From bf32f5eb31dfc55c81c1bc9c9c963167305647e6 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Mon, 22 Dec 2025 13:58:38 +0000
Subject: [PATCH 1/3] CCM-13611: Allow access to Core PDF pipeline bucket for getletterdata lambda
---
 .../terraform/components/api/locals.tf | 3 ++
 .../api/module_lambda_get_letter_data.tf | 36 +++++++++++++++++--
 .../terraform/components/api/variables.tf | 12 +++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index bfadfd30..2b206fd5 100644
--- a/infrastructure/terraform/components/api/locals.tf
+++ b/infrastructure/terraform/components/api/locals.tf
@@ -28,4 +28,7 @@ locals {
 APIM_CORRELATION_HEADER = "nhsd-correlation-id",
 DOWNLOAD_URL_TTL_SECONDS = 60
 }
+
+core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
index a1ac8ef7..ae0f920f 100644
--- a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
+++ b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
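Review bot: `core_pdf_bucket_arn` hard-codes `eu-west-2` in the bucket name while the KMS key ARN added for the same Core access in module_lambda_get_letter_data.tf is built from `var.region`, so a deployment to any other region would grant the lambda a bucket in one region and a key in another. If the Core bucket name follows the deployment region, `core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-${var.region}-${var.core_environment}-api-stg-pdf-pipeline"` keeps the two consistent; if the bucket really is pinned to eu-west-2, a comment such as `# Core PDF pipeline bucket exists only in eu-west-2` stops the next reader from "fixing" it. A one-line comment explaining that `api-stg` is a fixed part of the Core bucket name, independent of `var.core_environment`, would also help, since the default environment is `prod`.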
@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
 ]
 }
 
+ statement {
+ sid = "S3ListBucketForPresign"
+ actions = [
+ "s3:ListBucket"
+ ]
+ resources = [
+ module.s3bucket_test_letters.arn,
+ local.core_pdf_bucket_arn
+ ]
+ }
+
 statement {
 sid = "S3GetObjectForPresign"
 actions = [
 "s3:GetObject",
- "s3:ListBucket"] # allows 404 response instead of 403 if object missing
- resources = ["${module.s3bucket_test_letters.arn}/*"]
+ "s3:PutObject",
+ ] # allows 404 response instead of 403 if object missing
+ resources = [
+ "${module.s3bucket_test_letters.arn}/*",
+ "${local.core_pdf_bucket_arn}/*",
+ ]
+ }
+
+ statement {
+ sid = "KMSForCoreS3Access"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ]
+ resources = [
+ "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+ ]
+ condition {
+ test = "ForAnyValue:StringEquals"
+ variable = "kms:ResourceAliases"
+ values = [local.core_s3_kms_key_alias_name]
+ }
 }
 }
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
index 5c3bb9a8..eddc2554 100644
--- a/infrastructure/terraform/components/api/variables.tf
+++ b/infrastructure/terraform/components/api/variables.tf
@@ -134,3 +134,15 @@ variable "eventpub_control_plane_bus_arn" {
 description = "ARN of the EventBridge control plane bus for eventpub"
 default = ""
 }
+
+variable "core_account_id" {
+ type = string
+ description = "AWS Account ID for Core"
+ default = "000000000000"
+}
+
+variable "core_environment" {
+ type = string
+ description = "Environment of Core"
+ default = "prod"
+}
From a420f2730bed551bde902edb8b08c959073e631d Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Mon, 22 Dec 2025 14:36:54 +0000
Subject: [PATCH 2/3] CCM-13611: Allow access to Core PDF pipeline bucket for getletterdata lambda
---
 .github/workflows/stage-1-commit.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
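Review bot: `s3:PutObject` is added to the `S3GetObjectForPresign` statement, which gives a lambda whose purpose is reading letter data write access to both the test-letters bucket and the Core PDF pipeline bucket, while the commit title only describes allowing access for getletterdata. If writes are genuinely required they belong in a separate statement with their own sid and a comment naming the code path that performs them; if not, dropping that line (and `kms:GenerateDataKey`, which is only needed to encrypt newly written objects) keeps the cross-account grant read-only. The comment `# allows 404 response instead of 403 if object missing` now trails a list that no longer contains `s3:ListBucket`; it should move to the new `S3ListBucketForPresign` statement, which is where that behaviour actually comes from. The `key/*` KMS resource is reasonably narrowed by the `kms:ResourceAliases` condition, but it is worth a comment that it matches any key in the Core account carrying that alias rather than one specific key id.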
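Review bot: `core_account_id` defaults to the placeholder `"000000000000"` and `core_environment` to `"prod"`, so a deployment that forgets to set them silently produces an IAM policy naming a non-existent account with a production bucket name instead of failing at plan time. Because both values feed resource ARNs in the lambda's policy, removing the defaults, or adding a `validation` block whose condition is `can(regex("^[0-9]{12}$", var.core_account_id))` with an error message explaining that a real Core account id is required, turns a missing value into an error rather than a wrong grant. The descriptions could also say which system "Core" is, e.g. `description = "AWS account ID of the Core account that owns the PDF pipeline bucket"`.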
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index 44921ed9..6063d464 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -152,9 +152,16 @@ jobs:
 timeout-minutes: 10
 needs: detect-terraform-changes
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
+ - name: Setup NodeJS
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.nodejs_version }}
+ registry-url: 'https://npm.pkg.github.com'
 - name: "Setup ASDF"
 uses: asdf-vm/actions/setup@v4
 - name: "Perform Setup"
From 78a448a9aea1c4183778725d7aeca32844cde49d Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 23 Dec 2025 11:33:05 +0000
Subject: [PATCH 3/3] CCM-13611: Allow access to Core PDF pipeline bucket for getletterdata lambda
---
 .../api/event_source_mapping_letter_updates.tf | 12 ++++++------
 infrastructure/terraform/components/api/locals.tf | 4 ++--
 .../components/api/module_lambda_get_letter_data.tf | 10 +++++-----
 infrastructure/terraform/components/api/variables.tf | 2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf b/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
index 219b01ad..5b83a9f2 100644
--- a/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
+++ b/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
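Review bot: `NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is set in the job-level `env:`, so the token is exported into the environment of every step in the job, including the third-party `asdf-vm/actions/setup@v4` step and whatever "Perform Setup" runs, not only the step that talks to the GitHub Packages registry. Moving that `env:` onto the step that installs from `https://npm.pkg.github.com` limits what a compromised or misbehaving action can read. The job definition begins outside the hunk, so I cannot see whether its `permissions:` grants `packages: read`, which `GITHUB_TOKEN` needs for that registry; if permissions are restricted elsewhere in the workflow this will fail at install time. `${{ inputs.nodejs_version }}` presumably relies on a `workflow_call` input declared above the hunk; an undeclared input renders as an empty string and setup-node would then silently fall back to its default version, so that is worth confirming.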
@@ -1,11 +1,11 @@
 resource "aws_lambda_event_source_mapping" "letter_updates_transformer_kinesis" {
- event_source_arn = aws_kinesis_stream.letter_change_stream.arn
- function_name = module.letter_updates_transformer.function_arn
- starting_position = "LATEST"
- batch_size = 10
- maximum_batching_window_in_seconds = 1
+ event_source_arn = aws_kinesis_stream.letter_change_stream.arn
+ function_name = module.letter_updates_transformer.function_arn
+ starting_position = "LATEST"
+ batch_size = 10
+ maximum_batching_window_in_seconds = 1
 
 depends_on = [
- module.letter_updates_transformer # ensures updates transformer exists
+ module.letter_updates_transformer # ensures updates transformer exists
 ]
 }
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index 2b206fd5..683156a0 100644
--- a/infrastructure/terraform/components/api/locals.tf
+++ b/infrastructure/terraform/components/api/locals.tf
@@ -29,6 +29,6 @@ locals {
 DOWNLOAD_URL_TTL_SECONDS = 60
 }
 
-core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
-core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
+ core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+ core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
index ae0f920f..1116336e 100644
--- a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
+++ b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
@@ -71,12 +71,12 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
 statement {
 sid = "S3ListBucketForPresign"
 actions = [
- "s3:ListBucket"
+ "s3:ListBucket"
 ]
 resources = [
 module.s3bucket_test_letters.arn,
 local.core_pdf_bucket_arn
- ]
+ ]
 }
 
 statement {
@@ -88,7 +88,7 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
 resources = [
 "${module.s3bucket_test_letters.arn}/*",
 "${local.core_pdf_bucket_arn}/*",
- ]
+ ]
 }
 
 statement {
@@ -102,9 +102,9 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
 "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
 ]
 condition {
- test = "ForAnyValue:StringEquals"
+ test = "ForAnyValue:StringEquals"
 variable = "kms:ResourceAliases"
- values = [local.core_s3_kms_key_alias_name]
+ values = [local.core_s3_kms_key_alias_name]
 }
 }
 }
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
index eddc2554..d3843a29 100644
--- a/infrastructure/terraform/components/api/variables.tf
+++ b/infrastructure/terraform/components/api/variables.tf
@@ -142,7 +142,7 @@ variable "core_account_id" {
 }
 
 variable "core_environment" {
- type = string
+ type = string
 description = "Environment of Core"
 default = "prod"
 }