VED-981 (Part 2) Add DLQ, redrive policy, and encryption to queues (#1203)

Author: dlzhry2nhs

infrastructure/instance/dynamodb.tf

@@ -56,8 +56,8 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" {
   name                        = "imms-${local.resource_scope}-delta"
   billing_mode                = "PAY_PER_REQUEST"
   hash_key                    = "PK"
-  stream_enabled              = true
-  stream_view_type            = "NEW_IMAGE"
+  stream_enabled              = var.mns_publisher_feature_enabled
+  stream_view_type            = var.mns_publisher_feature_enabled ? "NEW_IMAGE" : null
   deletion_protection_enabled = !local.is_temp
 
   attribute {

infrastructure/instance/environments/dev/internal-qa/variables.tfvars

@@ -3,5 +3,6 @@ immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
 pds_environment                   = "int"
 error_alarm_notifications_enabled = false
+mns_publisher_feature_enabled     = true
 create_mesh_processor             = false
 has_sub_environment_scope         = true

infrastructure/instance/environments/dev/pr/variables.tfvars

@@ -3,5 +3,6 @@ immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
 pds_environment                   = "int"
 error_alarm_notifications_enabled = false
+mns_publisher_feature_enabled     = true # Switch this off once tested fully e2e in Lambda branch
 create_mesh_processor             = false
 has_sub_environment_scope         = true

infrastructure/instance/environments/preprod/int-blue/variables.tfvars

@@ -3,6 +3,7 @@ immunisation_account_id           = "084828561157"
 dspp_core_account_id              = "603871901111"
 pds_environment                   = "int"
 error_alarm_notifications_enabled = true
+mns_publisher_feature_enabled     = true
 
 # mesh no invocation period metric set to 3 days (in seconds) for preprod environment i.e 3 * 24 * 60 * 60
 mesh_no_invocation_period_seconds = 259200

infrastructure/instance/environments/preprod/int-green/variables.tfvars

@@ -3,6 +3,7 @@ immunisation_account_id           = "084828561157"
 dspp_core_account_id              = "603871901111"
 pds_environment                   = "int"
 error_alarm_notifications_enabled = true
+mns_publisher_feature_enabled     = true
 
 # mesh no invocation period metric set to 3 days (in seconds) for preprod environment i.e 3 * 24 * 60 * 60
 mesh_no_invocation_period_seconds = 259200

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -4,6 +4,7 @@ dspp_core_account_id              = "232116723729"
 mns_account_id                    = "758334270304"
 pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
+mns_publisher_feature_enabled     = true
 
 # mesh no invocation period metric set to 1 day (in seconds) for prod environment i.e 1 * 24 * 60 * 60
 mesh_no_invocation_period_seconds = 86400

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -4,6 +4,7 @@ dspp_core_account_id              = "232116723729"
 mns_account_id                    = "758334270304"
 pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
+mns_publisher_feature_enabled     = true
 
 # mesh no invocation period metric set to 1 day (in seconds) for prod environment i.e 1 * 24 * 60 * 60
 mesh_no_invocation_period_seconds = 86400

infrastructure/instance/mns_publisher.tf

@@ -0,0 +1,22 @@
+module "mns_publisher" {
+  source = "./modules/mns_publisher"
+  count  = var.mns_publisher_feature_enabled ? 1 : 0
+
+  ddb_delta_stream_arn               = aws_dynamodb_table.delta-dynamodb-table.stream_arn
+  dynamo_kms_encryption_key_arn      = data.aws_kms_key.existing_dynamo_encryption_key.arn
+  enable_lambda_alarm                = var.error_alarm_notifications_enabled # consider just INT and PROD
+  immunisation_account_id            = var.immunisation_account_id
+  is_temp                            = local.is_temp
+  lambda_kms_encryption_key_arn      = data.aws_kms_key.existing_lambda_encryption_key.arn
+  mns_publisher_resource_name_prefix = "${local.resource_scope}-mns-outbound-events"
+
+  private_subnet_ids = local.private_subnet_ids
+  security_group_id  = data.aws_security_group.existing_securitygroup.id
+
+  shared_dir_sha              = local.shared_dir_sha
+  splunk_firehose_stream_name = module.splunk.firehose_stream_name
+
+  short_prefix = local.short_prefix
+
+  system_alarm_sns_topic_arn = data.aws_sns_topic.imms_system_alert_errors.arn
+}

…/instance/mns_outbound_events_eb_pipe.tf …publisher/mns_outbound_events_eb_pipe.tfinfrastructure/instance/mns_outbound_events_eb_pipe.tf renamed to infrastructure/instance/modules/mns_publisher/mns_outbound_events_eb_pipe.tf infrastructure/instance/mns_outbound_events_eb_pipe.tf renamed to infrastructure/instance/modules/mns_publisher/mns_outbound_events_eb_pipe.tf

@@ -1,6 +1,6 @@
 # IAM Role for EventBridge Pipe
 resource "aws_iam_role" "mns_outbound_events_eb_pipe" {
-  name = "${local.resource_scope}-mns-outbound-eventbridge-pipe-role"
+  name = "${var.mns_publisher_resource_name_prefix}-eventbridge-pipe-role"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -33,15 +33,15 @@ resource "aws_iam_role_policy" "mns_outbound_events_eb_pipe_source_policy" {
           "dynamodb:GetShardIterator",
           "dynamodb:ListStreams"
         ],
-        "Resource" : aws_dynamodb_table.delta-dynamodb-table.stream_arn
+        "Resource" : var.ddb_delta_stream_arn
       },
       {
         "Effect" : "Allow",
         "Action" : [
           "kms:Decrypt",
           "kms:GenerateDataKey"
         ],
-        "Resource" : data.aws_kms_key.existing_dynamo_encryption_key.arn
+        "Resource" : var.dynamo_kms_encryption_key_arn
       },
     ]
   })
@@ -79,15 +79,15 @@ resource "aws_iam_role_policy" "mns_outbound_events_eb_pipe_cw_log_policy" {
           "logs:PutLogEvents"
         ],
         Resource = [
-          "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/pipes/${local.resource_scope}-mns-outbound-event-pipe-logs:*",
+          "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/pipes/${var.mns_publisher_resource_name_prefix}-pipe-logs:*",
         ]
       },
     ]
   })
 }
 
 resource "aws_cloudwatch_log_group" "mns_outbound_events_eb_pipe" {
-  name              = "/aws/vendedlogs/pipes/${local.resource_scope}-mns-outbound-event-pipe-logs"
+  name              = "/aws/vendedlogs/pipes/${var.mns_publisher_resource_name_prefix}-pipe-logs"
   retention_in_days = 30
 }
 
@@ -97,9 +97,9 @@ resource "aws_pipes_pipe" "mns_outbound_events" {
     aws_iam_role_policy.mns_outbound_events_eb_pipe_target_policy,
     aws_iam_role_policy.mns_outbound_events_eb_pipe_cw_log_policy,
   ]
-  name     = "${local.resource_scope}-mns-outbound-events"
+  name     = "${var.mns_publisher_resource_name_prefix}-pipe"
   role_arn = aws_iam_role.mns_outbound_events_eb_pipe.arn
-  source   = aws_dynamodb_table.delta-dynamodb-table.stream_arn
+  source   = var.ddb_delta_stream_arn
   target   = aws_sqs_queue.mns_outbound_events.arn
 
   source_parameters {
@@ -112,7 +112,7 @@ resource "aws_pipes_pipe" "mns_outbound_events" {
     include_execution_data = ["ALL"]
     level                  = "ERROR"
     cloudwatch_logs_log_destination {
-      log_group_arn = aws_cloudwatch_log_group.pipe_log_group.arn
+      log_group_arn = aws_cloudwatch_log_group.mns_outbound_events_eb_pipe.arn
     }
   }
 }

infrastructure/instance/modules/mns_publisher/mns_outbound_events_kms_key.tf

@@ -0,0 +1,87 @@
+resource "aws_kms_key" "mns_outbound_events" {
+  description         = "KMS key for encrypting MNS outbound immunisation events in SQS"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "EnableRootPermissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.immunisation_account_id}:root"
+        },
+        Action = [
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion",
+          "kms:GenerateDataKey*",
+          "kms:Decrypt",
+          "kms:Tag*"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowSQSUseOfKey"
+        Effect = "Allow"
+        Principal = {
+          Service = "sqs.amazonaws.com"
+        }
+        Action = [
+          "kms:GenerateDataKey",
+          "kms:Decrypt"
+        ]
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:EncryptionContext:aws:sqs:queue_arn" = [
+              "arn:aws:sqs:${var.aws_region}:${var.immunisation_account_id}:${var.mns_publisher_resource_name_prefix}-queue",
+              "arn:aws:sqs:${var.aws_region}:${var.immunisation_account_id}:${var.mns_publisher_resource_name_prefix}-dead-letter-queue"
+            ]
+          }
+        }
+      },
+      {
+        Sid    = "AllowLambdaToDecrypt"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.immunisation_account_id}:role/${var.short_prefix}-mns-publisher-lambda-exec-role"
+        }
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowEventBridgePipesUseOfKey"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.immunisation_account_id}:role/${var.mns_publisher_resource_name_prefix}-eventbridge-pipe-role"
+        }
+        Action = [
+          "kms:GenerateDataKey",
+          "kms:Encrypt",
+          "kms:DescribeKey"
+
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_alias" "mns_outbound_events_key" {
+  name          = "alias/${var.mns_publisher_resource_name_prefix}-key"
+  target_key_id = aws_kms_key.mns_outbound_events.id
+}