+    S3.copy_object(
+        Bucket=bucket_name,
+        CopySource='%s/%s' % (bucket_name, key),
+        Key='%s/%s.msg' % (prefix, request_id or uuid.uuid4()))
+    S3.delete_object(Bucket=bucket_name, Key=key)
+
+def file_prefix(event, request_id):
+    if request_id:
+        return "travel-advice-alerts"
+    else:
+        return "no-request-id"

projects/email_alert_notifications/resources/email_alert_notifications.tf

@@ -0,0 +1,53 @@
+variable "s3_bucket_name" {
+  default = "govuk-email-alert-notifications"
+}
+
+resource "template_file" "s3_bucket_policy" {
+  template = "${file("templates/email_alert_s3_bucket_policy.json")}"
+  vars {
+    account_id = "${element(split(":", aws_iam_role.lambda_execute_and_write_to_email_alert_bucket.arn), 4)}"
+    bucket_name = "${var.s3_bucket_name}"
+    lambda_role = "${aws_iam_role.lambda_execute_and_write_to_email_alert_bucket.arn}"
+  }
+}
+
+resource "template_file" "put_and_delete_to_email_alert_bucket_policy" {
+  template = "${file("templates/put_and_delete_to_s3_policy.json")}"
+  vars {
+    resource_arn = "${aws_s3_bucket.email_alert_inbox_bucket.arn}"
+  }
+}
+
+resource "aws_s3_bucket" "email_alert_inbox_bucket" {
+  bucket = "${var.s3_bucket_name}"
+  acl = "public-read"
+  policy = "${template_file.s3_bucket_policy.rendered}"
+}
+
+resource "aws_iam_role" "lambda_execute_and_write_to_email_alert_bucket" {
+  name = "lambda_execute_and_write_to_email_alert_bucket" 
+  assume_role_policy = "${file("templates/lambda_assume_role_policy.json")}"
+}
+
+resource "aws_iam_role_policy" "put_and_delete_to_email_alert_bucket" {
+  name = "put_and_delete_to_email_alert_bucket"
+  role = "${aws_iam_role.lambda_execute_and_write_to_email_alert_bucket.id}"
+  policy = "${template_file.put_and_delete_to_email_alert_bucket_policy.rendered}"
+}
+
+resource "aws_iam_role_policy" "write_to_logs" {
+  name = "write_to_logs"
+  role = "${aws_iam_role.lambda_execute_and_write_to_email_alert_bucket.id}"
+  policy = "${file("templates/write_to_logs_policy.json")}"
+}
+
+resource "aws_lambda_function" "rename_email_files_with_request_id"{
+  filename = "rename_email_files_with_request_id.zip"
+  function_name = "rename_email_files_with_request_id"
+  role = "${aws_iam_role.lambda_execute_and_write_to_email_alert_bucket.arn}"
+  handler = "rename_email_files_with_request_id.lambda_handler"
+  runtime = "python2.7"
+  source_code_hash = "${base64sha256(file("rename_email_files_with_request_id.zip"))}"
+}
+
+

projects/email_alert_notifications/templates/email_alert_s3_bucket_policy.json

@@ -0,0 +1,32 @@
+{
+  "Version": "2012-10-17",
+  "Id": "${uuid()}",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${lambda_role}"
+      },
+      "Action": [
+        "s3:PutObject",
+        "s3:DeleteObject",
+        "s3:GetObject"
+      ],
+      "Resource": "arn:aws:s3:::${bucket_name}/*"
+    },
+    {
+      "Sid": "GiveSESPermissionToWriteEmail",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ses.amazonaws.com"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${bucket_name}/*",
+      "Condition": {
+        "StringEquals": {
+          "aws:Referer": "${account_id}"
+        }
+      }
+    }
+  ]
+}

projects/email_alert_notifications/templates/lambda_assume_role_policy.json

@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}

projects/email_alert_notifications/templates/put_and_delete_to_s3_policy.json

@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:getObject",
+        "s3:putObject",
+        "s3:deleteObject",
+        "s3:putObjectAcl"
+      ],
+      "Effect": "Allow",
+      "Resource": "${resource_arn}"
+    }
+  ]
+}

projects/email_alert_notifications/templates/write_to_logs_policy.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "arn:aws:logs:*:*:*"
+    }
+  ]
+}