From 2b2cdc1e42579e218d7c422fb239aa507a125f13 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 14:48:13 +0000
Subject: [PATCH] Final first ppas
---
 .../cloudwatch-event-targets.tf | 5 +
 .../cloudwatch-event-targets.tf.deactivated | 5 -
 .../cloudwatch-log-groups.tf | 7 +-
 .../analytical-platform-ingestion/eips.tf | 3 +-
 .../lambda-functions.tf | 2 +-
 .../modules/transfer-family/user/main.tf | 100 ++++++++++++++++++
 .../modules/transfer-family/user/variables.tf | 31 ++++++
 .../s3-notifications.tf | 4 +-
 .../transfer-servers.tf | 2 +-
 ...r-user.tf.deactivated => transfer-user.tf} | 0
 ....tf.deactivated => transform-iam-roles.tf} | 0
 11 files changed, 145 insertions(+), 14 deletions(-)
 create mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf
 delete mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated
 create mode 100644 terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
 create mode 100644 terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf
 rename terraform/environments/analytical-platform-ingestion/{transfer-user.tf.deactivated => transfer-user.tf} (100%)
 rename terraform/environments/analytical-platform-ingestion/{transform-iam-roles.tf.deactivated => transform-iam-roles.tf} (100%)
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf
new file mode 100644
index 00000000000..39249807af8
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf
@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_event_target" "definition_update" {
+ rule = aws_cloudwatch_event_rule.definition_update.name
+ target_id = "definition-update"
+ arn = module.definition_upload_lambda.lambda_function_arn
+}
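Review bot: The `rule` line references `aws_cloudwatch_event_rule.definition_update`, but no file in this commit defines or renames that rule; the deleted `.deactivated` file pointed at `ingestion_scanning_definition_update` instead. If the rule resource elsewhere in the environment still carries the old name, plan will fail with an undeclared-resource error both here and on the `source_arn` line in lambda-functions.tf, which makes the same switch. Worth confirming the rule was renamed in an earlier commit before merging, or adding a comment on the `rule` line naming where it is declared, e.g. `# rule declared in cloudwatch-event-rules.tf` (path illustrative).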
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated
deleted file mode 100644
index 8e7b9c4baaf..00000000000
--- a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "aws_cloudwatch_event_target" "ingestion_scanning_definition_update" {
- rule = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.name
- target_id = "ingestion_scanning_definition_update"
- arn = module.definition_upload_lambda.lambda_function_arn
-}
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
index 1b18f04364c..1a41e48d3a8 100644
--- a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
@@ -1,3 +1,4 @@
-resource "aws_cloudwatch_log_group" "transfer_structured_logs" {
- name = "/aws/transfer-structured-logs"
-}
+# Deactivated for now
+# resource "aws_cloudwatch_log_group" "transfer_structured_logs" {
+# name = "/aws/transfer-structured-logs"
+# }
diff --git a/terraform/environments/analytical-platform-ingestion/eips.tf b/terraform/environments/analytical-platform-ingestion/eips.tf
index 45498031c92..5f31df297f2 100644
--- a/terraform/environments/analytical-platform-ingestion/eips.tf
+++ b/terraform/environments/analytical-platform-ingestion/eips.tf
@@ -1,6 +1,5 @@
-# TODO: make this more elegant, use az count
 resource "aws_eip" "transfer_server" {
- count = 3
+ count = length(data.aws_availability_zones.available.names)
 domain = "vpc"
 }
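Review bot: Commenting out `transfer_structured_logs` here, together with the matching `structured_log_destinations` line in transfer-servers.tf, removes the only structured log destination visible for the SFTP server, so after this merges there is no per-session record of which user connected and what was uploaded until it is reinstated. Removing the resource also destroys the existing log group and any retained events, since `aws_cloudwatch_log_group` deletes on destroy unless `skip_destroy` is set. `# Deactivated for now` gives neither a reason nor a tracking reference; suggest `# Deactivated for now: <reason> — re-enable under <ISSUE-PLACEHOLDER>`, and if the blocker is only on the server side, keep the log group resource itself so the history survives.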
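Review bot: `count = length(data.aws_availability_zones.available.names)` ties the number of EIPs to the region's AZ count, but `data.aws_availability_zones.available` is not declared in this commit, and the number of allocations the Transfer server endpoint accepts is fixed by the subnets it is given, not by the region, so if the server's `endpoint_details` pairs these EIPs with a subnet list of a different length the apply fails (inferred from the resource name; the server definition is outside this hunk). Moving from a fixed 3 in a region with a different AZ count also re-creates EIPs, which changes the public addresses suppliers may already have allowlisted. Prefer deriving the count from the same subnet list the endpoint uses, and confirm the plan shows no EIP replacement before applying.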
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
index ca17acb89fb..8e4f86fb4d5 100644
--- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -46,7 +46,7 @@ module "definition_upload_lambda" {
 allowed_triggers = {
 "eventbridge" = {
 principal = "events.amazonaws.com"
- source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn
+ source_arn = aws_cloudwatch_event_rule.definition_update.arn
 }
 }
 }
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
new file mode 100644
index 00000000000..fc0e7f75edc
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
@@ -0,0 +1,100 @@
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt",
+ ]
+ resources = [var.landing_bucket_kms_key]
+ }
+ # TODO: review the permissions
+ statement {
+ sid = "AllowS3ListBucket"
+ effect = "Allow"
+ actions = ["s3:ListBucket"]
+ resources = [
+ "arn:aws:s3:::${var.landing_bucket}",
+ "arn:aws:s3:::${var.landing_bucket}/${var.name}/*"
+ ]
+ }
+ # TODO: review the permissions
+ statement {
+ sid = "AllowS3ObjectActions"
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = ["arn:aws:s3:::${var.landing_bucket}/${var.name}/*"]
+ }
+}
+
+module "policy" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "5.37.1"
+
+ name_prefix = "transfer-user-${var.name}"
+
+ policy = data.aws_iam_policy_document.this.json
+}
+
+module "role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "5.37.1"
+
+ create_role = true
+
+ role_name = "transfer-user-${var.name}"
+ role_requires_mfa = false
+
+ trusted_role_services = ["transfer.amazonaws.com"]
+
+ custom_role_policy_arns = [module.policy.arn]
+}
+
+resource "aws_transfer_user" "this" {
+ server_id = var.transfer_server
+ user_name = var.name
+ role = module.role.iam_role_arn
+
+ # This doesn't work unless optimised directory is disabled, and that isn't available in Terraform
+ # home_directory_type = "LOGICAL"
+ # home_directory_mappings {
+ # entry = "/upload"
+ # target = "/${var.landing_bucket}/${var.name}/upload"
+ # }
+
+ # home_directory_mappings {
+ # entry = "/download"
+ # target = "/${var.landing_bucket}/${var.name}/download"
+ # }
+
+ # This works
+ home_directory = "/${var.landing_bucket}/${var.name}" # TODO: do we need an SFTP specific landing bucket?
+}
+
+resource "aws_transfer_ssh_key" "this" {
+ server_id = var.transfer_server
+ user_name = aws_transfer_user.this.user_name
+ body = var.ssh_key
+}
+
+resource "aws_security_group_rule" "this" {
+ type = "ingress"
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = var.cidr_blocks
+ security_group_id = var.transfer_server_security_group
+}
+
+resource "aws_secretsmanager_secret" "this" {
+ for_each = toset(["technical-contact", "data-contact", "target-bucket"])
+
+ name = "ingestion/sftp/${var.name}/${each.key}"
+ kms_key_id = var.supplier_data_kms_key
+}
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf
new file mode 100644
index 00000000000..0015ee5558c
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf
@@ -0,0 +1,31 @@
+variable "name" {
+ type = string
+}
+
+variable "ssh_key" {
+ type = string
+}
+
+variable "cidr_blocks" {
+ type = list(string)
+}
+
+variable "transfer_server" {
+ type = string
+}
+
+variable "transfer_server_security_group" {
+ type = string
+}
+
+variable "landing_bucket" {
+ type = string
+}
+
+variable "landing_bucket_kms_key" {
+ type = string
+}
+
+variable "supplier_data_kms_key" {
+ type = string
+}
diff --git a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
index 8d7352057dc..66271190cc1 100644
--- a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
+++ b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
@@ -1,4 +1,4 @@
-module "ingestion_landing" {
+module "ingestion_landing_bucket_notification" {
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
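Review bot: The `AllowS3ListBucket` statement grants `s3:ListBucket` on `arn:aws:s3:::${var.landing_bucket}` with no `s3:prefix` condition, so every SFTP user created from this module can enumerate every other supplier's prefix in the shared landing bucket; the object ARN in that `resources` list adds nothing, because ListBucket is evaluated against the bucket ARN only. The `AllowS3ObjectActions` statement's `s3:*` likewise grants ACL and configuration actions on the objects that a file-transfer role never needs, which the `# TODO: review the permissions` markers already acknowledge. The list statement below is constrained to the user's own prefix; the object statement should be cut down to the concrete object actions the workflow needs (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` are the usual set, and whether download is in scope decides which), so confirm that with the workflow owners. Separately, `aws_security_group_rule.this` writes `var.cidr_blocks` straight into an ingress rule on the shared server security group, and several users with overlapping CIDRs on the same group are likely to collide at apply time, so consider aggregating those rules at the caller.
```terraform
  statement {
    sid       = "AllowS3ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.landing_bucket}"]

    # Listing is limited to this user's own prefix so other suppliers' prefixes stay invisible.
    # Transfer Family may also issue a list at the root; add "" to values if login fails — confirm.
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = [var.name, "${var.name}/*"]
    }
  }
  # … unchanged: AllowKMS statement above, AllowS3ObjectActions statement below (narrow s3:*) …
```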
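Review bot: None of the eight variables carries a `description`, and `cidr_blocks` has no `validation` even though main.tf writes it verbatim into a port 2222 ingress rule on the server's security group, so a caller passing `0.0.0.0/0` exposes the endpoint to the internet with nothing in the module to refuse it. Suggest a `description` on each variable saying what it feeds (for `cidr_blocks`: `description = "Supplier source CIDRs allowed to reach the SFTP endpoint on port 2222"`) and a `validation` block on `cidr_blocks` with `condition = alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0)) && c != "0.0.0.0/0"])` and an `error_message` that names the rule. `landing_bucket` is documented nowhere as a bucket name rather than an ARN, yet main.tf interpolates it into `arn:aws:s3:::${var.landing_bucket}`, so that expectation belongs in its description too.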
@@ -13,7 +13,7 @@ module "ingestion_landing" {
 }
 }
-module "ingestion_transfer" {
+module "ingestion_transfer_bucket_notification" {
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
index 519b2ac7cfe..6d42123e120 100644
--- a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
+++ b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
@@ -24,7 +24,7 @@ resource "aws_transfer_server" "this" {
 # Logging role is only required when using Managed workflows.
 # logging_role = module.transfer_family_service_role.iam_role_arn
- structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
+ # structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
 }
 resource "aws_transfer_tag" "this" {
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transfer-user.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/transfer-user.tf
diff --git a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf