From 038d8a151825c7b805df57b48165ba2890394631 Mon Sep 17 00:00:00 2001
From: Matthew Price
Date: Mon, 25 Nov 2024 15:50:05 +0000
Subject: [PATCH] Add kms key generation for use with landing bucket (#8755)

* Add kms key generation for use with landing bucket
* Change kms permission to use lambda role not lambda
* Add cross account encyption grant
* Add lambda decrypt
* alternate lambda policy
* Final tidy
* Remove context as lamdba would need to use context also.
---
.../modules/landing_bucket/main.tf | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)

diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf
index 1438a386f02..3560af40d81 100644
--- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf
+++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf
@@ -77,6 +77,46 @@ module "this-bucket" { ) } +#----------------------------------------------------------------------------------- +# KMS - customer managed key for use with cross account data +#----------------------------------------------------------------------------------- + +module "kms_key" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.1" + + aliases = ["s3/landing_bucket_${var.data_feed}_${var.order_type}"] + description = "${var.data_feed} ${var.order_type} landing bucket KMS key" + + # Give full access to key for root account, and lambda role ability to use. + enable_default_policy = true + key_users = [aws_iam_role.process_landing_bucket_files.arn] + + deletion_window_in_days = 7 + + # Grant external account role specific operations. + # To view grants, need to use cli: + # aws kms list-grants --region=eu-west-2 --key-id + grants = var.cross_account_access_role != null ? { + cross_account_access_role = { + grantee_principal = "arn:aws:iam::${var.cross_account_access_role.account_number}:role/${var.cross_account_access_role.role_name}" + operations = [ + "Encrypt", + "GenerateDataKey", + ] + } + } : {} + + tags = merge( + var.local_tags, + { order_type = var.order_type }, + { data_feed = var.data_feed } + ) +} + #----------------------------------------------------------------------------------- # Process landing bucket files - lambda triggers #----------------------------------------------------------------------------------- 
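Review bot: Nothing in this hunk ties the new key to the landing bucket itself — `module "this-bucket"` (whose body starts outside the hunk and ends just above the insertion) is not changed to use `module.kms_key.key_arn` for default SSE-KMS, and no bucket policy condition on `s3:x-amz-server-side-encryption-aws-kms-key-id` is added, so objects uploaded by the cross-account role can still land under SSE-S3 and the Encrypt/GenerateDataKey grant goes unused; if that wiring lives in another file, a comment on `module "kms_key"` pointing to it would help the next reader. `deletion_window_in_days = 7` is the shortest window KMS permits, and once a deletion is scheduled every object encrypted under the key becomes unreadable after it elapses, so consider `deletion_window_in_days = 30` unless the short window is deliberate. The CLI hint `# aws kms list-grants --region=eu-west-2 --key-id` is missing its argument; `# aws kms list-grants --region eu-west-2 --key-id <key-id>` reads as intended.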
@@ -155,6 +195,17 @@ data "aws_iam_policy_document" "process_landing_bucket_files_s3_policy_document"
 "arn:aws:s3:::${var.received_files_bucket_id}/*",
 ]
 }
+
+ statement {
+ sid = "KMSDecryptObjects"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ ]
+ resources = [
+ module.kms_key.key_arn,
+ ]
+ }
 }
 
 resource "aws_iam_policy" "process_landing_bucket_files_s3" {
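Review bot: The new `KMSDecryptObjects` statement grants the lambda role only `kms:Decrypt`, which covers reading objects from the landing bucket but not writing KMS-encrypted ones — if `process_landing_bucket_files` copies files into `var.received_files_bucket_id` (the `/*` resource just above) and that bucket is encrypted under this or another CMK, `kms:GenerateDataKey` is also required and the gap will only surface at runtime as an AccessDenied on the write. The key-policy side appears to be handled by `key_users` on `module.kms_key` in the earlier hunk (assuming the module's key-users statement covers the usual crypto operations — worth confirming), so this IAM statement is the effective limit on what the role can do with the key. The enclosing `data "aws_iam_policy_document"` block starts outside the hunk. A one-line comment on the statement, `# Decrypt only: the role reads from the landing bucket; add kms:GenerateDataKey if it writes under a CMK`, would record the intent either way.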