From 6241ea7e7b31296956477b311ca8879d14d1a173 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 09:18:51 +0000 Subject: [PATCH 01/35] change file name --- .../region/modules/event_bus/bus.tf | 59 +++++++++++ .../region/modules/event_bus/main.tf | 100 ------------------ 2 files changed, 59 insertions(+), 100 deletions(-) create mode 100644 terraform/environment/region/modules/event_bus/bus.tf delete mode 100644 terraform/environment/region/modules/event_bus/main.tf diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf new file mode 100644 index 0000000000..30f557ed14 --- /dev/null +++ b/terraform/environment/region/modules/event_bus/bus.tf 
@@ -0,0 +1,59 @@
+resource "aws_cloudwatch_event_bus" "main" {
+ count = var.event_bus_enabled ? 1 : 0
+ name = var.environment_name
+ provider = aws.region
+}
+
+resource "aws_cloudwatch_event_archive" "main" {
+ count = var.event_bus_enabled ? 1 : 0
+ name = var.environment_name
+ event_source_arn = aws_cloudwatch_event_bus.main[0].arn
+ provider = aws.region
+}
+
+
+resource "aws_cloudwatch_event_rule" "receive_events_from_mlpa" {
+ count = var.event_bus_enabled ? 1 : 0
+ name = "${var.environment_name}-mlpa-events-to-use"
+ description = "Receive events from mlpa"
+ event_bus_name = aws_cloudwatch_event_bus.main[0].name
+
+ event_pattern = jsonencode({
+ source = ["opg.poas.makeregister"],
+ detail-type = ["lpa-access-granted"]
+ })
+
+ provider = aws.region
+}
+
+resource "aws_cloudwatch_event_bus_policy" "cross_account_receive" {
+ count = length(var.receive_account_ids) > 0 ? 1 : 0
+ event_bus_name = aws_cloudwatch_event_bus.main.name
+ policy = data.aws_iam_policy_document.cross_account_receive.json
+ provider = aws.region
+}
+
+# Allow MLPA account to send messages
+data "aws_iam_policy_document" "cross_account_receive" {
+ statement {
+ sid = "CrossAccountAccess"
+ effect = "Allow"
+ actions = [
+ "events:PutEvents",
+ ]
+ resources = [
+ aws_cloudwatch_event_bus.main.arn
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = var.receive_account_ids
+ }
+ }
+}
+
+resource "aws_cloudwatch_event_target" "receive_events" {
+ count = var.event_bus_enabled ? 1 : 0
+ rule = aws_cloudwatch_event_rule.receive_events_from_mlpa[0].name
+ arn = aws_sqs_queue.receive_events_queue.arn
+}
diff --git a/terraform/environment/region/modules/event_bus/main.tf b/terraform/environment/region/modules/event_bus/main.tf
deleted file mode 100644
index 8e8711d41e..0000000000
--- a/terraform/environment/region/modules/event_bus/main.tf
+++ /dev/null
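Review bot: The `cross_account_receive` policy document grants `events:PutEvents` to every principal in each account listed in `var.receive_account_ids` with no condition, so any role in those accounts can publish events of any source or detail-type onto this bus, while the rule above only expects source `opg.poas.makeregister`. Adding a condition on the `events:source` key keeps the cross-account trust as narrow as the rule's own pattern. The `aws_cloudwatch_event_archive` is also created without `retention_days`, which retains every received event indefinitely; if these events carry LPA data, set an explicit retention such as `retention_days = <RETENTION_DAYS>` (placeholder) and, ideally, an `event_pattern` matching the rule so the archive holds only what the bus is meant to receive.
```hcl
data "aws_iam_policy_document" "cross_account_receive" {
  statement {
    # … unchanged: sid, effect, actions, resources, principals …

    # Only accept events from the source the receive rule consumes.
    condition {
      test     = "StringEquals"
      variable = "events:source"
      values   = ["opg.poas.makeregister"]
    }
  }
}
```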
@@ -1,100 +0,0 @@ -resource "aws_cloudwatch_event_bus" "main" { - count = var.event_bus_enabled ? 1 : 0 - name = var.environment_name - provider = aws.region -} - -resource "aws_cloudwatch_event_archive" "main" { - count = var.event_bus_enabled ? 1 : 0 - name = var.environment_name - event_source_arn = aws_cloudwatch_event_bus.main[0].arn - provider = aws.region -} - -resource "aws_cloudwatch_event_rule" "receive_events_mlpa" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-mlpa-events-to-use" - description = "receive events from mlpa" - event_bus_name = aws_cloudwatch_event_bus.main[0].name - - event_pattern = jsonencode({ - source = ["opg.poas.makeregister"], - }) - provider = aws.region -} - -data "aws_kms_alias" "sqs" { - name = "alias/sqs-mrk" - provider = aws.region -} - -resource "aws_sqs_queue" "receive_events_queue" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-receive-events-queue" - kms_master_key_id = data.aws_kms_alias.sqs.target_key_id - kms_data_key_reuse_period_seconds = 300 - - visibility_timeout_seconds = 300 - - redrive_policy = jsonencode({ - deadLetterTargetArn = aws_sqs_queue.receive_events_deadletter[0].arn - maxReceiveCount = 3 - }) - policy = data.aws_iam_policy_document.receive_events_queue_policy[0].json - - provider = aws.region -} - -data "aws_iam_policy_document" "receive_events_queue_policy" { - count = var.event_bus_enabled ? 1 : 0 - statement { - sid = "${var.current_region}-ReceiveFromMLPA" - effect = "Allow" - - principals { - type = "Service" - identifiers = ["events.amazonaws.com"] - } - - actions = ["sqs:SendMessage"] - resources = ["*"] - - condition { - test = "ArnEquals" - variable = "aws:SourceArn" - values = [ - aws_cloudwatch_event_rule.receive_events_mlpa[0].arn - ] - } - } -} - -resource "aws_sqs_queue" "receive_events_deadletter" { - count = var.event_bus_enabled ? 
1 : 0 - name = "${var.environment_name}-receive-events-deadletter" - kms_master_key_id = data.aws_kms_alias.sqs.target_key_id - kms_data_key_reuse_period_seconds = 300 - provider = aws.region -} - -resource "aws_sqs_queue_redrive_allow_policy" "receive_events_redrive_allow_policy" { - count = var.event_bus_enabled ? 1 : 0 - queue_url = aws_sqs_queue.receive_events_deadletter[0].id - - redrive_allow_policy = jsonencode({ - redrivePermission = "byQueue", - sourceQueueArns = [aws_sqs_queue.receive_events_queue[0].arn] - }) - provider = aws.region -} - -/* -resource "aws_lambda_event_source_mapping" "reveive_events_mapping" { - count = var.event_bus_enabled ? 1 : 0 - event_source_arn = aws_sqs_queue.receive_events_queue[0].arn - enabled = false - function_name = var.ingress_lambda_name - batch_size = 10 - provider = aws.region -} -*/ From 4f1b147b7174b44de1d77e723006a206242dc8dd Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 09:19:57 +0000 Subject: [PATCH 02/35] add sqs and variables --- .../region/modules/event_bus/sqs.tf | 73 +++++++++++++++++++ .../region/modules/event_bus/variables.tf | 9 ++- 2 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 terraform/environment/region/modules/event_bus/sqs.tf diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf new file mode 100644 index 0000000000..3fe5737194 --- /dev/null +++ b/terraform/environment/region/modules/event_bus/sqs.tf 
@@ -0,0 +1,73 @@ +data "aws_kms_alias" "sqs" { + name = "alias/sqs-mrk" + provider = aws.region +} + +resource "aws_sqs_queue" "receive_events_queue" { + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-queue" + kms_master_key_id = data.aws_kms_alias.sqs.target_key_id + kms_data_key_reuse_period_seconds = 300 + + visibility_timeout_seconds = 300 + + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.receive_events_deadletter[0].arn + maxReceiveCount = 3 + }) + + policy = data.aws_iam_policy_document.receive_events_queue_policy[0].json + + provider = aws.region +} + +resource "aws_sqs_queue" "receive_events_deadletter" { + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-deadletter" + kms_master_key_id = data.aws_kms_alias.sqs.target_key_id + kms_data_key_reuse_period_seconds = 300 + provider = aws.region +} + +resource "aws_sqs_queue_redrive_allow_policy" "receive_events_redrive_allow_policy" { + count = var.event_bus_enabled ? 1 : 0 + queue_url = aws_sqs_queue.receive_events_deadletter[0].id + + redrive_allow_policy = jsonencode({ + redrivePermission = "byQueue", + sourceQueueArns = [aws_sqs_queue.receive_events_queue[0].arn] + }) + provider = aws.region +} + +data "aws_iam_policy_document" "receive_events_queue_policy" { + count = var.event_bus_enabled ? 1 : 0 + statement { + sid = "${var.current_region}-ReceiveFromMLPA" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["events.amazonaws.com"] + } + + actions = ["sqs:SendMessage"] + resources = ["*"] + + condition { + test = "ArnEquals" + variable = "aws:SourceArn" + values = [ + aws_cloudwatch_event_rule.receive_events_from_mlpa[0].arn + ] + } + } +} + +resource "aws_lambda_event_source_mapping" "receive_events_mapping" { + count = var.event_bus_enabled ? 
1 : 0 + event_source_arn = aws_sqs_queue.receive_events_queue.arn + function_name = var.lambda_function_name + enabled = true + provider = aws.region +} diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf index c1bb1610a2..4ee3c7d48a 100644 --- a/terraform/environment/region/modules/event_bus/variables.tf +++ b/terraform/environment/region/modules/event_bus/variables.tf @@ -9,14 +9,17 @@ variable "event_bus_enabled" { default = false } -/* -variable "ingress_lambda_name" { +variable "lambda_function_name" { description = "The name of the ingress lambda" type = string } -*/ variable "current_region" { description = "The current region" type = string } + +variable "receive_account_ids" { + description = "The account ids that can send events to the event bus" + type = list(string) +} From 09e4c27c3f579a2eb4810c78f2c09bcd5f89c535 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 10:38:33 +0000 Subject: [PATCH 03/35] update variable names --- terraform/environment/modules/lambda/outputs.tf | 5 +++++ terraform/environment/region.tf | 4 ++++ terraform/environment/region/event_bus.tf | 10 ++++++---- .../environment/region/modules/event_bus/bus.tf | 6 +++--- .../environment/region/modules/event_bus/sqs.tf | 4 ++-- .../region/modules/event_bus/variables.tf | 5 +++-- terraform/environment/region/variables.tf | 11 +++++++++++ terraform/environment/terraform.tfvars.json | 15 +++++++++++++++ terraform/environment/variables.tf | 1 + 9 files changed, 50 insertions(+), 11 deletions(-) diff --git a/terraform/environment/modules/lambda/outputs.tf b/terraform/environment/modules/lambda/outputs.tf index 9b6894875d..2bb0c98882 100644 --- a/terraform/environment/modules/lambda/outputs.tf +++ b/terraform/environment/modules/lambda/outputs.tf 
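Review bot: The dead-letter queue `receive_events_deadletter` is created without `message_retention_seconds`, so messages that exhaust `maxReceiveCount = 3` are kept only for the SQS default retention period (4 days) before being discarded, which can be shorter than the time it takes to notice and investigate a poisoned event. Setting `message_retention_seconds = 1209600` (the 14-day maximum) on the dead-letter queue gives the most room for triage. The `resources = ["*"]` in `receive_events_queue_policy` is acceptable only because the document is attached inline to the queue and further restricted by the `aws:SourceArn` condition; a comment above it, `# "*" is scoped to this queue by the inline attachment; the SourceArn condition restricts the sender to the receive rule`, would save the next reader from flagging it. The `receive_events_mapping` resource at the end of the hunk references `aws_sqs_queue.receive_events_queue.arn` without an index although the queue has `count`; a later commit in this series corrects that.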
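Review bot: `receive_account_ids` is fed straight into the `AWS` principal of the cross-account bus policy, but the variable accepts any list of strings, so a typo or an ARN pasted by mistake only surfaces as a provider error at apply time. A `validation` block constraining each element to a 12-digit account id makes the trust list fail fast at plan time. The `lambda_function_name` description still reads "The name of the ingress lambda", which no longer matches the variable's name; consider `description = "The name of the lambda that consumes events received from MLPA"`.
```hcl
variable "receive_account_ids" {
  description = "The account ids that can send events to the event bus"
  type        = list(string)

  validation {
    condition     = alltrue([for id in var.receive_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "receive_account_ids must contain 12-digit AWS account IDs."
  }
}
```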
@@ -12,3 +12,8 @@ output "lambda_role" { description = "The lambda role" value = aws_iam_role.lambda_role } + +output "lambda_name" { + description = "The lambda name" + value = aws_lambda_function.lambda_function.function_name +} diff --git a/terraform/environment/region.tf b/terraform/environment/region.tf index 1f5bad5cd9..67dc8829a5 100644 --- a/terraform/environment/region.tf +++ b/terraform/environment/region.tf @@ -20,6 +20,7 @@ module "eu_west_1" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled + event_receiver_lambda_name = module.event_receiver.lambda_name google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name @@ -33,6 +34,7 @@ module "eu_west_1" { lpa_codes_endpoint = local.environment.lpa_codes_endpoint lpas_collection_endpoint = local.environment.lpas_collection_endpoint lpa_data_store_endpoint = local.environment.lpa_data_store_endpoint + receive_account_ids = local.environment.receive_account_ids mock_onelogin_enabled = local.environment.mock_onelogin_enabled mock_onelogin_service_container_version = local.mock_onelogin_version mock_onelogin_service_repository_url = data.aws_ecr_repository.mock_onelogin.repository_url @@ -108,6 +110,7 @@ module "eu_west_2" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled + event_receiver_lambda_name = module.event_receiver.lambda_name google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name 
@@ -121,6 +124,7 @@ module "eu_west_2" { lpa_codes_endpoint = local.environment.lpa_codes_endpoint lpas_collection_endpoint = local.environment.lpas_collection_endpoint lpa_data_store_endpoint = local.environment.lpa_data_store_endpoint + receive_account_ids = local.environment.receive_account_ids mock_onelogin_enabled = local.environment.mock_onelogin_enabled mock_onelogin_service_container_version = local.mock_onelogin_version mock_onelogin_service_repository_url = data.aws_ecr_repository.mock_onelogin.repository_url diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf index 264fe0b882..5ef9c8947a 100644 --- a/terraform/environment/region/event_bus.tf +++ b/terraform/environment/region/event_bus.tf @@ -1,8 +1,10 @@ module "event_bus" { - source = "./modules/event_bus" - environment_name = var.environment_name - event_bus_enabled = var.event_bus_enabled - current_region = data.aws_region.current.name + source = "./modules/event_bus" + environment_name = var.environment_name + event_bus_enabled = var.event_bus_enabled + current_region = data.aws_region.current.name + receive_account_ids = var.receive_account_ids + event_receiver_lambda_name = var.event_receiver_lambda_name providers = { aws.region = aws.region } diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index 30f557ed14..626070fd05 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf +++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -28,7 +28,7 @@ resource "aws_cloudwatch_event_rule" "receive_events_from_mlpa" { resource "aws_cloudwatch_event_bus_policy" "cross_account_receive" { count = length(var.receive_account_ids) > 0 ? 1 : 0 - event_bus_name = aws_cloudwatch_event_bus.main.name + event_bus_name = aws_cloudwatch_event_bus.main[0].name policy = data.aws_iam_policy_document.cross_account_receive.json provider = aws.region } 
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "cross_account_receive" { "events:PutEvents", ] resources = [ - aws_cloudwatch_event_bus.main.arn + aws_cloudwatch_event_bus.main[0].arn ] principals { @@ -55,5 +55,5 @@ data "aws_iam_policy_document" "cross_account_receive" { resource "aws_cloudwatch_event_target" "receive_events" { count = var.event_bus_enabled ? 1 : 0 rule = aws_cloudwatch_event_rule.receive_events_from_mlpa[0].name - arn = aws_sqs_queue.receive_events_queue.arn + arn = aws_sqs_queue.receive_events_queue[0].arn } diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 3fe5737194..56009ab6e8 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -66,8 +66,8 @@ data "aws_iam_policy_document" "receive_events_queue_policy" { resource "aws_lambda_event_source_mapping" "receive_events_mapping" { count = var.event_bus_enabled ? 1 : 0 - event_source_arn = aws_sqs_queue.receive_events_queue.arn - function_name = var.lambda_function_name + event_source_arn = aws_sqs_queue.receive_events_queue[0].arn + function_name = var.event_receiver_lambda_name enabled = true provider = aws.region } diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf index 4ee3c7d48a..1ae7cad034 100644 --- a/terraform/environment/region/modules/event_bus/variables.tf +++ b/terraform/environment/region/modules/event_bus/variables.tf @@ -9,11 +9,12 @@ variable "event_bus_enabled" { default = false } -variable "lambda_function_name" { - description = "The name of the ingress lambda" +variable "event_receiver_lambda_name" { + description = "The name of the ingress from MLPA lambda" type = string } + variable "current_region" { description = "The current region" type = string 
diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf index a1bf332c49..19ec453163 100644 --- a/terraform/environment/region/variables.tf +++ b/terraform/environment/region/variables.tf @@ -112,6 +112,12 @@ variable "event_bus_enabled" { default = false } +variable "event_receiver_lambda_name" { + description = "The name of the event receiver lambda." + type = string + default = "" +} + variable "feature_flags" { description = "The feature flags to use." type = map(string) @@ -183,6 +189,11 @@ variable "load_balancer_deletion_protection_enabled" { default = false } +variable "receive_account_ids" { + description = "The account ID of the MLPA account." + type = list(string) +} + variable "mock_onelogin_enabled" { description = "Whether or not to enable the mock One Login service." type = bool diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json index ddf43d2f64..c10a70f106 100644 --- a/terraform/environment/terraform.tfvars.json +++ b/terraform/environment/terraform.tfvars.json @@ -50,6 +50,9 @@ "session_expiry_warning": 5, "ship_metrics_queue_enabled": true, "sirius_account_id": "288342028542", + "receive_account_ids": [ + "653761790766" + ], "load_balancer_deletion_protection_enabled": false, "notify_key_secret_name": "notify-api-key", "associate_alb_with_waf_web_acl_enabled": false, @@ -149,6 +152,9 @@ "session_expiry_warning": 5, "ship_metrics_queue_enabled": true, "sirius_account_id": "288342028542", + "receive_account_ids": [ + "653761790766" + ], "load_balancer_deletion_protection_enabled": false, "notify_key_secret_name": "notify-api-key-demo", "associate_alb_with_waf_web_acl_enabled": true, 
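Review bot: The description of the new `receive_account_ids` variable, "The account ID of the MLPA account.", describes a single id while the type is `list(string)` and the module-level variable calls it a list of senders; the two descriptions should agree, e.g. `description = "The account IDs allowed to send events to the event bus."`. `event_receiver_lambda_name` is given `default = ""`, which would let the module be wired to an empty function name without a plan-time error; a later commit removes the variable, so no change is needed here beyond noting it.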
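Review bot: Every environment block in this file is given the same `receive_account_ids` value, `653761790766`, including the final block whose `sirius_account_id` (`649098267436`) differs from the others, so the environment that appears to be production and the non-production ones all trust the same sending account. If the sending side also has separate production and non-production accounts, this would allow a non-production sender to publish onto the production bus; confirm that a single sender account is intended for all five environments and, if so, record that decision in the variable's description, since JSON offers nowhere for a comment. The remaining three hunks of this file share the same point.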
@@ -248,6 +254,9 @@ "session_expiry_warning": 5, "ship_metrics_queue_enabled": true, "sirius_account_id": "288342028542", + "receive_account_ids": [ + "653761790766" + ], "load_balancer_deletion_protection_enabled": false, "notify_key_secret_name": "notify-api-key-demo", "associate_alb_with_waf_web_acl_enabled": false, @@ -347,6 +356,9 @@ "session_expiry_warning": 5, "ship_metrics_queue_enabled": false, "sirius_account_id": "288342028542", + "receive_account_ids": [ + "653761790766" + ], "load_balancer_deletion_protection_enabled": true, "notify_key_secret_name": "notify-api-key", "associate_alb_with_waf_web_acl_enabled": true, @@ -446,6 +458,9 @@ "session_expiry_warning": 5, "ship_metrics_queue_enabled": false, "sirius_account_id": "649098267436", + "receive_account_ids": [ + "653761790766" + ], "load_balancer_deletion_protection_enabled": true, "notify_key_secret_name": "notify-api-key", "associate_alb_with_waf_web_acl_enabled": true, diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf index 14ea070f96..540569b63c 100644 --- a/terraform/environment/variables.tf +++ b/terraform/environment/variables.tf @@ -73,6 +73,7 @@ variable "environments" { session_expiry_warning = number ship_metrics_queue_enabled = bool sirius_account_id = string + receive_account_ids = list(string) load_balancer_deletion_protection_enabled = bool notify_key_secret_name = string associate_alb_with_waf_web_acl_enabled = bool From c7ed1f7d0de751e448712e3d7038414358e37697 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 10:46:54 +0000 Subject: [PATCH 04/35] instance key and && operator --- terraform/environment/region/modules/event_bus/bus.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index 626070fd05..512d5ac59e 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf 
+++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -29,12 +29,13 @@ resource "aws_cloudwatch_event_rule" "receive_events_from_mlpa" { resource "aws_cloudwatch_event_bus_policy" "cross_account_receive" { count = length(var.receive_account_ids) > 0 ? 1 : 0 event_bus_name = aws_cloudwatch_event_bus.main[0].name - policy = data.aws_iam_policy_document.cross_account_receive.json + policy = data.aws_iam_policy_document.cross_account_receive[0].json provider = aws.region } # Allow MLPA account to send messages data "aws_iam_policy_document" "cross_account_receive" { + count = var.event_bus_enabled ? 1 : 0 statement { sid = "CrossAccountAccess" effect = "Allow" From fe64258688818bcfe57403b5a27663f680470c64 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 11:15:19 +0000 Subject: [PATCH 05/35] add event target bus name --- .../environment/region/modules/event_bus/bus.tf | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index 512d5ac59e..3ccac565f0 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf +++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -27,7 +27,7 @@ resource "aws_cloudwatch_event_rule" "receive_events_from_mlpa" { } resource "aws_cloudwatch_event_bus_policy" "cross_account_receive" { - count = length(var.receive_account_ids) > 0 ? 1 : 0 + count = length(var.receive_account_ids) > 0 && var.event_bus_enabled ? 1 : 0 event_bus_name = aws_cloudwatch_event_bus.main[0].name policy = data.aws_iam_policy_document.cross_account_receive[0].json provider = aws.region 
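Review bot: The `count` added to the `cross_account_receive` policy document is keyed on `var.event_bus_enabled`, while the `aws_cloudwatch_event_bus_policy` that indexes it with `[0]` is keyed on `length(var.receive_account_ids) > 0`, so a non-empty sender list with the bus disabled fails at plan with an invalid index, and an enabled bus with an empty sender list still evaluates the document with an empty `identifiers` list (presumably a provider error or an unusable principal block — worth checking). The next commit in this series adds `&& var.event_bus_enabled` to the resource but leaves the data source as is; giving both the same expression, `count = length(var.receive_account_ids) > 0 && var.event_bus_enabled ? 1 : 0`, keeps them in lockstep. The data block continues past the end of the hunk.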
@@ -54,7 +54,13 @@ data "aws_iam_policy_document" "cross_account_receive" { } resource "aws_cloudwatch_event_target" "receive_events" { - count = var.event_bus_enabled ? 1 : 0 - rule = aws_cloudwatch_event_rule.receive_events_from_mlpa[0].name - arn = aws_sqs_queue.receive_events_queue[0].arn + count = var.event_bus_enabled ? 1 : 0 + rule = aws_cloudwatch_event_rule.receive_events_from_mlpa[0].name + arn = aws_sqs_queue.receive_events_queue[0].arn + event_bus_name = aws_cloudwatch_event_bus.main[0].name + dead_letter_config { + arn = aws_sqs_queue.receive_events_deadletter[0].arn + } + + provider = aws.region } From f751c425cd42a024d6b372b09db9aebb023bb8c4 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 18 Dec 2024 16:15:26 +0000 Subject: [PATCH 06/35] allow lambda messages from sqs --- terraform/environment/lambda.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index ea0f2c21fa..7916cc3935 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -102,3 +102,23 @@ module "event_receiver" { timeout = 900 memory = 128 } + +resource "aws_iam_role_policy" "lambda_event_receiver" { + name = "${local.environment_name}-lambda-event-receiver" + role = module.event_receiver.lambda_role.id + policy = data.aws_iam_policy_document.lambda_event_receiver.json +} + + +data "aws_iam_policy_document" "lambda_event_receiver" { + statement { + sid = "${local.environment_name}EventReceiverSQS" + effect = "Allow" + actions = [ + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes" + ] + resources = [module.eu_west_1[0].event_bus_sqs_queue_name[0]] + } +} From 28c9aa9e24e9ae46cf654f28fe1ec23018008e10 Mon Sep 17 00:00:00 2001 
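Review bot: The new `dead_letter_config` points the EventBridge target at `receive_events_deadletter`, but that queue has no resource policy granting `events.amazonaws.com` permission to `sqs:SendMessage`; the only queue policy in the module, `receive_events_queue_policy` in sqs.tf, is attached to the main queue. Without such a grant on the dead-letter queue, events EventBridge cannot deliver are dropped rather than parked, and the failure shows up only in the rule's `InvocationsFailedToBeSentToDlq` metric. Attach a second policy document to the dead-letter queue with the same `aws:SourceArn` condition on the rule ARN. Sharing one dead-letter queue between the SQS redrive and the EventBridge target also mixes two message shapes (raw undeliverable events versus messages the consumer failed on), which deserves a comment if it is intentional.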
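Review bot: The `lambda_event_receiver` policy only lists the eu-west-1 queue (`module.eu_west_1[0]`), although region.tf passes `event_bus_enabled` to both `eu_west_1` and `eu_west_2`, so a queue created in the second region would have no consumer permissions; confirm whether that queue is meant to be consumed and, if so, include its ARN in `resources`. The `resources` entry is also a queue name rather than an ARN (`event_bus_sqs_queue_name`), which a later commit in this series changes. The statement `sid` is built from `local.environment_name`; IAM accepts only `[A-Za-z0-9]` in a Sid, so if environment names can contain hyphens the policy will fail at apply — `sid = "EventReceiverSQS"` is sufficient, since the environment is already in the policy `name`.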
From: Jay Whitwell Date: Wed, 18 Dec 2024 16:18:47 +0000 Subject: [PATCH 07/35] add vars and outputs --- terraform/environment/region/modules/event_bus/outputs.tf | 4 ++++ terraform/environment/region/outputs.tf | 5 +++++ 2 files changed, 9 insertions(+) create mode 100644 terraform/environment/region/modules/event_bus/outputs.tf diff --git a/terraform/environment/region/modules/event_bus/outputs.tf b/terraform/environment/region/modules/event_bus/outputs.tf new file mode 100644 index 0000000000..02063bb0ff --- /dev/null +++ b/terraform/environment/region/modules/event_bus/outputs.tf @@ -0,0 +1,4 @@ +output "receive_events_sqs_queue_name" { + description = "The name of the SQS queue created by the event_bus module." + value = aws_sqs_queue.receive_events_queue[*].name +} diff --git a/terraform/environment/region/outputs.tf b/terraform/environment/region/outputs.tf index a413009a61..685bead097 100644 --- a/terraform/environment/region/outputs.tf +++ b/terraform/environment/region/outputs.tf @@ -45,3 +45,8 @@ output "route53_fqdns" { mock_onelogin = local.route53_fqdns.mock_onelogin } } + +output "event_bus_sqs_queue_name" { + description = "SQS queue name from the event_bus module" + value = module.event_bus.receive_events_sqs_queue_name +} From 8d51e771d865934324c37af9b5822594be61bdb1 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 19 Dec 2024 08:51:32 +0000 Subject: [PATCH 08/35] use arn instead of id --- terraform/environment/lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 7916cc3935..c38a926db6 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf 
@@ -105,7 +105,7 @@ module "event_receiver" { resource "aws_iam_role_policy" "lambda_event_receiver" { name = "${local.environment_name}-lambda-event-receiver" - role = module.event_receiver.lambda_role.id + role = module.event_receiver.lambda_role.arn policy = data.aws_iam_policy_document.lambda_event_receiver.json } From 96267a624b6198d76baa8167ced9ba1b2d38beac Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 19 Dec 2024 09:03:10 +0000 Subject: [PATCH 09/35] just use name --- terraform/environment/lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index c38a926db6..8453ffb3ea 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -105,7 +105,7 @@ module "event_receiver" { resource "aws_iam_role_policy" "lambda_event_receiver" { name = "${local.environment_name}-lambda-event-receiver" - role = module.event_receiver.lambda_role.arn + role = module.event_receiver.lambda_role policy = data.aws_iam_policy_document.lambda_event_receiver.json } From afdcd8fda46789a1de09e717e497851611c8ff5f Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 19 Dec 2024 09:21:51 +0000 Subject: [PATCH 10/35] propagate outputs --- terraform/environment/lambda.tf | 10 ++++++++-- .../environment/region/modules/event_bus/outputs.tf | 10 ++++++++++ .../environment/region/modules/event_bus/sqs.tf | 8 -------- .../region/modules/event_bus/variables.tf | 6 ------ terraform/environment/region/outputs.tf | 12 +++++++++++- terraform/environment/region/variables.tf | 6 ------ 6 files changed, 29 insertions(+), 23 deletions(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 8453ffb3ea..0b0e756719 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf 
@@ -105,7 +105,7 @@ module "event_receiver" { resource "aws_iam_role_policy" "lambda_event_receiver" { name = "${local.environment_name}-lambda-event-receiver" - role = module.event_receiver.lambda_role + role = module.event_receiver.lambda_role.name policy = data.aws_iam_policy_document.lambda_event_receiver.json } @@ -119,6 +119,12 @@ data "aws_iam_policy_document" "lambda_event_receiver" { "sqs:DeleteMessage", "sqs:GetQueueAttributes" ] - resources = [module.eu_west_1[0].event_bus_sqs_queue_name[0]] + resources = [module.eu_west_1[0].receive_events_sqs_queue_name[0]] } } + +resource "aws_lambda_event_source_mapping" "receive_events_mapping" { + event_source_arn = module.eu_west_1[0].receive_events_sqs_queue_arn[0] + function_name = module.event_receiver.lambda_name + enabled = true +} diff --git a/terraform/environment/region/modules/event_bus/outputs.tf b/terraform/environment/region/modules/event_bus/outputs.tf index 02063bb0ff..3c07ec78b6 100644 --- a/terraform/environment/region/modules/event_bus/outputs.tf +++ b/terraform/environment/region/modules/event_bus/outputs.tf @@ -2,3 +2,13 @@ output "receive_events_sqs_queue_name" { description = "The name of the SQS queue created by the event_bus module." value = aws_sqs_queue.receive_events_queue[*].name } + +output "receive_events_sqs_queue_arn" { + description = "The name of the SQS queue created by the event_bus module." + value = aws_sqs_queue.receive_events_queue[*].arn +} + +output "receive_events_bus_arn" { + description = "The ARN of the event bus created by the event_bus module." + value = aws_cloudwatch_event_bus.main[0].arn +} diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 56009ab6e8..976e8eddef 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf 
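Review bot: The new `receive_events_mapping` resource has no `count`, yet indexes `module.eu_west_1[0].receive_events_sqs_queue_arn[0]`, an output built from `aws_sqs_queue.receive_events_queue[*].arn` that is an empty list whenever `event_bus_enabled` is false; the `[0]` then fails at plan for every environment with the bus disabled, and the `resources` line of `lambda_event_receiver` has the same problem. Guard both with `count = local.environment.event_bus_enabled ? 1 : 0` (the flag region.tf already passes to the module) or select the element with `one(...)`. The policy's `resources` is also still a queue name rather than an ARN, which a later commit fixes. If the handler reports partial failures, `function_response_types = ["ReportBatchItemFailures"]` on the mapping stops one bad record from sending a whole batch back through the retry and dead-letter path.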
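Review bot: `receive_events_bus_arn` uses the bare index `aws_cloudwatch_event_bus.main[0].arn`, unlike the two sibling outputs that use the `[*]` splat, so reading the module's outputs with `event_bus_enabled = false` fails with an invalid index. Use `value = aws_cloudwatch_event_bus.main[*].arn` for consistency and have consumers index the list. The description of `receive_events_sqs_queue_arn` was copied from the name output and still says "The name of the SQS queue"; it should read `description = "The ARN of the SQS queue created by the event_bus module."`. The region-level `outputs.tf` hunk in this commit repeats the same description error.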
@@ -63,11 +63,3 @@ data "aws_iam_policy_document" "receive_events_queue_policy" { } } } - -resource "aws_lambda_event_source_mapping" "receive_events_mapping" { - count = var.event_bus_enabled ? 1 : 0 - event_source_arn = aws_sqs_queue.receive_events_queue[0].arn - function_name = var.event_receiver_lambda_name - enabled = true - provider = aws.region -} diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf index 1ae7cad034..1c22663c67 100644 --- a/terraform/environment/region/modules/event_bus/variables.tf +++ b/terraform/environment/region/modules/event_bus/variables.tf @@ -9,12 +9,6 @@ variable "event_bus_enabled" { default = false } -variable "event_receiver_lambda_name" { - description = "The name of the ingress from MLPA lambda" - type = string -} - - variable "current_region" { description = "The current region" type = string diff --git a/terraform/environment/region/outputs.tf b/terraform/environment/region/outputs.tf index 685bead097..7f7cf3357c 100644 --- a/terraform/environment/region/outputs.tf +++ b/terraform/environment/region/outputs.tf @@ -46,7 +46,17 @@ output "route53_fqdns" { } } -output "event_bus_sqs_queue_name" { + +output "receive_events_bus_arn" { + description = "The ARN of the event bus created by the event_bus module." + value = module.event_bus.receive_events_bus_arn +} + +output "receive_events_sqs_queue_arn" { + description = "The name of the SQS queue created by the event_bus module." + value = module.event_bus.receive_events_sqs_queue_arn +} +output "receive_events_sqs_queue_name" { description = "SQS queue name from the event_bus module" value = module.event_bus.receive_events_sqs_queue_name } diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf index 19ec453163..d06e68b736 100644 --- a/terraform/environment/region/variables.tf +++ b/terraform/environment/region/variables.tf 
@@ -112,12 +112,6 @@ variable "event_bus_enabled" { default = false } -variable "event_receiver_lambda_name" { - description = "The name of the event receiver lambda." - type = string - default = "" -} - variable "feature_flags" { description = "The feature flags to use." type = map(string) From 3f94b96bed6051c364b6ea54ce4af327e0577aba Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 19 Dec 2024 09:29:14 +0000 Subject: [PATCH 11/35] rewmove lambda var --- terraform/environment/region.tf | 2 -- terraform/environment/region/event_bus.tf | 11 +++++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/terraform/environment/region.tf b/terraform/environment/region.tf index 67dc8829a5..04693dcc82 100644 --- a/terraform/environment/region.tf +++ b/terraform/environment/region.tf @@ -20,7 +20,6 @@ module "eu_west_1" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled - event_receiver_lambda_name = module.event_receiver.lambda_name google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name @@ -110,7 +109,6 @@ module "eu_west_2" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled - event_receiver_lambda_name = module.event_receiver.lambda_name google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf index 5ef9c8947a..f5d863c5e1 100644 --- a/terraform/environment/region/event_bus.tf +++ b/terraform/environment/region/event_bus.tf 
@@ -1,10 +1,9 @@ module "event_bus" { - source = "./modules/event_bus" - environment_name = var.environment_name - event_bus_enabled = var.event_bus_enabled - current_region = data.aws_region.current.name - receive_account_ids = var.receive_account_ids - event_receiver_lambda_name = var.event_receiver_lambda_name + source = "./modules/event_bus" + environment_name = var.environment_name + event_bus_enabled = var.event_bus_enabled + current_region = data.aws_region.current.name + receive_account_ids = var.receive_account_ids providers = { aws.region = aws.region } From f1ecb9418231188bdc8f07b78595922bef567ef6 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 19 Dec 2024 15:58:35 +0000 Subject: [PATCH 12/35] add lambda permission and change to arn --- terraform/environment/lambda.tf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 0b0e756719..051afd1e7e 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -119,7 +119,7 @@ data "aws_iam_policy_document" "lambda_event_receiver" { "sqs:DeleteMessage", "sqs:GetQueueAttributes" ] - resources = [module.eu_west_1[0].receive_events_sqs_queue_name[0]] + resources = [module.eu_west_1[0].receive_events_sqs_queue_arn[0]] } } @@ -128,3 +128,11 @@ resource "aws_lambda_event_source_mapping" "receive_events_mapping" { function_name = module.event_receiver.lambda_name enabled = true } + +resource "aws_lambda_permission" "receive_events_permission" { + statement_id = "AllowExecutionFromSQS" + action = "lambda:InvokeFunction" + function_name = module.event_receiver.lambda_name + principal = "sqs.amazonaws.com" + source_arn = module.eu_west_1[0].receive_events_sqs_queue_arn[0] +} From 92e9da90bfc574c21a31c2cd08c6a61957250b83 Mon Sep 17 00:00:00 2001 
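Review bot: The new `aws_lambda_permission.receive_events_permission` in the second lambda.tf hunk grants `sqs.amazonaws.com` `lambda:InvokeFunction`, but an SQS event source mapping is poll-based — Lambda reads the queue using the function's execution role (the `sqs:ReceiveMessage`/`sqs:DeleteMessage`/`sqs:GetQueueAttributes` statement in the first hunk is what matters), and SQS never invokes the function, so this resource-based grant is never exercised. It is harmless only because `source_arn` scopes it; as an unused entry in the function's resource policy it should be dropped rather than carried forward. The `resources = [...receive_events_sqs_queue_arn[0]]` correction in the first hunk is the right fix for that statement.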
From: Jay Whitwell Date: Thu, 19 Dec 2024 16:07:28 +0000 Subject: [PATCH 13/35] ensure queue visibility timeout aligns --- terraform/environment/region/event_bus.tf | 11 ++++++----- terraform/environment/region/locals.tf | 2 ++ terraform/environment/region/modules/event_bus/sqs.tf | 2 +- .../environment/region/modules/event_bus/variables.tf | 5 +++++ 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf index f5d863c5e1..701d4d1f28 100644 --- a/terraform/environment/region/event_bus.tf +++ b/terraform/environment/region/event_bus.tf @@ -1,9 +1,10 @@ module "event_bus" { - source = "./modules/event_bus" - environment_name = var.environment_name - event_bus_enabled = var.event_bus_enabled - current_region = data.aws_region.current.name - receive_account_ids = var.receive_account_ids + source = "./modules/event_bus" + environment_name = var.environment_name + event_bus_enabled = var.event_bus_enabled + current_region = data.aws_region.current.name + receive_account_ids = var.receive_account_ids + queue_visibility_timeout = local.queue_visibility_timeout providers = { aws.region = aws.region } diff --git a/terraform/environment/region/locals.tf b/terraform/environment/region/locals.tf index 6b5d6c5bdc..0dd9c5983c 100644 --- a/terraform/environment/region/locals.tf +++ b/terraform/environment/region/locals.tf @@ -14,6 +14,8 @@ locals { admin_desired_count = local.is_active_region ? 1 : 0 mock_onelogin_desired_count = var.environment_name != "production" && var.mock_onelogin_enabled && local.is_active_region ? 1 : 0 + queue_visibility_timeout = 900 + # Replace the region in the ARN of the DynamoDB tables with the region of the current stack as the tables are created in the primary region # and replicated to the secondary region. This allows use to grant access to the tables in the secondary region for applications running in the secondary region. dynamodb_tables_arns = { 
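Review bot: `queue_visibility_timeout = 900` in the locals.tf hunk equals the receiver function's `timeout = 900` (lambda.tf, PATCH 14), but AWS's guidance for SQS event source mappings is a visibility timeout of at least six times the function timeout, so a batch whose invocation runs to the limit can become visible and be redelivered while still being processed; `queue_visibility_timeout = 5400` follows that guidance (SQS allows up to 43200). The bare number also carries no unit — `queue_visibility_timeout_seconds` would make the local self-describing. The module variable added in the variables.tf hunk on the next line has `type = number` and no `validation` block; a constraint keeping it between 0 and 43200 would fail at plan rather than apply on a bad value.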
diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 976e8eddef..8c0cb5ef68 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -9,7 +9,7 @@ resource "aws_sqs_queue" "receive_events_queue" { kms_master_key_id = data.aws_kms_alias.sqs.target_key_id kms_data_key_reuse_period_seconds = 300 - visibility_timeout_seconds = 300 + visibility_timeout_seconds = var.queue_visibility_timeout redrive_policy = jsonencode({ deadLetterTargetArn = aws_sqs_queue.receive_events_deadletter[0].arn diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf index 1c22663c67..ca929547be 100644 --- a/terraform/environment/region/modules/event_bus/variables.tf +++ b/terraform/environment/region/modules/event_bus/variables.tf @@ -18,3 +18,8 @@ variable "receive_account_ids" { description = "The account ids that can send events to the event bus" type = list(string) } + +variable "queue_visibility_timeout" { + description = "The visibility timeout for the SQS queue" + type = number +} From f20e2591e7b3405f2b523671c94761a4161c9d19 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 20 Dec 2024 09:17:16 +0000 Subject: [PATCH 14/35] correct ecr --- terraform/environment/lambda.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 051afd1e7e..30d7484b94 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -14,6 +14,7 @@ module "lambda_update_statistics" { memory = 1024 } + # Additional IAM permissions resource "aws_iam_role_policy" "lambda_update_statistics" { name = "lambda-update-statistics-${local.environment_name}" 
@@ -96,7 +97,7 @@ module "event_receiver" { REGION = data.aws_region.current.name } image_uri = "${data.aws_ecr_repository.use_an_lpa_event_receiver.repository_url}:${var.container_version}" - ecr_arn = data.aws_ecr_repository.use_an_lpa_upload_statistics.arn + ecr_arn = data.aws_ecr_repository.use_an_lpa_event_receiver.arn environment = local.environment_name kms_key = data.aws_kms_alias.cloudwatch_encryption.target_key_arn timeout = 900 From 3ee5bf8ddbd09bb0fab78d8e4451da39d6dd7374 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 20 Dec 2024 14:11:23 +0000 Subject: [PATCH 15/35] stop pipeline pass on failed preprod plan --- .github/workflows/pull-request-path.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-path.yml b/.github/workflows/pull-request-path.yml index 63081fe986..330ec8f851 100644 --- a/.github/workflows/pull-request-path.yml +++ b/.github/workflows/pull-request-path.yml @@ -298,6 +298,7 @@ jobs: - update_documentation - docker_build_scan_push - run_behat_suite + - terraform_preproduction_plan_environment steps: - uses: actions/checkout@v4 @@ -332,7 +333,7 @@ jobs: - name: workflow has ended without issue run: | - if ${{ contains(needs.run_behat_suite.result, 'success') && contains(needs.ecr_scan_results.result, 'success') }}; then + if ${{ contains(needs.run_behat_suite.result, 'success') && contains(needs.ecr_scan_results.result, 'success') && contains(needs.terraform_preproduction_plan_environment.result, 'success') }}; then echo "${{ needs.workflow_variables.outputs.safe_branch_name }} PR environment tested, built and deployed" echo "Tag Used: ${{ needs.workflow_variables.outputs.safe_branch_name }}-${{ needs.workflow_variables.outputs.short_sha }}" echo "URL: https://${{ needs.workflow_variables.outputs.workspace_name }}.use-lasting-power-of-attorney.service.gov.uk" From cb4f4a17b4dda0d2d7049f86760f1e9f84a42590 Mon Sep 17 00:00:00 2001 
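Review bot: Adding `terraform_preproduction_plan_environment` to `needs` means that when the plan job fails this job is skipped by default, so the `contains(needs.terraform_preproduction_plan_environment.result, 'success')` check in the new `if` line only ever sees `success` unless the job carries `if: always()` (or an equivalent) — the job's own `if:` is outside the hunk, so please confirm it does, otherwise the failure branch of this shell `if` is dead. Stylistically, `needs.<job>.result == 'success'` is the precise comparison; `contains` on a result string works only because the possible values happen not to overlap.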
From: Jay Whitwell Date: Fri, 20 Dec 2024 15:30:39 +0000 Subject: [PATCH 16/35] update lambda to allow execute from sqs --- lambda-functions/event-receiver/app/main.go | 23 ++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/lambda-functions/event-receiver/app/main.go b/lambda-functions/event-receiver/app/main.go index 7a74dacd67..8967bfcd49 100755 --- a/lambda-functions/event-receiver/app/main.go +++ b/lambda-functions/event-receiver/app/main.go @@ -1,17 +1,30 @@ package main import ( - "context" "fmt" + "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" ) -func Handler(ctx context.Context) (string, error) { - fmt.Println("Hello World") - return "Hello World!", nil +func handler(event events.SQSEvent) error { + for _, record := range event.Records { + err := processMessage(record) + if err != nil { + return err + } + } + fmt.Println("done") + return nil +} + +func processMessage(record events.SQSMessage) error { + fmt.Printf("Processed message %s\n", record.Body) + fmt.Printf("Hello, world!\n") + return nil } func main() { - lambda.Start(Handler) + lambda.Start(handler) + fmt.Printf("Hello, world!\n") } From 38429e7daf2ee353d58ad190da25ff383b360441 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 20 Dec 2024 15:57:51 +0000 Subject: [PATCH 17/35] explicitly declare resource --- terraform/environment/region/modules/event_bus/sqs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 8c0cb5ef68..79e2113079 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -52,7 +52,7 @@ data "aws_iam_policy_document" "receive_events_queue_policy" { } actions = ["sqs:SendMessage"] - resources = ["*"] + resources = [aws_sqs_queue.receive_events_queue[0].arn] condition { test = "ArnEquals" 
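Review bot: `handler` returns on the first `processMessage` error, and with an SQS event source mapping an error return makes Lambda redeliver the entire batch, including records already processed, unless the function reports per-item failures; the `fmt.Printf("Hello, world!\n")` after `lambda.Start(handler)` is also unreachable in normal operation because `Start` blocks for the lifetime of the runtime. `processMessage` prints `record.Body` verbatim — the bodies are `lpa-access-granted` events from the other account and will land in CloudWatch Logs, so log `record.MessageId` instead and keep the payload out of the log line. The shape below reports failed items individually (it needs `"context"` re-imported and `function_response_types = ["ReportBatchItemFailures"]` on the `aws_lambda_event_source_mapping` in lambda.tf).
```go
func handler(ctx context.Context, event events.SQSEvent) (events.SQSEventResponse, error) {
	var resp events.SQSEventResponse
	for _, record := range event.Records {
		if err := processMessage(record); err != nil {
			// Report only the failed record so the rest of the batch is not redelivered.
			resp.BatchItemFailures = append(resp.BatchItemFailures,
				events.SQSBatchItemFailure{ItemIdentifier: record.MessageId})
		}
	}
	return resp, nil
}
// … unchanged: processMessage (log record.MessageId, not record.Body), main …
```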
From 9a707d235efcae4a4454933ea851002589da9b22 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 20 Dec 2024 16:15:43 +0000 Subject: [PATCH 18/35] add sqs queue policy resource --- terraform/environment/region/modules/event_bus/sqs.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 79e2113079..25efd3e0c5 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -16,7 +16,13 @@ resource "aws_sqs_queue" "receive_events_queue" { maxReceiveCount = 3 }) - policy = data.aws_iam_policy_document.receive_events_queue_policy[0].json + provider = aws.region +} + +resource "aws_sqs_queue_policy" "receive_events_queue_policy" { + count = var.event_bus_enabled ? 1 : 0 + queue_url = aws_sqs_queue.receive_events_queue[0].id + policy = data.aws_iam_policy_document.receive_events_queue_policy[0].json provider = aws.region } From bbe42ccf6f2982e682be174117386bb08ad75b59 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 20 Dec 2024 16:38:30 +0000 Subject: [PATCH 19/35] allow lambda decrypt permissions --- terraform/environment/lambda.tf | 9 +++++++++ terraform/environment/shared_data_sources.tf | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 30d7484b94..5e3534fbb5 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -122,6 +122,15 @@ data "aws_iam_policy_document" "lambda_event_receiver" { ] resources = [module.eu_west_1[0].receive_events_sqs_queue_arn[0]] } + + statement { + sid = "${local.environment_name}SQSKMSDecrypt" + effect = "Allow" + actions = [ + "kms:Decrypt" + ] + resources = [data.aws_kms_alias.sqs.arn] + } } resource "aws_lambda_event_source_mapping" "receive_events_mapping" { 
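Review bot: `resources = [data.aws_kms_alias.sqs.arn]` in the new `kms:Decrypt` statement of the lambda.tf hunk is the alias ARN (`arn:…:alias/sqs-mrk`), and KMS does not match alias ARNs in the Resource element for key operations such as Decrypt — only the key ARN (or the `kms:ResourceAliases` condition key) does — so this statement grants nothing and the function will fail to read SSE-KMS messages. It should be `resources = [data.aws_kms_alias.sqs.target_key_arn]`. The same alias-ARN reference survives the rename in PATCH 31 and the `kms:DescribeKey` addition in PATCH 32 (`data.aws_kms_alias.event_receiver.arn`), which need `.target_key_arn` as well.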
diff --git a/terraform/environment/shared_data_sources.tf b/terraform/environment/shared_data_sources.tf index c55ab490df..35d2f567f6 100644 --- a/terraform/environment/shared_data_sources.tf +++ b/terraform/environment/shared_data_sources.tf @@ -20,6 +20,10 @@ data "aws_ecr_repository" "mock_onelogin" { name = "mock-onelogin" } +data "aws_kms_alias" "sqs" { + name = "alias/sqs-mrk" +} + module "allow_list" { source = "git@github.com:ministryofjustice/terraform-aws-moj-ip-allow-list.git?ref=v2.3.0" } From 34029af2cc70e028cd00ade3aa915a44f862d8c9 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Tue, 7 Jan 2025 10:22:10 +0000 Subject: [PATCH 20/35] remove condition --- terraform/environment/region/modules/event_bus/sqs.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 25efd3e0c5..35de5a20ac 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -59,13 +59,5 @@ data "aws_iam_policy_document" "receive_events_queue_policy" { actions = ["sqs:SendMessage"] resources = [aws_sqs_queue.receive_events_queue[0].arn] - - condition { - test = "ArnEquals" - variable = "aws:SourceArn" - values = [ - aws_cloudwatch_event_rule.receive_events_from_mlpa[0].arn - ] - } } } From 22c424ac5e0eebeb43fdb5fe1cfa99ded952a2fb Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Tue, 7 Jan 2025 13:43:44 +0000 Subject: [PATCH 21/35] rename kms --- terraform/account/kms.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf index 1688494aca..25bbfcb1e3 100644 --- a/terraform/account/kms.tf +++ b/terraform/account/kms.tf 
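Review bot: Dropping the `aws:SourceArn` condition leaves the `sqs:SendMessage` statement in `receive_events_queue_policy` scoped only by principal; if that principal is the EventBridge service principal (the `principals` block is outside the hunk), any rule in any AWS account can now target this queue — the confused-deputy gap that `aws:SourceArn`/`aws:SourceAccount` exist to close. If the condition was removed to break a reference cycle between the queue policy and the rule, it can be kept without naming the rule resource: `test = "ArnLike"`, `variable = "aws:SourceArn"`, `values = ["arn:aws:events:${var.current_region}:${data.aws_caller_identity.current.account_id}:rule/${var.environment_name}/*"]`, which matches only rules on this environment's bus. That needs a `data "aws_caller_identity" "current"` in the module, which is not among the visible files.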
@@ -24,11 +24,11 @@ module "sessions_actor_mrk" { } } -module "sqs_mrk" { +module "event_receiver_mrk" { source = "./modules/multi_region_kms" - key_description = "KMS key for sqs" - key_alias = "sqs-mrk" + key_description = "KMS key for received events" + key_alias = "${local.environment}-event-receiver-mrk" deletion_window_in_days = 7 providers = { From 47a288e0cdfae6e8665aa0a7048ea703ec7a5d27 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Tue, 7 Jan 2025 13:54:22 +0000 Subject: [PATCH 22/35] allow permissions on kms key --- terraform/account/kms.tf | 29 +------------------ .../region/modules/event_bus/kms.tf | 4 +++ .../region/modules/event_bus/sqs.tf | 9 ++---- 3 files changed, 7 insertions(+), 35 deletions(-) create mode 100644 terraform/environment/region/modules/event_bus/kms.tf diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf index 25bbfcb1e3..226ce68df3 100644 --- a/terraform/account/kms.tf +++ b/terraform/account/kms.tf @@ -29,6 +29,7 @@ module "event_receiver_mrk" { key_description = "KMS key for received events" key_alias = "${local.environment}-event-receiver-mrk" + key_policy = data.aws_iam_policy_document.event_receiver_kms.json deletion_window_in_days = 7 providers = { @@ -147,20 +148,6 @@ data "aws_iam_policy_document" "cloudwatch_kms" { } } -module "event_receiver_mrk" { - source = "./modules/multi_region_kms" - - key_description = "KMS key for received events" - key_alias = "${local.environment}-event-receiver-mrk" - key_policy = data.aws_iam_policy_document.event_receiver_kms.json - deletion_window_in_days = 7 - - providers = { - aws.primary = aws.eu_west_1 - aws.secondary = aws.eu_west_2 - } -} - data "aws_iam_policy_document" "event_receiver_kms" { statement { sid = "Allow Encryption by Service" 
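Review bot: Renaming `module "sqs_mrk"` to `module "event_receiver_mrk"` without a `moved` block makes Terraform plan the existing key for deletion (a 7-day window per `deletion_window_in_days = 7`) and create a fresh one, so anything still encrypted under the old key — queued messages at the time of the apply — becomes unreadable once the window lapses. If the pinned Terraform version is 1.1 or later, `moved { from = module.sqs_mrk  to = module.event_receiver_mrk }` keeps the key and only replaces the alias, which the `key_alias` change forces anyway.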
@@ -204,18 +191,4 @@ data "aws_iam_policy_document" "event_receiver_kms" { ] } } - - statement { - sid = "Enable Root account permissions on Key" - effect = "Allow" - actions = ["kms:*"] - resources = ["*"] - - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", - ] - } - } } diff --git a/terraform/environment/region/modules/event_bus/kms.tf b/terraform/environment/region/modules/event_bus/kms.tf new file mode 100644 index 0000000000..34868e5e0d --- /dev/null +++ b/terraform/environment/region/modules/event_bus/kms.tf @@ -0,0 +1,4 @@ +data "aws_kms_alias" "event_receiver_mrk" { + name = "alias/${var.environment_name}-event-receiver-mrk" + provider = aws.region +} diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index 35de5a20ac..f29638fb00 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -1,12 +1,7 @@ -data "aws_kms_alias" "sqs" { - name = "alias/sqs-mrk" - provider = aws.region -} - resource "aws_sqs_queue" "receive_events_queue" { count = var.event_bus_enabled ? 1 : 0 name = "${var.environment_name}-receive-events-queue" - kms_master_key_id = data.aws_kms_alias.sqs.target_key_id + kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id kms_data_key_reuse_period_seconds = 300 visibility_timeout_seconds = var.queue_visibility_timeout @@ -30,7 +25,7 @@ resource "aws_sqs_queue_policy" "receive_events_queue_policy" { resource "aws_sqs_queue" "receive_events_deadletter" { count = var.event_bus_enabled ? 1 : 0 name = "${var.environment_name}-receive-events-deadletter" - kms_master_key_id = data.aws_kms_alias.sqs.target_key_id + kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id kms_data_key_reuse_period_seconds = 300 provider = aws.region } From 99830a9d1ea31c4b239109b9e62fc3d81d134bd0 Mon Sep 17 00:00:00 2001 
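Review bot: Removing the `Enable Root account permissions on Key` statement from `event_receiver_kms` (the third account/kms.tf hunk) takes away the grant that lets IAM policies in the account take effect on this key; unless a statement outside the hunk still allows the account root or a named admin role `kms:*`, the lambda role's `kms:Decrypt` in lambda.tf cannot work through IAM, and KMS will normally reject the policy as one that would make the key unmanageable. The usual shape is to keep the root statement and add the service and role statements beside it rather than in its place.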
From: Jay Whitwell Date: Wed, 8 Jan 2025 10:03:26 +0000 Subject: [PATCH 23/35] temporarily comment kms --- .../region/modules/event_bus/kms.tf | 4 ++-- .../region/modules/event_bus/sqs.tf | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/terraform/environment/region/modules/event_bus/kms.tf b/terraform/environment/region/modules/event_bus/kms.tf index 34868e5e0d..4ff283b887 100644 --- a/terraform/environment/region/modules/event_bus/kms.tf +++ b/terraform/environment/region/modules/event_bus/kms.tf @@ -1,4 +1,4 @@ -data "aws_kms_alias" "event_receiver_mrk" { +/*data "aws_kms_alias" "event_receiver_mrk" { name = "alias/${var.environment_name}-event-receiver-mrk" provider = aws.region -} +}*/ diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index f29638fb00..e3d69c3d5e 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -1,8 +1,8 @@ resource "aws_sqs_queue" "receive_events_queue" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-receive-events-queue" - kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id - kms_data_key_reuse_period_seconds = 300 + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-queue" + // kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id + // kms_data_key_reuse_period_seconds = 300 visibility_timeout_seconds = var.queue_visibility_timeout 
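Review bot: Commenting out `kms_master_key_id` on `receive_events_queue` (and on the dead-letter queue in the hunk on the next line) leaves the queue with neither a CMK nor an explicit `sqs_managed_sse_enabled`, so what encryption the existing queue ends up with after this apply depends on provider behaviour rather than on the configuration. If this intermediate state has to be applied, set `sqs_managed_sse_enabled = true` for the duration; otherwise squashing PATCH 23 with PATCH 27, which restores the CMK, avoids ever applying an unencrypted queue. A `// temporary: …` comment giving the reason would also help the next reader.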
@@ -23,11 +23,11 @@ resource "aws_sqs_queue_policy" "receive_events_queue_policy" { } resource "aws_sqs_queue" "receive_events_deadletter" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-receive-events-deadletter" - kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id - kms_data_key_reuse_period_seconds = 300 - provider = aws.region + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-deadletter" + // kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id + // kms_data_key_reuse_period_seconds = 300 + provider = aws.region } resource "aws_sqs_queue_redrive_allow_policy" "receive_events_redrive_allow_policy" { From 16726ce9a8e3ab7772006ad88e257140d454f259 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 8 Jan 2025 11:58:28 +0000 Subject: [PATCH 24/35] enable kms cmk --- terraform/environment/region/data_sources.tf | 6 ++++++ terraform/environment/region/event_bus.tf | 13 +++++++------ .../environment/region/modules/event_bus/bus.tf | 7 ++++--- .../environment/region/modules/event_bus/kms.tf | 4 ---- .../environment/region/modules/event_bus/sqs.tf | 4 ++-- .../region/modules/event_bus/variables.tf | 5 +++++ 6 files changed, 24 insertions(+), 15 deletions(-) delete mode 100644 terraform/environment/region/modules/event_bus/kms.tf diff --git a/terraform/environment/region/data_sources.tf b/terraform/environment/region/data_sources.tf index 4f8d3535f4..8a4e64e8fc 100644 --- a/terraform/environment/region/data_sources.tf +++ b/terraform/environment/region/data_sources.tf @@ -56,6 +56,12 @@ data "aws_kms_alias" "sessions_actor" { provider = aws.region } +data "aws_kms_alias" "event_receiver" { + name = "alias/${var.environment_name}-event-receiver-mrk" + + provider = aws.region +} + data "aws_kms_alias" "secrets_manager" { name = "alias/secrets_manager_encryption-mrk" 
diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf index 701d4d1f28..5eae57cd8b 100644 --- a/terraform/environment/region/event_bus.tf +++ b/terraform/environment/region/event_bus.tf @@ -1,10 +1,11 @@ module "event_bus" { - source = "./modules/event_bus" - environment_name = var.environment_name - event_bus_enabled = var.event_bus_enabled - current_region = data.aws_region.current.name - receive_account_ids = var.receive_account_ids - queue_visibility_timeout = local.queue_visibility_timeout + source = "./modules/event_bus" + environment_name = var.environment_name + event_bus_enabled = var.event_bus_enabled + current_region = data.aws_region.current.name + receive_account_ids = var.receive_account_ids + queue_visibility_timeout = local.queue_visibility_timeout + event_reciever_kms_key_arn = data.aws_kms_alias.event_receiver.target_key_arn providers = { aws.region = aws.region } diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index 3ccac565f0..bd2fae44f8 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf +++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -1,7 +1,8 @@ resource "aws_cloudwatch_event_bus" "main" { - count = var.event_bus_enabled ? 1 : 0 - name = var.environment_name - provider = aws.region + count = var.event_bus_enabled ? 1 : 0 + name = var.environment_name + kms_key_identifier = var.event_reciever_kms_key_arn + provider = aws.region } resource "aws_cloudwatch_event_archive" "main" { diff --git a/terraform/environment/region/modules/event_bus/kms.tf b/terraform/environment/region/modules/event_bus/kms.tf deleted file mode 100644 index 4ff283b887..0000000000 --- a/terraform/environment/region/modules/event_bus/kms.tf +++ /dev/null @@ -1,4 +0,0 @@ -/*data "aws_kms_alias" "event_receiver_mrk" { - name = "alias/${var.environment_name}-event-receiver-mrk" - provider = aws.region -}*/ 
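Review bot: `event_reciever_kms_key_arn` in the event_bus.tf hunk misspells "receiver", and the misspelling becomes an interface name — the module variable in the variables.tf hunk on the next line, the region module inputs in region.tf (PATCH 25) and `region/variables.tf` all repeat it. Renaming to `event_receiver_kms_key_arn` now, before anything outside this series references it, is far cheaper than later.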
diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index e3d69c3d5e..ee627ef6aa 100644 --- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -1,7 +1,7 @@ resource "aws_sqs_queue" "receive_events_queue" { count = var.event_bus_enabled ? 1 : 0 name = "${var.environment_name}-receive-events-queue" - // kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id + // kms_master_key_id = var.event_reciever_kms_key_arn // kms_data_key_reuse_period_seconds = 300 visibility_timeout_seconds = var.queue_visibility_timeout @@ -25,7 +25,7 @@ resource "aws_sqs_queue_policy" "receive_events_queue_policy" { resource "aws_sqs_queue" "receive_events_deadletter" { count = var.event_bus_enabled ? 1 : 0 name = "${var.environment_name}-receive-events-deadletter" - // kms_master_key_id = data.aws_kms_alias.event_receiver_mrk.target_key_id + // kms_master_key_id = var.event_reciever_kms_key_arn // kms_data_key_reuse_period_seconds = 300 provider = aws.region } diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf index ca929547be..ffb898be4f 100644 --- a/terraform/environment/region/modules/event_bus/variables.tf +++ b/terraform/environment/region/modules/event_bus/variables.tf @@ -23,3 +23,8 @@ variable "queue_visibility_timeout" { description = "The visibility timeout for the SQS queue" type = number } + +variable "event_reciever_kms_key_arn" { + description = "The KMS key to use for the event bus" + type = string +} From 1fcee829c1091a14397b3acb70b2cec1cecb807e Mon Sep 17 00:00:00 2001 
From: Jay Whitwell Date: Wed, 8 Jan 2025 12:24:36 +0000 Subject: [PATCH 25/35] update kms vars --- terraform/environment/region.tf | 2 ++ terraform/environment/region/data_sources.tf | 6 ------ terraform/environment/region/event_bus.tf | 2 +- terraform/environment/region/variables.tf | 5 +++++ terraform/environment/shared_data_sources.tf | 4 ++++ 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/terraform/environment/region.tf b/terraform/environment/region.tf index 04693dcc82..d994858969 100644 --- a/terraform/environment/region.tf +++ b/terraform/environment/region.tf @@ -20,6 +20,7 @@ module "eu_west_1" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled + event_reciever_kms_key_arn = data.aws_kms_alias.event_receiver.target_key_arn google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name @@ -109,6 +110,7 @@ module "eu_west_2" { ecs_task_roles = module.iam.ecs_task_roles environment_name = local.environment_name event_bus_enabled = local.environment.event_bus_enabled + event_reciever_kms_key_arn = data.aws_kms_alias.event_receiver.target_key_arn google_analytics_id_use = local.environment.google_analytics_id_use google_analytics_id_view = local.environment.google_analytics_id_view gov_uk_onelogin_client_id_secret_name = local.environment.gov_uk_onelogin_client_id_secret_name diff --git a/terraform/environment/region/data_sources.tf b/terraform/environment/region/data_sources.tf index 8a4e64e8fc..4f8d3535f4 100644 --- a/terraform/environment/region/data_sources.tf +++ b/terraform/environment/region/data_sources.tf 
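Review bot: `event_reciever_kms_key_arn = data.aws_kms_alias.event_receiver.target_key_arn` in both region.tf hunks resolves the alias through the environment's default provider, so the `eu_west_2` module is handed the eu-west-1 ARN; for a multi-region key (`-mrk`) each replica has its own regional ARN, and the per-region data source this series removes in the same commit (`provider = aws.region`, PATCH 24) returned the local replica. Whether the eu-west-2 queue and bus accept an out-of-region key ARN is worth confirming; if not, keep the lookup inside the region module, or pass `target_key_id`, which is identical for every replica of a multi-region key and is resolved in the resource's own region.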
@@ -56,12 +56,6 @@ data "aws_kms_alias" "sessions_actor" { provider = aws.region } -data "aws_kms_alias" "event_receiver" { - name = "alias/${var.environment_name}-event-receiver-mrk" - - provider = aws.region -} - data "aws_kms_alias" "secrets_manager" { name = "alias/secrets_manager_encryption-mrk" diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf index 5eae57cd8b..598abbc55b 100644 --- a/terraform/environment/region/event_bus.tf +++ b/terraform/environment/region/event_bus.tf @@ -5,7 +5,7 @@ module "event_bus" { current_region = data.aws_region.current.name receive_account_ids = var.receive_account_ids queue_visibility_timeout = local.queue_visibility_timeout - event_reciever_kms_key_arn = data.aws_kms_alias.event_receiver.target_key_arn + event_reciever_kms_key_arn = var.event_reciever_kms_key_arn providers = { aws.region = aws.region } diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf index d06e68b736..e7de829ffa 100644 --- a/terraform/environment/region/variables.tf +++ b/terraform/environment/region/variables.tf @@ -112,6 +112,11 @@ variable "event_bus_enabled" { default = false } +variable "event_reciever_kms_key_arn" { + description = "The KMS key to use for the event bus" + type = string +} + variable "feature_flags" { description = "The feature flags to use." type = map(string) diff --git a/terraform/environment/shared_data_sources.tf b/terraform/environment/shared_data_sources.tf index 35d2f567f6..6186ad7c2e 100644 --- a/terraform/environment/shared_data_sources.tf +++ b/terraform/environment/shared_data_sources.tf @@ -2,6 +2,10 @@ data "aws_kms_alias" "cloudwatch_encryption" { name = "alias/cloudwatch-encryption-mrk" } +data "aws_kms_alias" "event_receiver" { + name = "alias/event-receiver-mrk" +} + //-------------------- // ECR Repos From 3b0193b7d1643abe88f22b3df21c08386c67ac31 Mon Sep 17 00:00:00 2001 
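Review bot: The shared_data_sources.tf hunk looks up `alias/event-receiver-mrk`, while the key created in account/kms.tf (PATCH 21) carries `key_alias = "${local.environment}-event-receiver-mrk"`; unless `local.environment` is empty in the account stack, the two names differ and the data source will fail to resolve. Use the same expression on both sides — or, since the environment stack already has `var.environment_name`, look up `alias/${local.environment_name}-event-receiver-mrk` here if that is what the account stack produces.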
From: Jay Whitwell Date: Wed, 8 Jan 2025 13:49:21 +0000 Subject: [PATCH 26/35] remove duplicated key --- terraform/account/kms.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf index cf4abeb115..226ce68df3 100644 --- a/terraform/account/kms.tf +++ b/terraform/account/kms.tf @@ -148,20 +148,6 @@ data "aws_iam_policy_document" "cloudwatch_kms" { } } -module "event_receiver_mrk" { - source = "./modules/multi_region_kms" - - key_description = "KMS key for received events" - key_alias = "event-receiver-mrk" - key_policy = data.aws_iam_policy_document.event_receiver_kms.json - deletion_window_in_days = 7 - - providers = { - aws.primary = aws.eu_west_1 - aws.secondary = aws.eu_west_2 - } -} - data "aws_iam_policy_document" "event_receiver_kms" { statement { sid = "Allow Encryption by Service" From fef52f0b07fce651409e09e2d80fe97c9c286e95 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 8 Jan 2025 15:04:39 +0000 Subject: [PATCH 27/35] add cmk --- .../region/modules/event_bus/bus.tf | 7 +++---- .../region/modules/event_bus/sqs.tf | 18 +++++++++--------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index bd2fae44f8..3ccac565f0 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf +++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -1,8 +1,7 @@ resource "aws_cloudwatch_event_bus" "main" { - count = var.event_bus_enabled ? 1 : 0 - name = var.environment_name - kms_key_identifier = var.event_reciever_kms_key_arn - provider = aws.region + count = var.event_bus_enabled ? 1 : 0 + name = var.environment_name + provider = aws.region } resource "aws_cloudwatch_event_archive" "main" { diff --git a/terraform/environment/region/modules/event_bus/sqs.tf b/terraform/environment/region/modules/event_bus/sqs.tf index ee627ef6aa..b384114fc0 100644 
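Review bot: The bus.tf hunk drops `kms_key_identifier` from `aws_cloudwatch_event_bus.main` only one commit after it was added, with nothing recording why; the archive attached to the bus is a plausible reason, but that is a guess. A one-line comment at the resource, e.g. `# No customer managed key on the bus: <reason>; events are CMK-encrypted at rest in the SQS queues instead.`, would stop the next maintainer re-adding it.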
--- a/terraform/environment/region/modules/event_bus/sqs.tf +++ b/terraform/environment/region/modules/event_bus/sqs.tf @@ -1,8 +1,8 @@ resource "aws_sqs_queue" "receive_events_queue" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-receive-events-queue" - // kms_master_key_id = var.event_reciever_kms_key_arn - // kms_data_key_reuse_period_seconds = 300 + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-queue" + kms_master_key_id = var.event_reciever_kms_key_arn + kms_data_key_reuse_period_seconds = 300 visibility_timeout_seconds = var.queue_visibility_timeout @@ -23,11 +23,11 @@ resource "aws_sqs_queue_policy" "receive_events_queue_policy" { } resource "aws_sqs_queue" "receive_events_deadletter" { - count = var.event_bus_enabled ? 1 : 0 - name = "${var.environment_name}-receive-events-deadletter" - // kms_master_key_id = var.event_reciever_kms_key_arn - // kms_data_key_reuse_period_seconds = 300 - provider = aws.region + count = var.event_bus_enabled ? 1 : 0 + name = "${var.environment_name}-receive-events-deadletter" + kms_master_key_id = var.event_reciever_kms_key_arn + kms_data_key_reuse_period_seconds = 300 + provider = aws.region } resource "aws_sqs_queue_redrive_allow_policy" "receive_events_redrive_allow_policy" { From 275bd2095f21fcd6df786a81ede22c14a0928f21 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 8 Jan 2025 15:27:20 +0000 Subject: [PATCH 28/35] conditionally create resources in upper environments --- terraform/environment/lambda.tf | 5 +++++ terraform/environment/region/modules/event_bus/outputs.tf | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 5e3534fbb5..da28eb5fcf 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf 
@@ -140,9 +140,14 @@ resource "aws_lambda_event_source_mapping" "receive_events_mapping" { } resource "aws_lambda_permission" "receive_events_permission" { + count = length(local.receive_events_sqs_queue_arn) > 0 ? 1 : 0 statement_id = "AllowExecutionFromSQS" action = "lambda:InvokeFunction" function_name = module.event_receiver.lambda_name principal = "sqs.amazonaws.com" source_arn = module.eu_west_1[0].receive_events_sqs_queue_arn[0] } + +locals { + receive_events_sqs_queue_arn = try(module.eu_west_1[0].receive_events_sqs_queue_arn, []) +} diff --git a/terraform/environment/region/modules/event_bus/outputs.tf b/terraform/environment/region/modules/event_bus/outputs.tf index 3c07ec78b6..6336594a4d 100644 --- a/terraform/environment/region/modules/event_bus/outputs.tf +++ b/terraform/environment/region/modules/event_bus/outputs.tf @@ -10,5 +10,5 @@ output "receive_events_sqs_queue_arn" { output "receive_events_bus_arn" { description = "The ARN of the event bus created by the event_bus module." - value = aws_cloudwatch_event_bus.main[0].arn + value = aws_cloudwatch_event_bus.main[*].arn } From c67b8d69c3b2601cd4def444d0f5b4a896e4515f Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 8 Jan 2025 16:26:28 +0000 Subject: [PATCH 29/35] conditionally create resources --- terraform/environment/lambda.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index da28eb5fcf..f234a2b23f 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -90,6 +90,7 @@ resource "aws_lambda_permission" "cloudwatch_to_update_statistics_lambda" { } module "event_receiver" { + count = local.environment.event_bus_enabled ? 1 : 0 source = "./modules/lambda" lambda_name = "event-receiver" environment_variables = { 
@@ -105,13 +106,15 @@ module "event_receiver" { } resource "aws_iam_role_policy" "lambda_event_receiver" { + count = local.environment.event_bus_enabled ? 1 : 0 name = "${local.environment_name}-lambda-event-receiver" - role = module.event_receiver.lambda_role.name - policy = data.aws_iam_policy_document.lambda_event_receiver.json + role = module.event_receiver[0].lambda_role.name + policy = data.aws_iam_policy_document.lambda_event_receiver[0].json } data "aws_iam_policy_document" "lambda_event_receiver" { + count = local.environment.event_bus_enabled ? 1 : 0 statement { sid = "${local.environment_name}EventReceiverSQS" effect = "Allow" @@ -134,20 +137,17 @@ data "aws_iam_policy_document" "lambda_event_receiver" { } resource "aws_lambda_event_source_mapping" "receive_events_mapping" { + count = local.environment.event_bus_enabled ? 1 : 0 event_source_arn = module.eu_west_1[0].receive_events_sqs_queue_arn[0] - function_name = module.event_receiver.lambda_name + function_name = module.event_receiver[0].lambda_name enabled = true } resource "aws_lambda_permission" "receive_events_permission" { - count = length(local.receive_events_sqs_queue_arn) > 0 ? 1 : 0 + count = local.environment.event_bus_enabled ? 1 : 0 statement_id = "AllowExecutionFromSQS" action = "lambda:InvokeFunction" - function_name = module.event_receiver.lambda_name + function_name = module.event_receiver[0].lambda_name principal = "sqs.amazonaws.com" source_arn = module.eu_west_1[0].receive_events_sqs_queue_arn[0] } - -locals { - receive_events_sqs_queue_arn = try(module.eu_west_1[0].receive_events_sqs_queue_arn, []) -} From 51b9234eb49acf9ff99230cc0467f7d4efd4409e Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Wed, 8 Jan 2025 16:28:31 +0000 Subject: [PATCH 30/35] remove old kms --- terraform/environment/shared_data_sources.tf | 4 ---- 1 file changed, 4 deletions(-) 
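Review bot: `aws_lambda_permission.receive_events_permission` in the second hunk grants `sqs.amazonaws.com` `lambda:InvokeFunction`, but to my knowledge an SQS event source mapping never consults a resource-based policy: the Lambda poller invokes the function itself and reads the queue with the execution role, which is exactly what the `sqs:ReceiveMessage`/`DeleteMessage`/`GetQueueAttributes` statement in `data.aws_iam_policy_document.lambda_event_receiver` provides. The permission is therefore a dead grant that every least-privilege review will question again; I would delete the resource, or if it is kept deliberately, say why: `# NOTE: not required for SQS event source mappings; kept because …`. The event source mapping also sets no `function_response_types = ["ReportBatchItemFailures"]`, so one poison message fails and replays the whole batch — worth an explicit decision given a dead-letter queue exists for this queue. The `data "aws_iam_policy_document"` block that this hunk tails begins in the previous hunk.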
diff --git a/terraform/environment/shared_data_sources.tf b/terraform/environment/shared_data_sources.tf index 6186ad7c2e..72bba979a9 100644 --- a/terraform/environment/shared_data_sources.tf +++ b/terraform/environment/shared_data_sources.tf @@ -24,10 +24,6 @@ data "aws_ecr_repository" "mock_onelogin" { name = "mock-onelogin" } -data "aws_kms_alias" "sqs" { - name = "alias/sqs-mrk" -} - module "allow_list" { source = "git@github.com:ministryofjustice/terraform-aws-moj-ip-allow-list.git?ref=v2.3.0" } From 6db8e0ad6e88adb07d706895ceb4f3fec17f0d1f Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 9 Jan 2025 10:03:39 +0000 Subject: [PATCH 31/35] use correct kms key --- terraform/environment/lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index f234a2b23f..dfb7f4033b 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -132,7 +132,7 @@ data "aws_iam_policy_document" "lambda_event_receiver" { actions = [ "kms:Decrypt" ] - resources = [data.aws_kms_alias.sqs.arn] + resources = [data.aws_kms_alias.event_receiver.arn] } } From d44a3b619bf04665233642fcd3f46435c67df954 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Thu, 9 Jan 2025 15:34:45 +0000 Subject: [PATCH 32/35] allow describe key on lambda role --- terraform/environment/lambda.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index dfb7f4033b..444355a240 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -127,10 +127,11 @@ data "aws_iam_policy_document" "lambda_event_receiver" { } statement { - sid = "${local.environment_name}SQSKMSDecrypt" + sid = "${local.environment_name}KMSDecrypt" effect = "Allow" actions = [ - "kms:Decrypt" + "kms:Decrypt", + "kms:DescribeKey" ] resources = [data.aws_kms_alias.event_receiver.arn] } 
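Review bot: `data.aws_kms_alias.event_receiver.arn` in the PATCH 31 hunk is an alias ARN (`arn:aws:kms:…:alias/…`), and IAM matches `kms:Decrypt` only against the key ARN, so the statement plans cleanly but authorises nothing for the queue's key; the series only reaches the working form, `data.aws_kms_alias.event_receiver.target_key_arn`, in PATCH 34 after passing through `resources = ["*"]` in PATCH 33, and those four commits would be better squashed so the wildcard grant never lands in history. Note also that the preceding commit (PATCH 30) deleted `data.aws_kms_alias.sqs` while lambda.tf still referenced `data.aws_kms_alias.sqs.arn` until this hunk, so PATCH 30 does not plan on its own and should be folded in here too. The enclosing `data "aws_iam_policy_document" "lambda_event_receiver"` block starts outside the hunk.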
From 2320b4d5f99fdfaf9788a24e6e01b8cf561ba08d Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 10 Jan 2025 09:57:28 +0000 Subject: [PATCH 33/35] allow decrypt on * --- terraform/environment/lambda.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 444355a240..58892f5251 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -121,7 +121,7 @@ data "aws_iam_policy_document" "lambda_event_receiver" { actions = [ "sqs:ReceiveMessage", "sqs:DeleteMessage", - "sqs:GetQueueAttributes" + "sqs:GetQueueAttributes", ] resources = [module.eu_west_1[0].receive_events_sqs_queue_arn[0]] } @@ -133,7 +133,7 @@ data "aws_iam_policy_document" "lambda_event_receiver" { "kms:Decrypt", "kms:DescribeKey" ] - resources = [data.aws_kms_alias.event_receiver.arn] + resources = ["*"] } } From dfca208fcda4ae26d4bce86a8f0eff3e297e1c3f Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 10 Jan 2025 10:16:36 +0000 Subject: [PATCH 34/35] try specific target key arn --- terraform/environment/lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/lambda.tf b/terraform/environment/lambda.tf index 58892f5251..3bf53a7d06 100644 --- a/terraform/environment/lambda.tf +++ b/terraform/environment/lambda.tf @@ -133,7 +133,7 @@ data "aws_iam_policy_document" "lambda_event_receiver" { "kms:Decrypt", "kms:DescribeKey" ] - resources = ["*"] + resources = [data.aws_kms_alias.event_receiver.target_key_arn] } } From 9b05d9fa37dd9fa713aad69169770a36194b1c26 Mon Sep 17 00:00:00 2001 From: Jay Whitwell Date: Fri, 10 Jan 2025 10:37:43 +0000 Subject: [PATCH 35/35] update account ids --- terraform/environment/region/modules/event_bus/bus.tf | 1 - terraform/environment/terraform.tfvars.json | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) 
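Review bot: The move to `target_key_arn` in the PATCH 34 hunk is the right scope (a key ARN rather than the alias, and no longer `*`), but the commit title "try specific target key arn" and the preceding wildcard experiment suggest the reason was not clear at the time; a why-comment will stop the next person widening it again: `# IAM matches kms:* against the key ARN only; the alias ARN never matches and "*" is over-broad`. Keep in mind an identity policy is only half of KMS authorisation — the key's own policy must also permit this account or role to `kms:Decrypt`; the key policy is not visible in this series, so please confirm. The enclosing `data "aws_iam_policy_document"` block starts outside the hunk.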
diff --git a/terraform/environment/region/modules/event_bus/bus.tf b/terraform/environment/region/modules/event_bus/bus.tf index 3ccac565f0..565b323606 100644 --- a/terraform/environment/region/modules/event_bus/bus.tf +++ b/terraform/environment/region/modules/event_bus/bus.tf @@ -11,7 +11,6 @@ resource "aws_cloudwatch_event_archive" "main" { provider = aws.region } - resource "aws_cloudwatch_event_rule" "receive_events_from_mlpa" { count = var.event_bus_enabled ? 1 : 0 name = "${var.environment_name}-mlpa-events-to-use" diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json index c10a70f106..bdc47d8778 100644 --- a/terraform/environment/terraform.tfvars.json +++ b/terraform/environment/terraform.tfvars.json @@ -357,7 +357,7 @@ "ship_metrics_queue_enabled": false, "sirius_account_id": "288342028542", "receive_account_ids": [ - "653761790766" + "792093328875" ], "load_balancer_deletion_protection_enabled": true, "notify_key_secret_name": "notify-api-key", @@ -459,7 +459,7 @@ "ship_metrics_queue_enabled": false, "sirius_account_id": "649098267436", "receive_account_ids": [ - "653761790766" + "313879017102" ], "load_balancer_deletion_protection_enabled": true, "notify_key_secret_name": "notify-api-key",
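Review bot: The two `receive_account_ids` values are the only thing standing between an arbitrary AWS account and `events:PutEvents` on each environment's bus, so the commit message should say which MLPA environment each new account is and where that was verified — the old value 653761790766 was shared by both environments while the new ones differ, which looks like the intended per-environment split, but nothing here confirms it. If the bus policy grants these as whole-account principals, as the variable name suggests, any role in 792093328875 or 313879017102 can publish any event to the bus (and to any archive attached to it); a condition on `events:source` matching the source the receive rule already filters on, or naming the sending role, would narrow that, though that change belongs in bus.tf rather than this hunk. tfvars.json is strict JSON and cannot carry the rationale inline, so the variable description in variables.tf or a README is the place for it.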