Final first ppas

terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_event_target" "definition_update" {
+  rule      = aws_cloudwatch_event_rule.definition_update.name
+  target_id = "definition-update"
+  arn       = module.definition_upload_lambda.lambda_function_arn
+}

terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf

@@ -1,3 +1,4 @@
-resource "aws_cloudwatch_log_group" "transfer_structured_logs" {
-  name = "/aws/transfer-structured-logs"
-}
+# Deactivated for now
+# resource "aws_cloudwatch_log_group" "transfer_structured_logs" {
+#   name = "/aws/transfer-structured-logs"
+# }

terraform/environments/analytical-platform-ingestion/eips.tf

@@ -1,6 +1,5 @@
-# TODO: make this more elegant, use az count
 resource "aws_eip" "transfer_server" {
-  count = 3
+  count = length(data.aws_availability_zones.available.names)
 
   domain = "vpc"
 }

terraform/environments/analytical-platform-ingestion/lambda-functions.tf

@@ -46,7 +46,7 @@ module "definition_upload_lambda" {
   allowed_triggers = {
     "eventbridge" = {
       principal  = "events.amazonaws.com"
-      source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn
+      source_arn = aws_cloudwatch_event_rule.definition_update.arn
     }
   }
 }

terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf

@@ -0,0 +1,100 @@
+data "aws_iam_policy_document" "this" {
+  statement {
+    sid    = "AllowKMS"
+    effect = "Allow"
+    actions = [
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Encrypt",
+      "kms:DescribeKey",
+      "kms:Decrypt",
+    ]
+    resources = [var.landing_bucket_kms_key]
+  }
+  # TODO: review the permissions
+  statement {
+    sid     = "AllowS3ListBucket"
+    effect  = "Allow"
+    actions = ["s3:ListBucket"]
+    resources = [
+      "arn:aws:s3:::${var.landing_bucket}",
+      "arn:aws:s3:::${var.landing_bucket}/${var.name}/*"
+    ]
+  }
+  # TODO: review the permissions
+  statement {
+    sid       = "AllowS3ObjectActions"
+    effect    = "Allow"
+    actions   = ["s3:*"]
+    resources = ["arn:aws:s3:::${var.landing_bucket}/${var.name}/*"]
+  }
+}
+
+module "policy" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "5.37.1"
+
+  name_prefix = "transfer-user-${var.name}"
+
+  policy = data.aws_iam_policy_document.this.json
+}
+
+module "role" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "5.37.1"
+
+  create_role = true
+
+  role_name         = "transfer-user-${var.name}"
+  role_requires_mfa = false
+
+  trusted_role_services = ["transfer.amazonaws.com"]
+
+  custom_role_policy_arns = [module.policy.arn]
+}
+
+resource "aws_transfer_user" "this" {
+  server_id = var.transfer_server
+  user_name = var.name
+  role      = module.role.iam_role_arn
+
+  # This doesn't work unless optimised directory is disabled, and that isn't available in Terraform
+  # home_directory_type = "LOGICAL"
+  # home_directory_mappings {
+  #   entry  = "/upload"
+  #   target = "/${var.landing_bucket}/${var.name}/upload"
+  # }
+
+  # home_directory_mappings {
+  #   entry  = "/download"
+  #   target = "/${var.landing_bucket}/${var.name}/download"
+  # }
+
+  # This works
+  home_directory = "/${var.landing_bucket}/${var.name}" # TODO: do we need an SFTP specific landing bucket?
+}
+
+resource "aws_transfer_ssh_key" "this" {
+  server_id = var.transfer_server
+  user_name = aws_transfer_user.this.user_name
+  body      = var.ssh_key
+}
+
+resource "aws_security_group_rule" "this" {
+  type              = "ingress"
+  from_port         = 2222
+  to_port           = 2222
+  protocol          = "tcp"
+  cidr_blocks       = var.cidr_blocks
+  security_group_id = var.transfer_server_security_group
+}
+
+resource "aws_secretsmanager_secret" "this" {
+  for_each = toset(["technical-contact", "data-contact", "target-bucket"])
+
+  name       = "ingestion/sftp/${var.name}/${each.key}"
+  kms_key_id = var.supplier_data_kms_key
+}

terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf

@@ -0,0 +1,31 @@
+variable "name" {
+  type = string
+}
+
+variable "ssh_key" {
+  type = string
+}
+
+variable "cidr_blocks" {
+  type = list(string)
+}
+
+variable "transfer_server" {
+  type = string
+}
+
+variable "transfer_server_security_group" {
+  type = string
+}
+
+variable "landing_bucket" {
+  type = string
+}
+
+variable "landing_bucket_kms_key" {
+  type = string
+}
+
+variable "supplier_data_kms_key" {
+  type = string
+}

terraform/environments/analytical-platform-ingestion/s3-notifications.tf

@@ -1,4 +1,4 @@
-module "ingestion_landing" {
+module "ingestion_landing_bucket_notification" {
   source  = "terraform-aws-modules/s3-bucket/aws//modules/notification"
   version = "4.1.0"
 
@@ -13,7 +13,7 @@ module "ingestion_landing" {
   }
 }
 
-module "ingestion_transfer" {
+module "ingestion_transfer_bucket_notification" {
   source  = "terraform-aws-modules/s3-bucket/aws//modules/notification"
   version = "4.1.0"
 

terraform/environments/analytical-platform-ingestion/transfer-servers.tf

@@ -24,7 +24,7 @@ resource "aws_transfer_server" "this" {
   # Logging role is only required when using Managed workflows.
   # logging_role                = module.transfer_family_service_role.iam_role_arn
 
-  structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
+  # structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
 }
 
 resource "aws_transfer_tag" "this" {