Delete Quarantined files after 90 days (#5924)

* Delete Infected files after 90 days * Linting * Linting * Linting * Linting * 📌 add versions * Linting --------- Co-authored-by: Aaron Robinson <aaron.robinson@digital.justice.gov.uk>
ministryofjustice · May 2, 2024 · fabf92a · fabf92a
1 parent bd497ba
commit fabf92a
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 0 deletions.
diff --git a/...vironments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf b/...vironments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
@@ -1,3 +1,5 @@
+# tflint-ignore-file: terraform_required_version, terraform_required_providers
+
 data "aws_iam_policy_document" "this" {
   statement {
     sid    = "AllowKMS"
@@ -102,6 +104,8 @@ resource "aws_security_group_rule" "this" {
 }
 
 resource "aws_secretsmanager_secret" "this" {
+  #checkov:skip=CKV2_AWS_57:Automatic rotation is not required for this secret
+
   for_each = toset(["technical-contact", "data-contact", "target-bucket", "slack-channel"])
 
   name       = "ingestion/sftp/${var.name}/${each.key}"

diff --git a/...nments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/versions.tf b/...nments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 5.0"
+      source  = "hashicorp/aws"
+    }
+
+  }
+  required_version = "~> 1.0"
+}
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
@@ -1,3 +1,5 @@
+# tflint-ignore-file: terraform_required_version, terraform_required_providers
+
 data "aws_iam_policy_document" "this" {
   statement {
     sid    = "AllowKMS"
@@ -79,6 +81,8 @@ resource "aws_security_group_rule" "this" {
 }
 
 resource "aws_secretsmanager_secret" "this" {
+  #checkov:skip=CKV2_AWS_57:Automatic rotation is not required for this secret
+
   for_each = toset(["technical-contact", "data-contact", "target-bucket", "slack-channel"])
 
   name       = "ingestion/sftp/${var.name}/${each.key}"

diff --git a/...aform/environments/analytical-platform-ingestion/modules/transfer-family/user/versions.tf b/...aform/environments/analytical-platform-ingestion/modules/transfer-family/user/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 5.0"
+      source  = "hashicorp/aws"
+    }
+
+  }
+  required_version = "~> 1.0"
+}
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -60,6 +60,17 @@ module "quarantine_bucket" {
       }
     }
   }
+
+  lifecycle_rule = [
+    {
+      id      = "delete-infected-objects-after-90-days"
+      enabled = true
+
+      expiration = {
+        days = 90
+      }
+    }
+  ]
 }
 
 module "definitions_bucket" {
@@ -121,6 +132,8 @@ data "aws_iam_policy_document" "bold_egress_bucket_policy" {
   }
 }
 
+#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket
+#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket
 module "bold_egress_bucket" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 

diff --git a/terraform/environments/analytical-platform-ingestion/secrets.tf b/terraform/environments/analytical-platform-ingestion/secrets.tf
@@ -1,15 +1,21 @@
 # TODO: look at using https://registry.terraform.io/modules/terraform-aws-modules/secrets-manager/aws/latest
 resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
+  #checkov:skip=CKV2_AWS_57:Automatic rotation is not required for this secret
+
   name       = "ingestion/govuk-notify/api-key"
   kms_key_id = module.govuk_notify_kms.key_arn
 }
 
 resource "aws_secretsmanager_secret" "govuk_notify_templates" {
+  #checkov:skip=CKV2_AWS_57:Automatic rotation is not required for this secret
+
   name       = "ingestion/govuk-notify/templates"
   kms_key_id = module.govuk_notify_kms.key_arn
 }
 
 resource "aws_secretsmanager_secret" "slack_token" {
+  #checkov:skip=CKV2_AWS_57:Automatic rotation is not required for this secret
+
   name       = "ingestion/slack-token"
   kms_key_id = module.slack_token_kms.key_arn
 }
diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf
@@ -1,4 +1,6 @@
 resource "aws_security_group" "vpc_endpoints" {
+  #checkov:skip=CKV2_AWS_5
+
   description = "Security Group for controlling all VPC endpoint traffic"
   name        = format("%s-vpc-endpoint-sg", local.application_name)
   vpc_id      = module.vpc.vpc_id

diff --git a/terraform/environments/analytical-platform-ingestion/sns.tf b/terraform/environments/analytical-platform-ingestion/sns.tf
@@ -1,4 +1,6 @@
 module "quarantined_topic" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
   source  = "terraform-aws-modules/sns/aws"
   version = "6.0.1"
 
@@ -39,6 +41,7 @@ module "quarantined_topic" {
 }
 
 module "transferred_topic" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   source  = "terraform-aws-modules/sns/aws"
   version = "6.0.1"