Merge pull request #8661 from ministryofjustice/feature/add-ithc-user…

…s-to-ingestion Adding external SFTP users
ministryofjustice · Nov 14, 2024 · 1fe982f · 1fe982f
2 parents 1d0075b + 8ec96a9
commit 1fe982f
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 0 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
@@ -92,6 +92,20 @@ locals {
           egress_bucket         = module.bold_egress_bucket.s3_bucket_id
           egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
         }
+        "darren-brooke" = {
+          ssh_key               = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu"
+          cidr_blocks           = ["54.37.241.156/30", "167.71.136.237/32"]
+          egress_bucket         = module.ext_2024_egress_bucket.s3_bucket_id
+          egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn
+
+        }
+        "aaron-willetts" = {
+          ssh_key               = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali"
+          cidr_blocks           = ["54.37.241.156/30", "167.71.136.237/32"]
+          egress_bucket         = module.ext_2024_egress_bucket.s3_bucket_id
+          egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn
+
+        }
       }
 
       /* DataSync */

diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -119,6 +119,35 @@ module "s3_bold_egress_kms" {
   deletion_window_in_days = 7
 }
 
+module "s3_ext_2024_egress_kms" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/kms/aws"
+  version = "3.1.0"
+
+  aliases               = ["s3/ext-2024-egress"]
+  description           = "Used in the External 2024 Egress Solution"
+  enable_default_policy = true
+  key_statements = [
+    {
+      sid = "AllowReadOnlyRole"
+      actions = [
+        "kms:Encrypt",
+        "kms:GenerateDataKey"
+      ]
+      resources = ["*"]
+      effect    = "Allow"
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change
+        }
+      ]
+    }
+  ]
+  deletion_window_in_days = 7
+}
+
 module "quarantined_sns_kms" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 

diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -161,6 +161,32 @@ module "bold_egress_bucket" {
   }
 }
 
+#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket
+#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket
+module "ext_2024_egress_bucket" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.1.2"
+
+  bucket = "mojap-ingestion-${local.environment}-ext-2024-egress"
+
+  force_destroy = true
+
+  versioning = {
+    enabled = true
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = module.s3_bold_egress_kms.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+
 module "datasync_bucket" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions