From 64b4b29ad16b9c5c34ca3151b6d07b6a38c3ed6e Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:01:21 +0000 Subject: [PATCH 01/13] Initial add - to be edited / activated / modified later --- .../cloudwatch-event-rules.tf.deactivated | 4 + .../cloudwatch-event-targets.tf.deactivated | 5 + .../cloudwatch-log-groups.tf.deactivated | 3 + .../ecr-repositories.tf.deactivated | 0 .../lambda-functions.tf.deactivated | 273 ++++++++++++++++++ .../s3-notifications.tf.deactivated | 44 +++ .../s3.tf.deactivated | 74 +++++ .../secrets.tf.deactivated | 11 + .../transfer-servers.tf.deactivated | 34 +++ .../transfer-user.tf.deactivated | 28 ++ .../transform-iam-roles.tf.deactivated | 19 ++ 11 files changed, 495 insertions(+) create mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/s3.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated 
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated
new file mode 100644
index 00000000000..1a3cae65f35
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_event_rule" "ingestion_scanning_definition_update" {
+ name = "ingestion-scanning-definition-update"
+ schedule_expression = "cron(15 6 * * ? *)" # 06:15 every day
+}
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated
new file mode 100644
index 00000000000..8e7b9c4baaf
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated
@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_event_target" "ingestion_scanning_definition_update" {
+ rule = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.name
+ target_id = "ingestion_scanning_definition_update"
+ arn = module.definition_upload_lambda.lambda_function_arn
+}
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated
new file mode 100644
index 00000000000..1b18f04364c
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated
@@ -0,0 +1,3 @@
+resource "aws_cloudwatch_log_group" "transfer_structured_logs" {
+ name = "/aws/transfer-structured-logs"
+}
diff --git a/terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated b/terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated
new file mode 100644
index 00000000000..e69de29bb2d
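Review bot: `aws_cloudwatch_log_group.transfer_structured_logs` sets neither `retention_in_days` nor `kms_key_id`, so the Transfer Family structured logs routed to it by `structured_log_destinations` in transfer-servers.tf.deactivated (same patch) are kept indefinitely and encrypted only with the service default key. Those logs typically carry user names, source addresses and per-file activity, so a bounded retention is worth stating explicitly, e.g. `retention_in_days = 400` (example value; use the team's retention standard), together with a why-comment such as `# SFTP session/auth audit trail; retention is a compliance choice, not a cost one`. One of the KMS keys this series adds later could serve as `kms_key_id` if the audit trail is considered sensitive.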
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated
new file mode 100644
index 00000000000..d6229d0d054
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated
@@ -0,0 +1,273 @@
+module "definition_upload_lambda" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+ source = "terraform-aws-modules/lambda/aws"
+ version = "7.2.1"
+
+ publish = true
+ create_package = false
+
+ function_name = "ingestion-definition-upload"
+ description = ""
+ package_type = "Image"
+ memory_size = 2048
+ timeout = 900
+ image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-family-transfer-server:release-0.0.3"
+
+ environment_variables = {
+ MODE = "definition-upload",
+ CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id
+ }
+
+ attach_policy_statements = true
+ policy_statements = {
+ kms_access = {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ]
+ resources = [module.s3_definitions_kms.key_arn]
+ },
+ s3_access = {
+ sid = "AllowS3"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject"
+ ]
+ resources = ["arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*"]
+ }
+ }
+
+ allowed_triggers = {
+ "eventbridge" = {
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn
+ }
+ }
+}
+
+module "scan_lambda" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+ source = "terraform-aws-modules/lambda/aws"
+ version = "7.2.1"
+
+ publish = true
+ create_package = false
+
+ function_name = "ingestion-scan"
+ description = ""
+ package_type = "Image"
+ memory_size = 2048
+ ephemeral_storage_size = 10240
+ timeout = 900
+ image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-family-transfer-server:release-0.0.3"
+
+ environment_variables = {
+ MODE = "scan",
+ CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id
+ LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id
+ QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id
+ PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id
+ }
+
+ attach_policy_statements = true
+ policy_statements = {
+ kms_access = {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ]
+ resources = [
+ module.s3_definitions_kms.key_arn,
+ module.s3_landing_kms.key_arn,
+ module.s3_quarantine_kms.key_arn,
+ module.s3_processed_kms.key_arn,
+ ]
+ },
+ s3_access = {
+ sid = "AllowS3"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:CopyObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:PutObjectTagging"
+ ]
+ resources = [
+ "arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*",
+ "arn:aws:s3:::${module.landing_bucket.s3_bucket_id}/*",
+ "arn:aws:s3:::${module.quarantine_bucket.s3_bucket_id}/*",
+ "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"
+ ]
+ }
+ }
+
+ allowed_triggers = {
+ "s3" = {
+ principal = "s3.amazonaws.com"
+ source_arn = module.landing_bucket.s3_bucket_arn
+ }
+ }
+}
+
+module "notify_lambda" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+ source = "terraform-aws-modules/lambda/aws"
+ version = "7.2.1"
+
+ publish = true
+ create_package = false
+
+ function_name = "ingestion-notify"
+ description = ""
+ package_type = "Image"
+ memory_size = 2048
+ ephemeral_storage_size = 10240
+ timeout = 900
+ image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-notify:9"
+
+ environment_variables = {
+ CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id
+ LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id
+ QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id
+ PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id
+ GOVUK_NOTIFY_API_KEY_SECRET = "ingestion/govuk-notify/api-key"
+ GOVUK_NOTIFY_TEMPLATES_SECRET = "ingestion/govuk-notify/templates"
+ }
+
+ # TODO: Check if KMS key is actually needed below
+ attach_policy_statements = true
+ policy_statements = {
+ kms_access = {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ]
+ resources = [
+ module.sns_kms.key_arn,
+ module.govuk_notify_kms.key_arn,
+ module.supplier_data_kms.key_arn
+ ]
+ },
+ secretsmanager_access = {
+ sid = "AllowSecretsManager"
+ effect = "Allow"
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"]
+ }
+ }
+
+ allowed_triggers = {
+ "s3" = {
+ principal = "s3.amazonaws.com"
+ source_arn = module.quarantine_bucket.s3_bucket_arn
+ }
+ }
+}
+
+module "transfer_lambda" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+ source = "terraform-aws-modules/lambda/aws"
+ version = "7.2.1"
+
+ publish = true
+ create_package = false
+
+ function_name = "ingestion-transfer"
+ description = ""
+ package_type = "Image"
+ memory_size = 2048
+ ephemeral_storage_size = 10240
+ timeout = 900
+ image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-transfer:14"
+
+ environment_variables = {
+ PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id
+ }
+
+ # TODO: Check if KMS key is actually needed below
+ attach_policy_statements = true
+ policy_statements = {
+ kms_access = {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt"
+ ]
+ resources = [
+ module.s3_processed_kms.key_arn,
+ module.supplier_data_kms.key_arn
+ ]
+ },
+ secretsmanager_access = {
+ sid = "AllowSecretsManager"
+ effect = "Allow"
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"]
+ },
+ s3_source_object = {
+ sid = "AllowSourceObject"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:GetObjectTagging"
+ ],
+ resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"]
+ },
+ s3_source_bucket = {
+ sid = "AllowSourceBucket"
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket"
+ ],
+ resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}"]
+ },
+ s3_destination_object = {
+ sid = "AllowDestinationObject"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:PutObjectTagging"
+ ]
+ resources = ["arn:aws:s3:::dev-ingestion-testing/*"]
+ },
+ s3_destination_bucket = {
+ sid = "AllowDestinationBucket"
+ effect = "Allow"
+ actions = [
+ "s3:ListBucket"
+ ]
+ resources = ["arn:aws:s3:::dev-ingestion-testing"]
+ }
+ }
+
+ allowed_triggers = {
+ "s3" = {
+ principal = "s3.amazonaws.com"
+ source_arn = module.processed_bucket.s3_bucket_arn
+ }
+ }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated
new file mode 100644
index 00000000000..5376a2d8ddc
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated
@@ -0,0 +1,44 @@
+module "ingestion_landing" {
+ source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
+ version = "4.1.0"
+
+ bucket = module.landing_bucket.s3_bucket_id
+
+ lambda_notifications = {
+ ingestion_scan = {
+ function_name = module.scan_lambda.lambda_function_name
+ function_arn = module.scan_lambda.lambda_function_arn
+ events = ["s3:ObjectCreated:*"]
+ }
+ }
+}
+
+module "ingestion_quarantine" {
+ source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
+ version = "4.1.0"
+
+ bucket = module.quarantine_bucket.s3_bucket_id
+
+ lambda_notifications = {
+ ingestion_notify = {
+ function_name = module.notify_lambda.lambda_function_name
+ function_arn = module.notify_lambda.lambda_function_arn
+ events = ["s3:ObjectCreated:*"]
+ }
+ }
+}
+
+module "ingestion_transfer" {
+ source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
+ version = "4.1.0"
+
+ bucket = module.processed_bucket.s3_bucket_id
+
+ lambda_notifications = {
+ ingestion_notify = {
+ function_name = module.transfer_lambda.lambda_function_name
+ function_arn = module.transfer_lambda.lambda_function_arn
+ events = ["s3:ObjectCreated:*"]
+ }
+ }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf.deactivated b/terraform/environments/analytical-platform-ingestion/s3.tf.deactivated
new file mode 100644
index 00000000000..64203d16e02
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/s3.tf.deactivated
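Review bot: In `module "ingestion_transfer"` the `lambda_notifications` key is `ingestion_notify` although the entry wires `module.transfer_lambda`; that key is, I believe, used by the module as the notification's identifier, so the copy-paste label should be `ingestion_transfer = {` to match the module name and the lambda. A one-line comment on each of the three modules naming the pipeline stage (landing → scan, quarantine → notify, processed → transfer) would also help, because the processing chain is only visible by reading all three blocks together. Note that the processed-bucket trigger fires on `s3:ObjectCreated:*`, so any other writer to that bucket will also invoke the transfer lambda.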
@@ -0,0 +1,74 @@
+module "landing_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.1.0"
+
+ bucket = "analytical-platform-landing"
+ # TODO: Is this needed below?
+ force_destroy = true
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ kms_master_key_id = module.s3_landing_kms.key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
+
+module "quarantine_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.1.0"
+
+ bucket = "analytical-platform-quarantine"
+ # TODO: Is this needed below?
+ force_destroy = true
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ kms_master_key_id = module.s3_quarantine_kms.key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
+
+
+module "definitions_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.1.0"
+
+ bucket = "analytical-platform-definitions"
+ # TODO: Is this needed below?
+ force_destroy = true
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ kms_master_key_id = module.s3_definitions_kms.key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
+
+
+
+module "processed_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.1.0"
+
+ bucket = "analytical-platform-processed"
+ # TODO: Is this needed below?
+ force_destroy = true
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ kms_master_key_id = module.s3_processed_kms.key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated b/terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated
new file mode 100644
index 00000000000..3010c98f433
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated
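Review bot: All four buckets set `force_destroy = true` (the TODO already flags it) but none enables versioning or the module's deny-insecure-transport policy, and the landing and quarantine buckets will hold supplier uploads and suspected-malicious files respectively. Adding `attach_deny_insecure_transport_policy = true` to each module, and `versioning = { enabled = true }` at least on landing and processed, means an object overwritten or deleted by the scan/transfer lambdas (which hold `s3:DeleteObject` in this patch) can still be recovered; a lifecycle rule on quarantine would bound how long flagged files are retained. The `# TODO: Is this needed below?` comment would be clearer as `# force_destroy lets terraform destroy delete a non-empty bucket; acceptable in development only`.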
@@ -0,0 +1,11 @@
+# TODO look at using https://registry.terraform.io/modules/terraform-aws-modules/secrets-manager/aws/latest
+resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
+ name = "ingestion/govuk-notify/api-key"
+ description = "This is Analytical Platform's GOV.UK Notify Team API key"
+ kms_key_id = module.govuk_notify_kms.key_arn
+}
+
+resource "aws_secretsmanager_secret" "govuk_notify_templates" {
+ name = "ingestion/govuk-notify/templates"
+ kms_key_id = module.govuk_notify_kms.key_arn
+}
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated
new file mode 100644
index 00000000000..519b2ac7cfe
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated
@@ -0,0 +1,34 @@
+
+resource "aws_transfer_server" "this" {
+ protocols = ["SFTP"]
+ identity_provider_type = "SERVICE_MANAGED"
+ domain = "S3"
+ post_authentication_login_banner = "Analytical Platform Ingestion - Development" # This doesn't work, at least on macOS SFTP client
+
+ endpoint_type = "VPC"
+ endpoint_details {
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.public_subnets
+ address_allocation_ids = [
+ aws_eip.transfer_server[0].id,
+ aws_eip.transfer_server[1].id,
+ aws_eip.transfer_server[2].id,
+ ]
+ security_group_ids = [
+ aws_security_group.transfer_server.id
+ ]
+ }
+
+ security_policy_name = "TransferSecurityPolicy-2024-01"
+
+ # Logging role is only required when using Managed workflows.
+ # logging_role = module.transfer_family_service_role.iam_role_arn
+
+ structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
+}
+
+resource "aws_transfer_tag" "this" {
+ resource_arn = aws_transfer_server.this.arn
+ key = "aws:transfer:customHostname"
+ value = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk"
+}
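Review bot: `aws_secretsmanager_secret.govuk_notify_templates` has no `description`, unlike its sibling two lines above; `description = "GOV.UK Notify template identifiers used by the ingestion notify Lambda"` (wording is my guess at the contents — adjust) keeps the pair consistent and self-explaining in the console. Neither resource sets `recovery_window_in_days`, so the provider default applies; that is reasonable, but a short comment saying the values are populated outside Terraform would spare the next reader a search for a missing `aws_secretsmanager_secret_version`.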
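Review bot: `aws_transfer_server.this` is internet-facing — `endpoint_type = "VPC"` on `module.vpc.public_subnets` with three EIPs — and nothing in this hunk limits which addresses can reach it; the only network control is `aws_security_group.transfer_server`, whose rules are not in this patch and are presumably attached per user by `./modules/transfer-family/user` from the `cidr_blocks` input in transfer-user.tf.deactivated (inferred from the module inputs). A comment on the `security_group_ids` line such as `# ingress is added per supplier CIDR by modules/transfer-family/user; no rules are defined on the group itself` would make that dependency visible to anyone editing the group. The comment on `post_authentication_login_banner` says it does not work; if the line stays, it should say what behaviour was expected so a silently dropped banner is not mistaken for a control.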
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated
new file mode 100644
index 00000000000..2499bff2e87
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated
@@ -0,0 +1,28 @@
+locals {
+ sftp_users = {
+ "jacobwoffenden" = {
+ ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+3qaLVtn6Pd+DasWHhIOBoXEEhF9GZAG+DYfJBeySS Ministry of Justice"
+ cidr_blocks = ["90.246.52.170/32", "82.132.238.3/32"]
+ },
+ "garyhenderson" = {
+ ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2lrI7AhZ9Sy/JAVDfPPEkCZawuuVJ7MHg6NNAwYImb"
+ cidr_blocks = ["154.47.111.68/32"]
+ }
+ }
+}
+
+module "sftp_users" {
+ for_each = local.sftp_users
+
+ source = "./modules/transfer-family/user"
+
+ name = each.key
+ ssh_key = each.value.ssh_key
+ cidr_blocks = each.value.cidr_blocks
+
+ transfer_server = aws_transfer_server.this.id
+ transfer_server_security_group = aws_security_group.transfer_server.id
+ landing_bucket = module.landing_bucket.s3_bucket_id
+ landing_bucket_kms_key = module.s3_landing_kms.key_arn
+ supplier_data_kms_key = module.supplier_data_kms.key_arn
+}
diff --git a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated
new file mode 100644
index 00000000000..0d25829f5b6
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated
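Review bot: `local.sftp_users` hard-codes two named individuals' SSH public keys and /32 source addresses in the repository, and through `module.sftp_users` that map is the complete authentication and network allow-list for an internet-facing SFTP endpoint. Who can log in is then changed only via a Terraform diff, and the addresses are personal data if this repository is public (I cannot tell from the patch); sourcing the map from a variable (`for_each = var.sftp_users`) fed by a tfvars file kept outside the repo, or from Secrets Manager, keeps the access policy and the addresses out of version history. A comment above `sftp_users` noting that these are development test identities (inferred from the server banner `Analytical Platform Ingestion - Development`) would also stop the block being copied as-is into another environment.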
@@ -0,0 +1,19 @@
+module "transfer_family_service_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "5.37.1"
+
+ create_role = true
+
+ role_name = "transfer-family-service-role"
+ role_requires_mfa = false
+
+ trusted_role_services = ["transfer.amazonaws.com"]
+
+ custom_role_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"]
+
+
+ # TODO: Tagging
+ # tags = local.tags
+}
From 2eca338b039e97ff18bd3fd8e8078b3602aa2a48 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:17:27 +0000
Subject: [PATCH 02/13] Add Transfer server + associated components
---
 ...h-log-groups.tf.deactivated => cloudwatch-log-groups.tf} | 0
 .../environments/analytical-platform-ingestion/eips.tf | 6 ++++++
 .../analytical-platform-ingestion/security-groups.tf | 6 ++++++
 ...{transfer-servers.tf.deactivated => transfer-servers.tf} | 0
 4 files changed, 12 insertions(+)
 rename terraform/environments/analytical-platform-ingestion/{cloudwatch-log-groups.tf.deactivated => cloudwatch-log-groups.tf} (100%)
 create mode 100644 terraform/environments/analytical-platform-ingestion/eips.tf
 rename terraform/environments/analytical-platform-ingestion/{transfer-servers.tf.deactivated => transfer-servers.tf} (100%)
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
diff --git a/terraform/environments/analytical-platform-ingestion/eips.tf b/terraform/environments/analytical-platform-ingestion/eips.tf
new file mode 100644
index 00000000000..45498031c92
--- /dev/null
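Review bot: `module.transfer_family_service_role` is created but nothing in this patch consumes it — its only reference, `logging_role` in transfer-servers.tf.deactivated, is commented out — so a role trusted by `transfer.amazonaws.com` with `AWSTransferLoggingAccess` would exist with no consumer, which is the kind of unused privilege that tends to outlive its purpose. Either wire it up (`logging_role = module.transfer_family_service_role.iam_role_arn`) or keep this file deactivated until managed workflows are adopted, with a comment above the module saying so. `role_requires_mfa = false` deserves a why-comment (`# service role assumed by transfer.amazonaws.com; MFA is not applicable to service principals`), and the file name `transform-iam-roles` looks like a typo for `transfer-iam-roles`.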
+++ b/terraform/environments/analytical-platform-ingestion/eips.tf
@@ -0,0 +1,6 @@
+# TODO: make this more elegant, use az count
+resource "aws_eip" "transfer_server" {
+ count = 3
+
+ domain = "vpc"
+}
diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf
index 17dc9ceeb5f..1faaf16b396 100644
--- a/terraform/environments/analytical-platform-ingestion/security-groups.tf
+++ b/terraform/environments/analytical-platform-ingestion/security-groups.tf
@@ -4,3 +4,9 @@ resource "aws_security_group" "vpc_endpoints" {
 vpc_id = module.vpc.vpc_id
 tags = local.tags
 }
+
+resource "aws_security_group" "transfer_server" {
+ description = "Security Group for Transfer Server"
+ name = "transfer-server"
+ vpc_id = module.vpc.vpc_id
+}
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/transfer-servers.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/transfer-servers.tf
From 61893c55022fe8f280d749f7a3b547e5c2750248 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:22:17 +0000
Subject: [PATCH 03/13] =?UTF-8?q?=F0=9F=A4=90=20Add=20Secrets=20+=20KMS=20?= =?UTF-8?q?keys?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../analytical-platform-ingestion/kms-keys.tf | 83 +++++++++++++++++++
 .../{secrets.tf.deactivated => secrets.tf} | 0
 2 files changed, 83 insertions(+)
 create mode 100644 terraform/environments/analytical-platform-ingestion/kms-keys.tf
 rename terraform/environments/analytical-platform-ingestion/{secrets.tf.deactivated => secrets.tf} (100%)
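Review bot: `aws_security_group.transfer_server` declares no `ingress`/`egress` blocks and no `tags`, whereas the `vpc_endpoints` group in the context lines just above sets `tags = local.tags`. With no rule blocks Terraform also removes the default allow-all egress, which is acceptable for an inbound SFTP endpoint, but the per-user ingress rules this group will carry are not in the patch (presumably attached by `modules/transfer-family/user`, which receives `transfer_server_security_group`), so a comment such as `# ingress rules are attached per user by modules/transfer-family/user; keep this group rule-less` would document the intent. Adding `tags = local.tags` keeps it consistent with its sibling.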
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
new file mode 100644
index 00000000000..4e55287e9c1
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -0,0 +1,83 @@
+module "s3_landing_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["s3/landing"]
+ description = "Family SFTP Server, Landing S3 KMS Key"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "s3_processed_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["s3/processed"]
+ description = "Family SFTP Server, Processed S3 KMS Key"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "s3_quarantine_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["s3/quarantine"]
+ description = "Family SFTP Server, Quarantine S3 KMS Key"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "s3_definitions_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["s3/definitions"]
+ description = "Ingestion Scanning ClamAV S3 KMS Key"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "sns_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["sns/notify"]
+ description = "Key for SNS notifications"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "govuk_notify_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["secretsmanager/govuk-notify"]
+ description = "Key for GOV.UK Notify data"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
+
+module "supplier_data_kms" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/kms/aws"
+ version = "2.2.1"
+
+ aliases = ["secretsmanager/supplier-data"]
+ description = "Key for SFTP supplier data"
+ enable_default_policy = true
+
+ deletion_window_in_days = 7
+}
diff --git a/terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated b/terraform/environments/analytical-platform-ingestion/secrets.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/secrets.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/secrets.tf
From 539d226b235bccf115b9a7d18cf1abfa5fea1521 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:24:50 +0000
Subject: [PATCH 04/13] =?UTF-8?q?=F0=9F=AA=A3=20Add=20S3=20buckets?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../analytical-platform-ingestion/{s3.tf.deactivated => s3.tf} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename terraform/environments/analytical-platform-ingestion/{s3.tf.deactivated => s3.tf} (100%)
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf.deactivated b/terraform/environments/analytical-platform-ingestion/s3.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/s3.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/s3.tf
From f0905175e2ad51eaabf4671f20b6e9b9ff5d3d6c Mon Sep 17 00:00:00 2001
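Review bot: All seven keys set `deletion_window_in_days = 7`, the shortest window AWS permits, while the buckets they protect are created with `force_destroy = true` elsewhere in this series; a mistaken `terraform destroy` of `s3_landing_kms` or `supplier_data_kms` would leave one week to notice before supplier data becomes unrecoverable. Keeping the AWS default of 30 days, or shortening it only in development (e.g. `deletion_window_in_days = local.environment == "development" ? 7 : 30`, assuming `local.environment` is the value the later s3.tf refactor uses), is the safer default for keys that encrypt real data rather than test fixtures. A why-comment on `enable_default_policy = true` such as `# account-root key policy; per-principal access is granted through the IAM policies on the consuming roles` would record the trust model, since each Lambda policy in this series grants Decrypt/Encrypt/GenerateDataKey on these keys by ARN.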
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:28:09 +0000
Subject: [PATCH 05/13] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Refactor=20Bucket=20?= =?UTF-8?q?names?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../environments/analytical-platform-ingestion/s3.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
index 64203d16e02..9b5d304295d 100644
--- a/terraform/environments/analytical-platform-ingestion/s3.tf
+++ b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -2,7 +2,7 @@ module "landing_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "analytical-platform-landing" + bucket = "moj-ap-ingestion-${local.environment}-landing" # TODO: Is this needed below? force_destroy = true
@@ -20,7 +20,7 @@ module "quarantine_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "analytical-platform-quarantine" + bucket = "moj-ap-ingestion-${local.environment}-quarantine" # TODO: Is this needed below? force_destroy = true
@@ -39,7 +39,7 @@ module "definitions_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "analytical-platform-definitions" + bucket = "moj-ap-ingestion-${local.environment}-definitions" # TODO: Is this needed below? force_destroy = true
@@ -59,7 +59,7 @@ module "processed_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "analytical-platform-processed" + bucket = "moj-ap-ingestion-${local.environment}-processed" # TODO: Is this needed below? force_destroy = true
From bb40b6c4d3ed56f1750ef9479ade6aee42fc9fbe Mon Sep 17 00:00:00 2001
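Review bot: Changing `bucket` on all four modules forces bucket replacement, and because `force_destroy = true` is still set on each (visible in every hunk's context), applying this against any environment where the previous names were already created would delete those buckets and their contents without a prompt. If patch 04 was never applied anywhere the point is moot, but that assumption is worth stating in the commit message, and it is one more reason to limit `force_destroy` to development. The new names also depend on `local.environment`, which is not defined in this series as far as I can see; a comment pointing at where it comes from would help.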
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:54:53 +0000
Subject: [PATCH 06/13] Add Scan + Definition Upload Lambda
---
 ....deactivated => cloudwatch-event-rules.tf} | 0
 .../lambda-functions.tf | 273 ++++++++++++++++++
 .../lambda-functions.tf.deactivated | 273 ------------------
 3 files changed, 273 insertions(+), 273 deletions(-)
 rename terraform/environments/analytical-platform-ingestion/{cloudwatch-event-rules.tf.deactivated => cloudwatch-event-rules.tf} (100%)
 create mode 100644 terraform/environments/analytical-platform-ingestion/lambda-functions.tf
 delete mode 100644 terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
new file mode 100644
index 00000000000..a1a0d88b86d
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -0,0 +1,273 @@ +module "definition_upload_lambda" { + #checkov:skip=CKV_TF_1:Module is from Terraform registry + source = "terraform-aws-modules/lambda/aws" + version = "7.2.1" + + publish = true + create_package = false + + function_name = "definition-upload" + description = "Uploads ClamAV definitions to S3 bucket" + package_type = "Image" + memory_size = 2048 + timeout = 900 + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:0.0.3" + + environment_variables = { + MODE = "definition-upload", + CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id + } + + attach_policy_statements = true + policy_statements = { + kms_access = { + sid = "AllowKMS" + effect = "Allow" + actions = [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Encrypt", + "kms:DescribeKey", + "kms:Decrypt" + ] + resources = [module.s3_definitions_kms.key_arn] + }, + s3_access = { + sid = "AllowS3" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject" + ] + resources = ["arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*"] + } + } + + allowed_triggers = { + "eventbridge" = { + principal = "events.amazonaws.com" + source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn + } + } +} + +module "scan_lambda" { + #checkov:skip=CKV_TF_1:Module is from Terraform registry + source = "terraform-aws-modules/lambda/aws" + version = "7.2.1" + + publish = true + create_package = false + + function_name = "scan" + description = "Uses ClamAV to scan files" + package_type = "Image" + memory_size = 2048 + ephemeral_storage_size = 10240 + timeout = 900 + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:0.0.3" + + environment_variables = { + MODE = "scan", + CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id + LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id + QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id + 
PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id + } + + attach_policy_statements = true + policy_statements = { + kms_access = { + sid = "AllowKMS" + effect = "Allow" + actions = [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Encrypt", + "kms:DescribeKey", + "kms:Decrypt" + ] + resources = [ + module.s3_definitions_kms.key_arn, + module.s3_landing_kms.key_arn, + module.s3_quarantine_kms.key_arn, + module.s3_processed_kms.key_arn, # TODO: Review + ] + }, + s3_access = { + sid = "AllowS3" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:CopyObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:PutObjectTagging" + ] + resources = [ + "arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*", + "arn:aws:s3:::${module.landing_bucket.s3_bucket_id}/*", + "arn:aws:s3:::${module.quarantine_bucket.s3_bucket_id}/*", + "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*" # TODO: Review + ] + } + } + + allowed_triggers = { + "s3" = { + principal = "s3.amazonaws.com" + source_arn = module.landing_bucket.s3_bucket_arn + } + } +} + +# module "notify_lambda" { +# #checkov:skip=CKV_TF_1:Module is from Terraform registry +# source = "terraform-aws-modules/lambda/aws" +# version = "7.2.1" + +# publish = true +# create_package = false + +# function_name = "ingestion-notify" +# description = "" +# package_type = "Image" +# memory_size = 2048 +# ephemeral_storage_size = 10240 +# timeout = 900 +# image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-notify:9" + +# environment_variables = { +# CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id +# LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id +# QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id +# PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id +# GOVUK_NOTIFY_API_KEY_SECRET = "ingestion/govuk-notify/api-key" +# GOVUK_NOTIFY_TEMPLATES_SECRET = "ingestion/govuk-notify/templates" +# } + +# # TODO: Check if KMS key is actually 
needed below +# attach_policy_statements = true +# policy_statements = { +# kms_access = { +# sid = "AllowKMS" +# effect = "Allow" +# actions = [ +# "kms:ReEncrypt*", +# "kms:GenerateDataKey*", +# "kms:Encrypt", +# "kms:DescribeKey", +# "kms:Decrypt" +# ] +# resources = [ +# module.sns_kms.key_arn, +# module.govuk_notify_kms.key_arn, +# module.supplier_data_kms.key_arn +# ] +# }, +# secretsmanager_access = { +# sid = "AllowSecretsManager" +# effect = "Allow" +# actions = ["secretsmanager:GetSecretValue"] +# resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] +# } +# } + +# allowed_triggers = { +# "s3" = { +# principal = "s3.amazonaws.com" +# source_arn = module.quarantine_bucket.s3_bucket_arn +# } +# } +# } + +# module "transfer_lambda" { +# #checkov:skip=CKV_TF_1:Module is from Terraform registry +# source = "terraform-aws-modules/lambda/aws" +# version = "7.2.1" + +# publish = true +# create_package = false + +# function_name = "ingestion-transfer" +# description = "" +# package_type = "Image" +# memory_size = 2048 +# ephemeral_storage_size = 10240 +# timeout = 900 +# image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-transfer:14" + +# environment_variables = { +# PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id +# } + +# # TODO: Check if KMS key is actually needed below +# attach_policy_statements = true +# policy_statements = { +# kms_access = { +# sid = "AllowKMS" +# effect = "Allow" +# actions = [ +# "kms:ReEncrypt*", +# "kms:GenerateDataKey*", +# "kms:Encrypt", +# "kms:DescribeKey", +# "kms:Decrypt" +# ] +# resources = [ +# module.s3_processed_kms.key_arn, +# module.supplier_data_kms.key_arn +# ] +# }, +# secretsmanager_access = { +# sid = "AllowSecretsManager" +# effect = "Allow" +# actions = ["secretsmanager:GetSecretValue"] +# resources = 
["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] +# }, +# s3_source_object = { +# sid = "AllowSourceObject" +# effect = "Allow" +# actions = [ +# "s3:GetObject", +# "s3:DeleteObject", +# "s3:GetObjectTagging" +# ], +# resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"] +# }, +# s3_source_bucket = { +# sid = "AllowSourceBucket" +# effect = "Allow" +# actions = [ +# "s3:ListBucket" +# ], +# resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}"] +# }, +# s3_destination_object = { +# sid = "AllowDestinationObject" +# effect = "Allow" +# actions = [ +# "s3:GetObject", +# "s3:PutObject", +# "s3:DeleteObject", +# "s3:PutObjectTagging" +# ] +# resources = ["arn:aws:s3:::dev-ingestion-testing/*"] +# }, +# s3_destination_bucket = { +# sid = "AllowDestinationBucket" +# effect = "Allow" +# actions = [ +# "s3:ListBucket" +# ] +# resources = ["arn:aws:s3:::dev-ingestion-testing"] +# } +# } + +# allowed_triggers = { +# "s3" = { +# principal = "s3.amazonaws.com" +# source_arn = module.processed_bucket.s3_bucket_arn +# } +# } +# } diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated deleted file mode 100644 index d6229d0d054..00000000000 --- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf.deactivated +++ /dev/null 
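Review bot: `s3:CopyObject` in the `scan_lambda` `s3_access` statement is not an IAM action (S3 authorises a copy with `s3:GetObject` on the source and `s3:PutObject` on the destination), so the entry should be dropped rather than left to suggest a permission that does not exist. The same statement grants Get/Put/Delete/Tag on all four buckets, including `s3:DeleteObject` on the definitions bucket, to the function that runs ClamAV over untrusted uploads; one statement per bucket keeps a scanner compromise from rewriting the definitions or writing unscanned objects into the processed bucket, roughly as below (the exact verbs need to match what the scan image actually does). Both `image_uri` values pin a mutable tag (`...-scan:0.0.3`); pinning the image digest (`@sha256:...`) would make the deployed scanner immutable. `CLAMAV_DEFINITON_BUCKET_NAME` is misspelled in both modules; since the image presumably reads that exact name, fix it together with the image or leave it as is.
```hcl
  policy_statements = {
    # … unchanged: kms_access …
    s3_definitions_read = {
      sid       = "AllowDefinitionsRead"
      effect    = "Allow"
      actions   = ["s3:GetObject"]
      resources = ["arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*"]
    },
    s3_landing = {
      sid       = "AllowLanding"
      effect    = "Allow"
      actions   = ["s3:GetObject", "s3:GetObjectTagging", "s3:DeleteObject"]
      resources = ["arn:aws:s3:::${module.landing_bucket.s3_bucket_id}/*"]
    },
    s3_scan_outputs = {
      sid       = "AllowScanOutputs"
      effect    = "Allow"
      actions   = ["s3:PutObject", "s3:PutObjectTagging"]
      resources = [
        "arn:aws:s3:::${module.quarantine_bucket.s3_bucket_id}/*",
        "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"
      ]
    }
  }
```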
@@ -1,273 +0,0 @@ -module "definition_upload_lambda" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - source = "terraform-aws-modules/lambda/aws" - version = "7.2.1" - - publish = true - create_package = false - - function_name = "ingestion-definition-upload" - description = "" - package_type = "Image" - memory_size = 2048 - timeout = 900 - image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-family-transfer-server:release-0.0.3" - - environment_variables = { - MODE = "definition-upload", - CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id - } - - attach_policy_statements = true - policy_statements = { - kms_access = { - sid = "AllowKMS" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Encrypt", - "kms:DescribeKey", - "kms:Decrypt" - ] - resources = [module.s3_definitions_kms.key_arn] - }, - s3_access = { - sid = "AllowS3" - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:PutObject" - ] - resources = ["arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*"] - } - } - - allowed_triggers = { - "eventbridge" = { - principal = "events.amazonaws.com" - source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn - } - } -} - -module "scan_lambda" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - source = "terraform-aws-modules/lambda/aws" - version = "7.2.1" - - publish = true - create_package = false - - function_name = "ingestion-scan" - description = "" - package_type = "Image" - memory_size = 2048 - ephemeral_storage_size = 10240 - timeout = 900 - image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-family-transfer-server:release-0.0.3" - - environment_variables = { - MODE = "scan", - CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id - LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id - QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id - PROCESSED_BUCKET_NAME = 
module.processed_bucket.s3_bucket_id - } - - attach_policy_statements = true - policy_statements = { - kms_access = { - sid = "AllowKMS" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Encrypt", - "kms:DescribeKey", - "kms:Decrypt" - ] - resources = [ - module.s3_definitions_kms.key_arn, - module.s3_landing_kms.key_arn, - module.s3_quarantine_kms.key_arn, - module.s3_processed_kms.key_arn, - ] - }, - s3_access = { - sid = "AllowS3" - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:CopyObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:PutObjectTagging" - ] - resources = [ - "arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*", - "arn:aws:s3:::${module.landing_bucket.s3_bucket_id}/*", - "arn:aws:s3:::${module.quarantine_bucket.s3_bucket_id}/*", - "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*" - ] - } - } - - allowed_triggers = { - "s3" = { - principal = "s3.amazonaws.com" - source_arn = module.landing_bucket.s3_bucket_arn - } - } -} - -module "notify_lambda" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - source = "terraform-aws-modules/lambda/aws" - version = "7.2.1" - - publish = true - create_package = false - - function_name = "ingestion-notify" - description = "" - package_type = "Image" - memory_size = 2048 - ephemeral_storage_size = 10240 - timeout = 900 - image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-notify:9" - - environment_variables = { - CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id - LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id - QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id - PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id - GOVUK_NOTIFY_API_KEY_SECRET = "ingestion/govuk-notify/api-key" - GOVUK_NOTIFY_TEMPLATES_SECRET = "ingestion/govuk-notify/templates" - } - - # TODO: Check if KMS key is actually needed below - attach_policy_statements = true - policy_statements = { - 
kms_access = { - sid = "AllowKMS" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Encrypt", - "kms:DescribeKey", - "kms:Decrypt" - ] - resources = [ - module.sns_kms.key_arn, - module.govuk_notify_kms.key_arn, - module.supplier_data_kms.key_arn - ] - }, - secretsmanager_access = { - sid = "AllowSecretsManager" - effect = "Allow" - actions = ["secretsmanager:GetSecretValue"] - resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] - } - } - - allowed_triggers = { - "s3" = { - principal = "s3.amazonaws.com" - source_arn = module.quarantine_bucket.s3_bucket_arn - } - } -} - -module "transfer_lambda" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - source = "terraform-aws-modules/lambda/aws" - version = "7.2.1" - - publish = true - create_package = false - - function_name = "ingestion-transfer" - description = "" - package_type = "Image" - memory_size = 2048 - ephemeral_storage_size = 10240 - timeout = 900 - image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-transfer:14" - - environment_variables = { - PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id - } - - # TODO: Check if KMS key is actually needed below - attach_policy_statements = true - policy_statements = { - kms_access = { - sid = "AllowKMS" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Encrypt", - "kms:DescribeKey", - "kms:Decrypt" - ] - resources = [ - module.s3_processed_kms.key_arn, - module.supplier_data_kms.key_arn - ] - }, - secretsmanager_access = { - sid = "AllowSecretsManager" - effect = "Allow" - actions = ["secretsmanager:GetSecretValue"] - resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] - }, - s3_source_object = { - sid = "AllowSourceObject" - effect = "Allow" - actions = [ - "s3:GetObject", - 
"s3:DeleteObject", - "s3:GetObjectTagging" - ], - resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"] - }, - s3_source_bucket = { - sid = "AllowSourceBucket" - effect = "Allow" - actions = [ - "s3:ListBucket" - ], - resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}"] - }, - s3_destination_object = { - sid = "AllowDestinationObject" - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:PutObjectTagging" - ] - resources = ["arn:aws:s3:::dev-ingestion-testing/*"] - }, - s3_destination_bucket = { - sid = "AllowDestinationBucket" - effect = "Allow" - actions = [ - "s3:ListBucket" - ] - resources = ["arn:aws:s3:::dev-ingestion-testing"] - } - } - - allowed_triggers = { - "s3" = { - principal = "s3.amazonaws.com" - source_arn = module.processed_bucket.s3_bucket_arn - } - } -} From e0c5b94f78281d8925936bb436df2a2e08e28e52 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:12:02 +0000 Subject: [PATCH 07/13] Remove TODOs --- .../lambda-functions.tf | 174 +++++++++--------- 1 file changed, 87 insertions(+), 87 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf index a1a0d88b86d..2b49a38f41f 100644 --- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf +++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf @@ -91,7 +91,7 @@ module "scan_lambda" { module.s3_definitions_kms.key_arn, module.s3_landing_kms.key_arn, module.s3_quarantine_kms.key_arn, - module.s3_processed_kms.key_arn, # TODO: Review + module.s3_processed_kms.key_arn, ] }, s3_access = { 
@@ -108,7 +108,7 @@ module "scan_lambda" {
 "arn:aws:s3:::${module.definitions_bucket.s3_bucket_id}/*",
 "arn:aws:s3:::${module.landing_bucket.s3_bucket_id}/*",
 "arn:aws:s3:::${module.quarantine_bucket.s3_bucket_id}/*",
- "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*" # TODO: Review
+ "arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"
 ]
 }
 }
@@ -181,93 +181,93 @@ module "scan_lambda" { # } # } -# module "transfer_lambda" { -# #checkov:skip=CKV_TF_1:Module is from Terraform registry -# source = "terraform-aws-modules/lambda/aws" -# version = "7.2.1" +module "transfer_lambda" { + #checkov:skip=CKV_TF_1:Module is from Terraform registry + source = "terraform-aws-modules/lambda/aws" + version = "7.2.1" -# publish = true -# create_package = false + publish = true + create_package = false -# function_name = "ingestion-transfer" -# description = "" -# package_type = "Image" -# memory_size = 2048 -# ephemeral_storage_size = 10240 -# timeout = 900 -# image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-transfer:14" + function_name = "ingestion-transfer" + description = "" + package_type = "Image" + memory_size = 2048 + ephemeral_storage_size = 10240 + timeout = 900 + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-transfer:0.0.1" -# environment_variables = { -# PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id -# } + environment_variables = { + PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id + } -# # TODO: Check if KMS key is actually needed below -# attach_policy_statements = true -# policy_statements = { -# kms_access = { -# sid = "AllowKMS" -# effect = "Allow" -# actions = [ -# "kms:ReEncrypt*", -# "kms:GenerateDataKey*", -# "kms:Encrypt", -# "kms:DescribeKey", -# "kms:Decrypt" -# ] -# resources = [ -# module.s3_processed_kms.key_arn, -# module.supplier_data_kms.key_arn -# ] -# }, -# secretsmanager_access = { -# sid = "AllowSecretsManager" -# effect = "Allow" -# actions = ["secretsmanager:GetSecretValue"] -# resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] -# }, -# s3_source_object = { -# sid = "AllowSourceObject" -# effect = "Allow" -# actions = [ -# "s3:GetObject", -# "s3:DeleteObject", -# "s3:GetObjectTagging" -# ], -# resources = 
["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"] -# }, -# s3_source_bucket = { -# sid = "AllowSourceBucket" -# effect = "Allow" -# actions = [ -# "s3:ListBucket" -# ], -# resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}"] -# }, -# s3_destination_object = { -# sid = "AllowDestinationObject" -# effect = "Allow" -# actions = [ -# "s3:GetObject", -# "s3:PutObject", -# "s3:DeleteObject", -# "s3:PutObjectTagging" -# ] -# resources = ["arn:aws:s3:::dev-ingestion-testing/*"] -# }, -# s3_destination_bucket = { -# sid = "AllowDestinationBucket" -# effect = "Allow" -# actions = [ -# "s3:ListBucket" -# ] -# resources = ["arn:aws:s3:::dev-ingestion-testing"] -# } -# } + # TODO: Check if KMS key is actually needed below + attach_policy_statements = true + policy_statements = { + kms_access = { + sid = "AllowKMS" + effect = "Allow" + actions = [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Encrypt", + "kms:DescribeKey", + "kms:Decrypt" + ] + resources = [ + module.s3_processed_kms.key_arn, + module.supplier_data_kms.key_arn + ] + }, + secretsmanager_access = { + sid = "AllowSecretsManager" + effect = "Allow" + actions = ["secretsmanager:GetSecretValue"] + resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] + }, + s3_source_object = { + sid = "AllowSourceObject" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:DeleteObject", + "s3:GetObjectTagging" + ], + resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}/*"] + }, + s3_source_bucket = { + sid = "AllowSourceBucket" + effect = "Allow" + actions = [ + "s3:ListBucket" + ], + resources = ["arn:aws:s3:::${module.processed_bucket.s3_bucket_id}"] + }, + s3_destination_object = { + sid = "AllowDestinationObject" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:PutObjectTagging" + ] + resources = ["arn:aws:s3:::dev-ingestion-testing/*"] # TODO: Update 
to correct bucket + }, + s3_destination_bucket = { + sid = "AllowDestinationBucket" + effect = "Allow" + actions = [ + "s3:ListBucket" + ] + resources = ["arn:aws:s3:::dev-ingestion-testing"] # TODO: Update to correct bucket + } + } -# allowed_triggers = { -# "s3" = { -# principal = "s3.amazonaws.com" -# source_arn = module.processed_bucket.s3_bucket_arn -# } -# } -# } + allowed_triggers = { + "s3" = { + principal = "s3.amazonaws.com" + source_arn = module.processed_bucket.s3_bucket_arn + } + } +} From 7132651bb50bcb9002bbc4e664d8ae64b5989386 Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:15:09 +0000 Subject: [PATCH 08/13] Remove ECR Repository TF --- .../analytical-platform-ingestion/ecr-repositories.tf.deactivated | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated diff --git a/terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated b/terraform/environments/analytical-platform-ingestion/ecr-repositories.tf.deactivated deleted file mode 100644 index e69de29bb2d..00000000000 From 20abafa186851c0eacf6768c170c33114211da3d Mon Sep 17 00:00:00 2001 From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:16:57 +0000 Subject: [PATCH 09/13] Remove notify lambda for MVP --- .../lambda-functions.tf | 60 ------------------- 1 file changed, 60 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf index 2b49a38f41f..722ebd7d7a6 100644 --- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf +++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf 
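Review bot: The commit is titled "Remove TODOs" but this hunk adds two new `# TODO: Update to correct bucket` markers and keeps `# TODO: Check if KMS key is actually needed below`, while activating `transfer_lambda` with the destination hard-coded to `dev-ingestion-testing` for every environment. The `s3_destination_object` statement also grants `s3:DeleteObject` on that destination; a function that copies out of the processed bucket should only need `s3:PutObject`/`s3:PutObjectTagging` there unless the transfer image deletes on the far side, which nothing in this module indicates. `secretsmanager:GetSecretValue` on `secret:ingestion/*` has no matching secret name in `environment_variables`, so it looks carried over from the notify lambda rather than needed here. `description = ""` also breaks with the other two modules, which say what the function does; something like `description = "Transfers scanned files from the processed bucket to the target buckets"` would match them.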
@@ -121,66 +121,6 @@ module "scan_lambda" { } } -# module "notify_lambda" { -# #checkov:skip=CKV_TF_1:Module is from Terraform registry -# source = "terraform-aws-modules/lambda/aws" -# version = "7.2.1" - -# publish = true -# create_package = false - -# function_name = "ingestion-notify" -# description = "" -# package_type = "Image" -# memory_size = 2048 -# ephemeral_storage_size = 10240 -# timeout = 900 -# image_uri = "684969100054.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-notify:9" - -# environment_variables = { -# CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id -# LANDING_BUCKET_NAME = module.landing_bucket.s3_bucket_id -# QUARANTINE_BUCKET_NAME = module.quarantine_bucket.s3_bucket_id -# PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id -# GOVUK_NOTIFY_API_KEY_SECRET = "ingestion/govuk-notify/api-key" -# GOVUK_NOTIFY_TEMPLATES_SECRET = "ingestion/govuk-notify/templates" -# } - -# # TODO: Check if KMS key is actually needed below -# attach_policy_statements = true -# policy_statements = { -# kms_access = { -# sid = "AllowKMS" -# effect = "Allow" -# actions = [ -# "kms:ReEncrypt*", -# "kms:GenerateDataKey*", -# "kms:Encrypt", -# "kms:DescribeKey", -# "kms:Decrypt" -# ] -# resources = [ -# module.sns_kms.key_arn, -# module.govuk_notify_kms.key_arn, -# module.supplier_data_kms.key_arn -# ] -# }, -# secretsmanager_access = { -# sid = "AllowSecretsManager" -# effect = "Allow" -# actions = ["secretsmanager:GetSecretValue"] -# resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:ingestion/*"] -# } -# } - -# allowed_triggers = { -# "s3" = { -# principal = "s3.amazonaws.com" -# source_arn = module.quarantine_bucket.s3_bucket_arn -# } -# } -# } - module "transfer_lambda" { #checkov:skip=CKV_TF_1:Module is from Terraform registry source = "terraform-aws-modules/lambda/aws" From 5aff9beae6e9ec0d9d8639696fe2acc9bb77670e Mon Sep 17 00:00:00 2001 
From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 14:36:44 +0000 Subject: [PATCH 10/13] Lambdas done --- .../cloudwatch-event-rules.tf | 4 ++-- .../environment-configuration.tf | 14 ++++++++++++++ .../lambda-functions.tf | 10 +++++----- ...cations.tf.deactivated => s3-notifications.tf} | 15 --------------- .../analytical-platform-ingestion/s3.tf | 8 ++++---- .../transform-iam-roles.tf.deactivated | 4 ---- 6 files changed, 25 insertions(+), 30 deletions(-) rename terraform/environments/analytical-platform-ingestion/{s3-notifications.tf.deactivated => s3-notifications.tf} (66%) diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf index 1a3cae65f35..bfe319d827e 100644 --- a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf +++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-rules.tf @@ -1,4 +1,4 @@ -resource "aws_cloudwatch_event_rule" "ingestion_scanning_definition_update" { - name = "ingestion-scanning-definition-update" +resource "aws_cloudwatch_event_rule" "definition_update" { + name = "definition-update" schedule_expression = "cron(15 6 * * ? *)" # 06:15 every day } diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 72d2000d238..6f48ded10ca 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -11,6 +11,13 @@ locals { /* Observability Platform */ observability_platform = "development" + + /* Image Versions */ + scan_image_version = "0.0.4" + transfer_image_version = "0.0.1" + + /* Target Buckets */ + target_buckets = ["dev-ingestion-testing"] } production = { /* VPC */ 
@@ -22,6 +29,13 @@ locals { /* Observability Platform */ observability_platform = "production" + + /* Image Versions */ + scan_image_version = "0.0.4" + transfer_image_version = "0.0.1" + + /* Target Buckets */ + target_buckets = ["dev-ingestion-testing"] } } } diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf index 722ebd7d7a6..ca17acb89fb 100644 --- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf +++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf @@ -11,7 +11,7 @@ module "definition_upload_lambda" { package_type = "Image" memory_size = 2048 timeout = 900 - image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:0.0.3" + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:${local.environment_configuration.scan_image_version}" environment_variables = { MODE = "definition-upload", @@ -65,7 +65,7 @@ module "scan_lambda" { memory_size = 2048 ephemeral_storage_size = 10240 timeout = 900 - image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:0.0.3" + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:${local.environment_configuration.scan_image_version}" environment_variables = { MODE = "scan", @@ -135,7 +135,7 @@ module "transfer_lambda" { memory_size = 2048 ephemeral_storage_size = 10240 timeout = 900 - image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-transfer:0.0.1" + image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-transfer:${local.environment_configuration.transfer_image_version}" environment_variables = { PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id 
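Review bot: The `production` block receives `target_buckets = ["dev-ingestion-testing"]`, the same test bucket as `development`, so with the `formatlist(...)` change later in this commit the production transfer lambda is granted Get/Put/Delete on a dev testing bucket. Until the production destination is known, an empty list (`target_buckets = []`) leaves the lambda with no destination rather than a wrong one, and a comment such as `/* Target Buckets */ # TODO: production destination not yet agreed` keeps the placeholder visible. The `scan_image_version`/`transfer_image_version` locals keep the tag-based pin in the `image_uri` hunks; a digest per environment would give the same per-environment control with immutability. The `locals` block starts outside the hunk.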
@@ -192,7 +192,7 @@ module "transfer_lambda" { "s3:DeleteObject", "s3:PutObjectTagging" ] - resources = ["arn:aws:s3:::dev-ingestion-testing/*"] # TODO: Update to correct bucket + resources = formatlist("arn:aws:s3:::%s/*", local.environment_configuration.target_buckets) }, s3_destination_bucket = { sid = "AllowDestinationBucket" @@ -200,7 +200,7 @@ module "transfer_lambda" { actions = [ "s3:ListBucket" ] - resources = ["arn:aws:s3:::dev-ingestion-testing"] # TODO: Update to correct bucket + resources = formatlist("arn:aws:s3:::%s", local.environment_configuration.target_buckets) } } diff --git a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf similarity index 66% rename from terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated rename to terraform/environments/analytical-platform-ingestion/s3-notifications.tf index 5376a2d8ddc..8d7352057dc 100644 --- a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf.deactivated +++ b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf @@ -13,21 +13,6 @@ module "ingestion_landing" { } } -module "ingestion_quarantine" { - source = "terraform-aws-modules/s3-bucket/aws//modules/notification" - version = "4.1.0" - - bucket = module.quarantine_bucket.s3_bucket_id - - lambda_notifications = { - ingestion_notify = { - function_name = module.notify_lambda.lambda_function_name - function_arn = module.notify_lambda.lambda_function_arn - events = ["s3:ObjectCreated:*"] - } - } -} - module "ingestion_transfer" { source = "terraform-aws-modules/s3-bucket/aws//modules/notification" version = "4.1.0" diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 9b5d304295d..749f7fd478d 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf 
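Review bot: The `formatlist` change resolves the hard-coded bucket, but if the target buckets live in another account, as a name like `dev-ingestion-testing` suggests, these identity-policy ARNs alone do not grant access: the destination bucket policy must also allow the lambda role, and objects it writes should either be written with `bucket-owner-full-control` or the destination should use `BucketOwnerEnforced` ownership so the receiving account can read them. A comment on `s3_destination_object` stating that assumption, e.g. `# Target buckets are outside this account; their bucket policies must also allow this role`, would save the next person a debugging round. The `transfer_lambda` module starts outside the hunk.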
+++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -2,7 +2,7 @@ module "landing_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "moj-ap-ingestion-${local.environment}-landing" + bucket = "mojap-ingestion-${local.environment}-landing" # TODO: Is this needed below? force_destroy = true @@ -20,7 +20,7 @@ module "quarantine_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "moj-ap-ingestion-${local.environment}-quarantine" + bucket = "mojap-ingestion-${local.environment}-quarantine" # TODO: Is this needed below? force_destroy = true @@ -39,7 +39,7 @@ module "definitions_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "moj-ap-ingestion-${local.environment}-definitions" + bucket = "mojap-ingestion-${local.environment}-definitions" # TODO: Is this needed below? force_destroy = true @@ -59,7 +59,7 @@ module "processed_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.0" - bucket = "moj-ap-ingestion-${local.environment}-processed" + bucket = "mojap-ingestion-${local.environment}-processed" # TODO: Is this needed below? force_destroy = true diff --git a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated index 0d25829f5b6..496d92a70e4 100644 --- a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated +++ b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated @@ -12,8 +12,4 @@ module "transfer_family_service_role" { trusted_role_services = ["transfer.amazonaws.com"] custom_role_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"] - - - # TODO: Tagging - # tags = local.tags } From 2b2cdc1e42579e218d7c422fb239aa507a125f13 Mon Sep 17 00:00:00 2001 
From: Gary H <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 20 Mar 2024 14:48:13 +0000 Subject: [PATCH 11/13] Final first ppas --- .../cloudwatch-event-targets.tf | 5 + .../cloudwatch-event-targets.tf.deactivated | 5 - .../cloudwatch-log-groups.tf | 7 +- .../analytical-platform-ingestion/eips.tf | 3 +- .../lambda-functions.tf | 2 +- .../modules/transfer-family/user/main.tf | 100 ++++++++++++++++++ .../modules/transfer-family/user/variables.tf | 31 ++++++ .../s3-notifications.tf | 4 +- .../transfer-servers.tf | 2 +- ...r-user.tf.deactivated => transfer-user.tf} | 0 ....tf.deactivated => transform-iam-roles.tf} | 0 11 files changed, 145 insertions(+), 14 deletions(-) create mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf delete mode 100644 terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated create mode 100644 terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf create mode 100644 terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf rename terraform/environments/analytical-platform-ingestion/{transfer-user.tf.deactivated => transfer-user.tf} (100%) rename terraform/environments/analytical-platform-ingestion/{transform-iam-roles.tf.deactivated => transform-iam-roles.tf} (100%) diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf new file mode 100644 index 00000000000..39249807af8 --- /dev/null +++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf @@ -0,0 +1,5 @@ +resource "aws_cloudwatch_event_target" "definition_update" { + rule = aws_cloudwatch_event_rule.definition_update.name + target_id = "definition-update" + arn = module.definition_upload_lambda.lambda_function_arn +} 
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated b/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated deleted file mode 100644 index 8e7b9c4baaf..00000000000 --- a/terraform/environments/analytical-platform-ingestion/cloudwatch-event-targets.tf.deactivated +++ /dev/null @@ -1,5 +0,0 @@ -resource "aws_cloudwatch_event_target" "ingestion_scanning_definition_update" { - rule = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.name - target_id = "ingestion_scanning_definition_update" - arn = module.definition_upload_lambda.lambda_function_arn -} diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf index 1b18f04364c..1a41e48d3a8 100644 --- a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf +++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf @@ -1,3 +1,4 @@ -resource "aws_cloudwatch_log_group" "transfer_structured_logs" { - name = "/aws/transfer-structured-logs" -} +# Deactivated for now +# resource "aws_cloudwatch_log_group" "transfer_structured_logs" { +# name = "/aws/transfer-structured-logs" +# } diff --git a/terraform/environments/analytical-platform-ingestion/eips.tf b/terraform/environments/analytical-platform-ingestion/eips.tf index 45498031c92..5f31df297f2 100644 --- a/terraform/environments/analytical-platform-ingestion/eips.tf +++ b/terraform/environments/analytical-platform-ingestion/eips.tf @@ -1,6 +1,5 @@ -# TODO: make this more elegant, use az count resource "aws_eip" "transfer_server" { - count = 3 + count = length(data.aws_availability_zones.available.names) domain = "vpc" } 
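Review bot: Commenting out `aws_cloudwatch_log_group.transfer_structured_logs` removes the structured-log destination for the Transfer Family server, so SFTP session activity on the ingestion endpoint is not recorded unless the server defines another destination, and if `transfer-servers.tf` still references the resource the plan will fail on the dangling reference. The `# Deactivated for now` comment should say why and what re-enables it, e.g. `# Deactivated for now: <reason>; re-enable together with structured_log_destinations on the transfer server`. In `eips.tf`, `count = length(data.aws_availability_zones.available.names)` depends on a `data "aws_availability_zones" "available"` block that is not in this patch; presumably it already exists, but worth confirming, since the count now varies with the account's opted-in AZs.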
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
index ca17acb89fb..8e4f86fb4d5 100644
--- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -46,7 +46,7 @@ module "definition_upload_lambda" {
 allowed_triggers = {
 "eventbridge" = {
 principal = "events.amazonaws.com"
- source_arn = aws_cloudwatch_event_rule.ingestion_scanning_definition_update.arn
+ source_arn = aws_cloudwatch_event_rule.definition_update.arn
 }
 }
 }
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
new file mode 100644
index 00000000000..fc0e7f75edc
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
@@ -0,0 +1,100 @@
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt",
+ ]
+ resources = [var.landing_bucket_kms_key]
+ }
+ # TODO: review the permissions
+ statement {
+ sid = "AllowS3ListBucket"
+ effect = "Allow"
+ actions = ["s3:ListBucket"]
+ resources = [
+ "arn:aws:s3:::${var.landing_bucket}",
+ "arn:aws:s3:::${var.landing_bucket}/${var.name}/*"
+ ]
+ }
+ # TODO: review the permissions
+ statement {
+ sid = "AllowS3ObjectActions"
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = ["arn:aws:s3:::${var.landing_bucket}/${var.name}/*"]
+ }
+}
+
+module "policy" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "5.37.1"
+
+ name_prefix = "transfer-user-${var.name}"
+
+ policy = data.aws_iam_policy_document.this.json
+}
+
+module "role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "5.37.1"
+
+ create_role = true
+
+ role_name = "transfer-user-${var.name}"
+ role_requires_mfa = false
+
+ trusted_role_services = ["transfer.amazonaws.com"]
+
+ custom_role_policy_arns = [module.policy.arn]
+}
+
+resource "aws_transfer_user" "this" {
+ server_id = var.transfer_server
+ user_name = var.name
+ role = module.role.iam_role_arn
+
+ # This doesn't work unless optimised directory is disabled, and that isn't available in Terraform
+ # home_directory_type = "LOGICAL"
+ # home_directory_mappings {
+ # entry = "/upload"
+ # target = "/${var.landing_bucket}/${var.name}/upload"
+ # }
+
+ # home_directory_mappings {
+ # entry = "/download"
+ # target = "/${var.landing_bucket}/${var.name}/download"
+ # }
+
+ # This works
+ home_directory = "/${var.landing_bucket}/${var.name}" # TODO: do we need an SFTP specific landing bucket?
+}
+
+resource "aws_transfer_ssh_key" "this" {
+ server_id = var.transfer_server
+ user_name = aws_transfer_user.this.user_name
+ body = var.ssh_key
+}
+
+resource "aws_security_group_rule" "this" {
+ type = "ingress"
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = var.cidr_blocks
+ security_group_id = var.transfer_server_security_group
+}
+
+resource "aws_secretsmanager_secret" "this" {
+ for_each = toset(["technical-contact", "data-contact", "target-bucket"])
+
+ name = "ingestion/sftp/${var.name}/${each.key}"
+ kms_key_id = var.supplier_data_kms_key
+}
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf
new file mode 100644
index 00000000000..0015ee5558c
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/variables.tf
@@ -0,0 +1,31 @@
+variable "name" {
+ type = string
+}
+
+variable "ssh_key" {
+ type = string
+}
+
+variable "cidr_blocks" {
+ type = list(string)
+}
+
+variable "transfer_server" {
+ type = string
+}
+
+variable "transfer_server_security_group" {
+ type = string
+}
+
+variable "landing_bucket" {
+ type = string
+}
+
+variable "landing_bucket_kms_key" {
+ type = string
+}
+
+variable "supplier_data_kms_key" {
+ type = string
+}
diff --git a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
index 8d7352057dc..66271190cc1 100644
--- a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
+++ b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
@@ -1,4 +1,4 @@
-module "ingestion_landing" {
+module "ingestion_landing_bucket_notification" {
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
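Review bot: The `AllowS3ListBucket` statement in main.tf grants `s3:ListBucket` on the whole of `arn:aws:s3:::${var.landing_bucket}` with no `s3:prefix` condition, so every supplier user created from this module can enumerate every other supplier's prefix in the shared landing bucket; a PATH-type `home_directory` is only where the session starts, it is this IAM policy that bounds what the user can see. The second resource entry (`.../${var.name}/*`) is an object ARN and has no effect on ListBucket, which evaluates against the bucket ARN. I would scope the statement with a prefix condition as below, and cut `actions = ["s3:*"]` in `AllowS3ObjectActions` down to the verbs a supplier needs (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`), since `s3:*` on the prefix also covers `s3:PutObjectAcl`. Separately, `aws_security_group_rule.this` adds an ingress rule for `var.cidr_blocks` on a security group shared by every user of the server, with nothing in the module rejecting `0.0.0.0/0`.
```hcl
  # … unchanged: AllowKMS statement …
  statement {
    sid       = "AllowS3ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.landing_bucket}"]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = [var.name, "${var.name}/*"]
    }
  }
  # … unchanged: AllowS3ObjectActions statement and the rest of the module …
```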
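Review bot: None of the eight variables in variables.tf carries a `description`, and `cidr_blocks`, which main.tf turns directly into the ingress source on the server's security group, has no `validation` block. Each variable should at least say what it is the ID/ARN of and who supplies it, e.g. `description = "Source CIDR ranges permitted to reach the Transfer Family server on port 2222 for this user"` and, for `ssh_key`, that it is the supplier's SSH public key; `cidr_blocks` would benefit from a validation rule that rejects `0.0.0.0/0` and `::/0` so a wide-open rule cannot be created by accident.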
@@ -13,7 +13,7 @@ module "ingestion_landing" {
 }
 }
-module "ingestion_transfer" {
+module "ingestion_transfer_bucket_notification" {
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
index 519b2ac7cfe..6d42123e120 100644
--- a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
+++ b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
@@ -24,7 +24,7 @@ resource "aws_transfer_server" "this" {
 # Logging role is only required when using Managed workflows.
 # logging_role = module.transfer_family_service_role.iam_role_arn
- structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
+ # structured_log_destinations = ["${aws_cloudwatch_log_group.transfer_structured_logs.arn}:*"]
 }
 resource "aws_transfer_tag" "this" {
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transfer-user.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/transfer-user.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/transfer-user.tf
diff --git a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
similarity index 100%
rename from terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf.deactivated
rename to terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
From 60f1fb7c0c4303eaf4fd063243e7f00f4b3ce5c7 Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 15:35:22 +0000
Subject: [PATCH 12/13] Tagging
---
 .../environments/analytical-platform-ingestion/eips.tf | 7 +++++++
 .../analytical-platform-ingestion/lambda-functions.tf | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/analytical-platform-ingestion/eips.tf b/terraform/environments/analytical-platform-ingestion/eips.tf
index 5f31df297f2..f0977ee4805 100644
--- a/terraform/environments/analytical-platform-ingestion/eips.tf
+++ b/terraform/environments/analytical-platform-ingestion/eips.tf
@@ -2,4 +2,11 @@ resource "aws_eip" "transfer_server" {
 count = length(data.aws_availability_zones.available.names)
 domain = "vpc"
+
+ tags = merge(
+ local.tags,
+ {
+ Name = "${local.application_name}-${local.environment}-transfer-server"
+ }
+ )
 }
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
index 8e4f86fb4d5..48642bcbd76 100644
--- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -129,7 +129,7 @@ module "transfer_lambda" {
 publish = true
 create_package = false
- function_name = "ingestion-transfer"
+ function_name = "transfer"
 description = ""
 package_type = "Image"
 memory_size = 2048
From 6dc7dd4de57378c134030bd570121d066fee745a Mon Sep 17 00:00:00 2001
From: Gary H <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 20 Mar 2024 16:16:14 +0000
Subject: [PATCH 13/13] Variabilise Transfer Server hostname
---
 .../environment-configuration.tf | 6 ++++++
 .../analytical-platform-ingestion/transfer-servers.tf | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
index 6f48ded10ca..0fd1842c041 100644
--- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
+++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
@@ -18,6 +18,9 @@ locals {
 /* Target Buckets */
 target_buckets = ["dev-ingestion-testing"]
+
+ /* Transfer Server */
+ transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk"
 }
 production = {
 /* VPC */
@@ -36,6 +39,9 @@ locals {
 /* Target Buckets */
 target_buckets = ["dev-ingestion-testing"]
+
+ /* Transfer Server */
+ transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk"
 }
 }
 }
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
index 6d42123e120..4ac1650b835 100644
--- a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
+++ b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
@@ -30,5 +30,5 @@ resource "aws_transfer_server" "this" {
 resource "aws_transfer_tag" "this" {
 resource_arn = aws_transfer_server.this.arn
 key = "aws:transfer:customHostname"
- value = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk"
+ value = local.environment_configuration.transfer_server_hostname
 }
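Review bot: The new `transfer_server_hostname` in the `production` block (second hunk of environment-configuration.tf) is added directly under `target_buckets = ["dev-ingestion-testing"]`, so production now advertises a production SFTP hostname while still delivering supplier data to a development bucket; if that is a placeholder it should say so, e.g. `target_buckets = ["dev-ingestion-testing"] # TODO: replace with the production target bucket before go-live`. The hostname values only feed the `aws:transfer:customHostname` tag in the transfer-servers.tf hunk; nothing in this series shows the matching DNS record, so whether the names resolve presumably depends on configuration outside this repository. The enclosing `locals` block begins and ends outside both hunks.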