CCM-12481 migrating the S3 quarantine bucket up to the acct component

infrastructure/terraform/components/acct/README.md

@@ -36,13 +36,15 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
 | <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
 | <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-obs-datasource.zip | n/a |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_artefacts"></a> [s3bucket\_artefacts](#module\_s3bucket\_artefacts) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_artefacts_us_east_1"></a> [s3bucket\_artefacts\_us\_east\_1](#module\_s3bucket\_artefacts\_us\_east\_1) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_data_migration_backups"></a> [s3bucket\_data\_migration\_backups](#module\_s3bucket\_data\_migration\_backups) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 | <a name="module_sandbox_ses"></a> [sandbox\_ses](#module\_sandbox\_ses) | ../../modules/ses | n/a |
 | <a name="module_ses_testing"></a> [ses\_testing](#module\_ses\_testing) | ../../modules/acct-ses-testing | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |

infrastructure/terraform/components/acct/data_iam_policy_document_kms.tf

@@ -0,0 +1,148 @@
+data "aws_iam_policy_document" "kms" {
+  # '*' resource scope is permitted in access policies as as the resource is itself
+  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
+
+  statement {
+    sid    = "AllowCloudWatchEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "logs.${var.region}.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowS3"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "s3.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowSES"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "ses.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowLogDeliveryEncrypt"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "delivery.logs.amazonaws.com"
+      ]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "kms:EncryptionContext:SourceArn"
+
+      values = [
+        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
+}

infrastructure/terraform/components/acct/module_kms.tf

@@ -0,0 +1,20 @@
+module "kms" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip"
+
+  providers = {
+    aws           = aws
+    aws.us-east-1 = aws.us-east-1
+  }
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+
+  name                 = "main"
+  deletion_window      = var.kms_deletion_window
+  alias                = "alias/${local.csi}"
+  key_policy_documents = [data.aws_iam_policy_document.kms.json]
+  iam_delegation       = true
+}

infrastructure/terraform/modules/backend-api/module_s3bucket_quarantine.tf → infrastructure/terraform/components/acct/module_s3bucket_quarantine.tf

@@ -1,5 +1,5 @@
 module "s3bucket_quarantine" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip"
 
   name = "quarantine"
 
@@ -9,7 +9,7 @@ module "s3bucket_quarantine" {
   environment    = var.environment
   component      = var.component
 
-  kms_key_arn = var.kms_key_arn
+  kms_key_arn = module.kms.key_arn
 
   notification_events = {
     eventbridge = true

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -21,152 +21,3 @@ module "kms_sandbox" {
 
   key_policy_documents = [data.aws_iam_policy_document.kms.json]
 }
-
-data "aws_iam_policy_document" "kms" {
-  # '*' resource scope is permitted in access policies as as the resource is itself
-  # https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html
-
-  statement {
-    sid    = "AllowCloudWatchEncrypt"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "logs.${var.region}.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-
-    condition {
-      test     = "ArnLike"
-      variable = "kms:EncryptionContext:aws:logs:arn"
-
-      values = [
-        "arn:aws:logs:${var.region}:${var.aws_account_id}:log-group:*",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowS3"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "s3.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid    = "AllowSES"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "ses.amazonaws.com",
-      ]
-    }
-
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*"
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid    = "AllowLogDeliveryEncrypt"
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-
-      identifiers = [
-        "delivery.logs.amazonaws.com"
-      ]
-    }
-
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey*",
-    ]
-
-    resources = [
-      "*",
-    ]
-
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:SourceArn"
-
-      values = [
-        "arn:aws:logs:${var.region}:${var.aws_account_id}:*",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["events.amazonaws.com"]
-    }
-
-    actions = [
-      "kms:GenerateDataKey*",
-      "kms:Decrypt",
-    ]
-
-    resources = ["*"]
-
-    condition {
-      test     = "ArnLike"
-      variable = "kms:EncryptionContext:aws:sqs:arn"
-      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
-    }
-
-    condition {
-      test     = "ArnLike"
-      variable = "aws:SourceArn"
-      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
-    }
-  }
-}

infrastructure/terraform/components/acct/outputs.tf

@@ -32,6 +32,11 @@ output "s3_buckets" {
       bucket = module.s3bucket_backup_reports.bucket
       id     = module.s3bucket_backup_reports.id
     }
+    quarantine = {
+      arn    = module.s3bucket_quarantine.arn
+      bucket = module.s3bucket_quarantine.bucket
+      id     = module.s3bucket_quarantine.id
+    }
   }
 }
 

infrastructure/terraform/components/app/module_backend_api.tf

@@ -14,6 +14,7 @@ module "backend_api" {
   kms_key_arn             = module.kms.key_arn
   parent_acct_environment = var.parent_acct_environment
   function_s3_bucket      = local.acct.s3_buckets["artefacts"]["id"]
+  quarantine_s3_bucket    = local.acct.s3_buckets["quarantine"]["id"]
 
   cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn
 

infrastructure/terraform/modules/backend-api/README.md

@@ -29,6 +29,7 @@ No requirements.
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_proof_requested_sender_email_address"></a> [proof\_requested\_sender\_email\_address](#input\_proof\_requested\_sender\_email\_address) | Proof requested sender email address | `string` | n/a | yes |
+| <a name="input_quarantine_s3_bucket"></a> [quarantine\_s3\_bucket](#input\_quarantine\_s3\_bucket) | Guardduty Quarantine bucket id/name | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_send_to_firehose"></a> [send\_to\_firehose](#input\_send\_to\_firehose) | Flag indicating whether logs should be sent to firehose | `bool` | n/a | yes |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | SNS topic ARN | `string` | `null` | no |
@@ -55,7 +56,6 @@ No requirements.
 | <a name="module_request_proof_lambda"></a> [request\_proof\_lambda](#module\_request\_proof\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_download"></a> [s3bucket\_download](#module\_s3bucket\_download) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_template_table_events_pipe_dlq"></a> [sqs\_template\_table\_events\_pipe\_dlq](#module\_sqs\_template\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |

infrastructure/terraform/modules/backend-api/data_s3_bucket.tf

@@ -0,0 +1,3 @@
+data "aws_s3_bucket" "quarantine" {
+  bucket = var.quarantine_s3_bucket
+}