diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
index 0e88eec4335..b55b38d5f8f 100644
--- a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
@@ -1,4 +1,6 @@
 module "transfer_structured_logs" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
 version = "5.3.1"
diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf
index 49bbbf30bd4..4ba5508c9e1 100644
--- a/terraform/environments/analytical-platform-ingestion/data.tf
+++ b/terraform/environments/analytical-platform-ingestion/data.tf
@@ -1,2 +1 @@
-#### This file can be used to store data specific to the member account ####
 data "aws_availability_zones" "available" {}
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
index bf465400a1a..c129b6a6aaf 100644
--- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
+++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
@@ -20,15 +20,14 @@ locals {
 target_buckets = ["dev-ingestion-testing"]
 /* Transfer Server */
- transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk"
- transfer_server_sftp_users = {
- "jacobwoffenden" = {
- ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+3qaLVtn6Pd+DasWHhIOBoXEEhF9GZAG+DYfJBeySS Ministry of Justice"
- cidr_blocks = ["90.246.52.170/32"]
- },
- "garyhenderson" = {
- ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2lrI7AhZ9Sy/JAVDfPPEkCZawuuVJ7MHg6NNAwYImb"
- cidr_blocks = ["154.47.111.68/32"]
+ transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk"
+ transfer_server_sftp_users = {}
+ transfer_server_sftp_users_with_egress = {
+ "jacobwoffenden-egress" = {
+ ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+3qaLVtn6Pd+DasWHhIOBoXEEhF9GZAG+DYfJBeySS Ministry of Justice"
+ cidr_blocks = ["90.246.52.170/32"]
+ egress_bucket = module.bold_egress_bucket.s3_bucket_id
+ egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
 }
 }
 }
@@ -51,17 +50,9 @@ locals {
 target_buckets = ["dev-ingestion-testing"]
 /* Transfer Server */
- transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk"
- transfer_server_sftp_users = {
- "jacobwoffenden" = {
- ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+3qaLVtn6Pd+DasWHhIOBoXEEhF9GZAG+DYfJBeySS Ministry of Justice"
- cidr_blocks = ["90.246.52.170/32"]
- },
- "garyhenderson" = {
- ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2lrI7AhZ9Sy/JAVDfPPEkCZawuuVJ7MHg6NNAwYImb"
- cidr_blocks = ["154.47.111.68/32"]
- }
- }
+ transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk"
+ transfer_server_sftp_users = {}
+ transfer_server_sftp_users_with_egress = {}
 }
 }
 }
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
index bc915c2d657..31affbda391 100644
--- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf
+++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -1,5 +1,6 @@
 module "transfer_logs_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -39,6 +40,7 @@ module "transfer_logs_kms" {
 module "s3_landing_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -51,6 +53,7 @@ module "s3_landing_kms" {
 module "s3_processed_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -63,6 +66,7 @@ module "s3_processed_kms" {
 module "s3_quarantine_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -75,6 +79,7 @@ module "s3_quarantine_kms" {
 module "s3_definitions_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -87,6 +92,7 @@ module "s3_definitions_kms" {
 module "s3_bold_egress_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -115,6 +121,7 @@ module "s3_bold_egress_kms" {
 module "sns_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -127,6 +134,7 @@ module "sns_kms" {
 module "govuk_notify_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
@@ -139,6 +147,7 @@ module "govuk_notify_kms" {
 module "supplier_data_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/kms/aws"
 version = "2.2.1"
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
index 48642bcbd76..041525ab26e 100644
--- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -1,5 +1,6 @@
 module "definition_upload_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
 source = "terraform-aws-modules/lambda/aws"
 version = "7.2.1"
@@ -53,6 +54,7 @@ module "definition_upload_lambda" {
 module "scan_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
 source = "terraform-aws-modules/lambda/aws"
 version = "7.2.1"
@@ -123,6 +125,7 @@ module "scan_lambda" {
 module "transfer_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
 source = "terraform-aws-modules/lambda/aws"
 version = "7.2.1"
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
new file mode 100644
index 00000000000..73d1b712bb2
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
@@ -0,0 +1,108 @@
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "AllowKMS"
+ effect = "Allow"
+ actions = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt",
+ "kms:DescribeKey",
+ "kms:Decrypt",
+ ]
+ resources = [
+ var.landing_bucket_kms_key,
+ var.egress_bucket_kms_key
+ ]
+ }
+ statement {
+ sid = "AllowS3ListBucket"
+ effect = "Allow"
+ actions = ["s3:ListBucket"]
+ resources = [
+ "arn:aws:s3:::${var.landing_bucket}",
+ "arn:aws:s3:::${var.egress_bucket}"
+ ]
+ }
+ statement {
+ sid = "AllowS3LandingBucketObjectActions"
+ effect = "Allow"
+ actions = ["s3:PutObject"]
+ resources = ["arn:aws:s3:::${var.landing_bucket}/${var.name}/*"]
+ }
+ statement {
+ sid = "AllowS3EgressBucketObjectActions"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectVersion"
+ ]
+ resources = ["arn:aws:s3:::${var.egress_bucket}/${var.name}/*"]
+ }
+}
+
+module "policy" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "5.37.1"
+
+ name_prefix = "transfer-user-${var.name}"
+
+ policy = data.aws_iam_policy_document.this.json
+}
+
+module "role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "5.37.1"
+
+ create_role = true
+
+ role_name = "transfer-user-${var.name}"
+ role_requires_mfa = false
+
+ trusted_role_services = ["transfer.amazonaws.com"]
+
+ custom_role_policy_arns = [module.policy.arn]
+}
+
+resource "aws_transfer_user" "this" {
+ server_id = var.transfer_server
+ user_name = var.name
+ role = module.role.iam_role_arn
+
+ home_directory_type = "LOGICAL"
+ home_directory_mappings {
+ entry = "/upload"
+ target = "/${var.landing_bucket}/${var.name}"
+ }
+
+ home_directory_mappings {
+ entry = "/download"
+ target = "/${var.egress_bucket}/${var.name}"
+ }
+}
+
+resource "aws_transfer_ssh_key" "this" {
+ server_id = var.transfer_server
+ user_name = aws_transfer_user.this.user_name
+ body = var.ssh_key
+}
+
+resource "aws_security_group_rule" "this" {
+ type = "ingress"
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = var.cidr_blocks
+ security_group_id = var.transfer_server_security_group
+}
+
+resource "aws_secretsmanager_secret" "this" {
+ for_each = toset(["technical-contact", "data-contact", "target-bucket"])
+
+ name = "ingestion/sftp/${var.name}/${each.key}"
+ kms_key_id = var.supplier_data_kms_key
+}
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/variables.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/variables.tf
new file mode 100644
index 00000000000..ef90e07b762
--- /dev/null
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/variables.tf
@@ -0,0 +1,39 @@
+variable "name" {
+ type = string
+}
+
+variable "ssh_key" {
+ type = string
+}
+
+variable "cidr_blocks" {
+ type = list(string)
+}
+
+variable "transfer_server" {
+ type = string
+}
+
+variable "transfer_server_security_group" {
+ type = string
+}
+
+variable "landing_bucket" {
+ type = string
+}
+
+variable "landing_bucket_kms_key" {
+ type = string
+}
+
+variable "egress_bucket" {
+ type = string
+}
+
+variable "egress_bucket_kms_key" {
+ type = string
+}
+
+variable "supplier_data_kms_key" {
+ type = string
+}
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
index fc0e7f75edc..bb478606a16 100644
--- a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
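Review bot: The `AllowS3ListBucket` statement in the new `data "aws_iam_policy_document" "this"` grants `s3:ListBucket` on the whole landing and egress buckets with no `s3:prefix` condition, so an SFTP user can enumerate every other supplier's object keys even though the object-level statements below it are scoped to `${var.name}/*`; the same unconditioned `ListBucket` grant is visible in the sibling `modules/transfer-family/user/main.tf` hunk of this commit. A `condition` block limiting `s3:prefix` to the user's own prefix (shown below) brings listing in line with the object scoping. The `AllowKMS` statement also grants the encrypt-side actions (`kms:Encrypt`, `kms:GenerateDataKey*`, `kms:ReEncrypt*`) on the egress key the user only reads from, and `kms:Decrypt` on the landing key it only writes to; splitting it into a landing (encrypt) statement and an egress (decrypt) statement would mirror the two S3 object statements. `module "role"` trusts `transfer.amazonaws.com` with no source-account restriction, so it is worth checking whether the assumable-role module exposes a trust-policy condition, as AWS documents a confused-deputy mitigation for Transfer Family roles.
```hcl
  statement {
    sid     = "AllowS3ListBucket"
    effect  = "Allow"
    actions = ["s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.landing_bucket}",
      "arn:aws:s3:::${var.egress_bucket}"
    ]
    # Limit listing to this user's own prefix so other suppliers' keys are not enumerable
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${var.name}/*", var.name]
    }
  }
  # … unchanged: AllowKMS, AllowS3LandingBucketObjectActions and AllowS3EgressBucketObjectActions statements …
```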
@@ -11,7 +11,6 @@ data "aws_iam_policy_document" "this" {
 ]
 resources = [var.landing_bucket_kms_key]
 }
- # TODO: review the permissions
 statement {
 sid = "AllowS3ListBucket"
 effect = "Allow"
@@ -21,17 +20,17 @@ data "aws_iam_policy_document" "this" {
 "arn:aws:s3:::${var.landing_bucket}/${var.name}/*"
 ]
 }
- # TODO: review the permissions
 statement {
- sid = "AllowS3ObjectActions"
+ sid = "AllowS3LandingBucketObjectActions"
 effect = "Allow"
- actions = ["s3:*"]
+ actions = ["s3:PutObject"]
 resources = ["arn:aws:s3:::${var.landing_bucket}/${var.name}/*"]
 }
 }
 module "policy" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
 version = "5.37.1"
@@ -57,24 +56,10 @@ module "role" {
 }
 resource "aws_transfer_user" "this" {
- server_id = var.transfer_server
- user_name = var.name
- role = module.role.iam_role_arn
-
- # This doesn't work unless optimised directory is disabled, and that isn't available in Terraform
- # home_directory_type = "LOGICAL"
- # home_directory_mappings {
- # entry = "/upload"
- # target = "/${var.landing_bucket}/${var.name}/upload"
- # }
-
- # home_directory_mappings {
- # entry = "/download"
- # target = "/${var.landing_bucket}/${var.name}/download"
- # }
-
- # This works
- home_directory = "/${var.landing_bucket}/${var.name}" # TODO: do we need an SFTP specific landing bucket?
+ server_id = var.transfer_server
+ user_name = var.name
+ role = module.role.iam_role_arn
+ home_directory = "/${var.landing_bucket}/${var.name}"
 }
 resource "aws_transfer_ssh_key" "this" {
diff --git a/terraform/environments/analytical-platform-ingestion/observability-platform.tf b/terraform/environments/analytical-platform-ingestion/observability-platform.tf
index e74359a614c..f86498021d3 100644
--- a/terraform/environments/analytical-platform-ingestion/observability-platform.tf
+++ b/terraform/environments/analytical-platform-ingestion/observability-platform.tf
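Review bot: The third hunk of `modules/transfer-family/user/main.tf` deletes the comment recording why `home_directory_type = "LOGICAL"` was abandoned in this module ("doesn't work unless optimised directory is disabled"), while the new `user-with-egress` module added in this same commit relies on LOGICAL mappings; if the limitation still holds the egress module will hit it, and if it has since been resolved a one-line note such as `# Plain home_directory is kept here; LOGICAL mappings (with an egress share) live in the user-with-egress module` would save the next reader re-discovering the history. In the second hunk, the `AllowS3ListBucket` statement (its opening lines sit above the hunk) appears to list the object ARN `arn:aws:s3:::${var.landing_bucket}/${var.name}/*` in its `resources`; `s3:ListBucket` is a bucket-level action, so that entry is inert and the statement still permits listing the whole bucket unless an `s3:prefix` condition is added, as noted on the user-with-egress hunk. Narrowing `s3:*` to `s3:PutObject` is the right direction; it may be worth confirming with a large upload that multipart transfers still complete with `PutObject` alone.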
@@ -1,4 +1,6 @@
 module "observability_platform_tenant" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "ministryofjustice/observability-platform-tenant/aws"
 version = "1.0.0"
diff --git a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
index 66271190cc1..634640a4059 100644
--- a/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
+++ b/terraform/environments/analytical-platform-ingestion/s3-notifications.tf
@@ -1,4 +1,6 @@
 module "ingestion_landing_bucket_notification" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
@@ -14,6 +16,8 @@ module "ingestion_landing_bucket_notification" {
 }
 module "ingestion_transfer_bucket_notification" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws//modules/notification"
 version = "4.1.0"
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf
index 699bc6a42ec..8bb2da48efc 100644
--- a/terraform/environments/analytical-platform-ingestion/s3.tf
+++ b/terraform/environments/analytical-platform-ingestion/s3.tf
@@ -1,4 +1,6 @@
 module "landing_bucket" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.1.0"
@@ -17,6 +19,8 @@ module "landing_bucket" {
 }
 module "quarantine_bucket" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.1.0"
@@ -35,6 +39,8 @@ module "quarantine_bucket" {
 }
 module "definitions_bucket" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.1.0"
@@ -53,6 +59,8 @@ module "definitions_bucket" {
 }
 module "processed_bucket" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.1.0"
@@ -90,6 +98,8 @@ data "aws_iam_policy_document" "bold_egress_bucket_policy" {
 }
 module "bold_egress_bucket" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "4.1.0"
diff --git a/terraform/environments/analytical-platform-ingestion/secrets.tf b/terraform/environments/analytical-platform-ingestion/secrets.tf
index 3010c98f433..e378f4f3f36 100644
--- a/terraform/environments/analytical-platform-ingestion/secrets.tf
+++ b/terraform/environments/analytical-platform-ingestion/secrets.tf
@@ -1,8 +1,7 @@
-# TODO look at using https://registry.terraform.io/modules/terraform-aws-modules/secrets-manager/aws/latest
+# TODO: look at using https://registry.terraform.io/modules/terraform-aws-modules/secrets-manager/aws/latest
 resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
- name = "ingestion/govuk-notify/api-key"
- description = "This is Analytical Platform's GOV.UK Notify Team API key"
- kms_key_id = module.govuk_notify_kms.key_arn
+ name = "ingestion/govuk-notify/api-key"
+ kms_key_id = module.govuk_notify_kms.key_arn
 }
 resource "aws_secretsmanager_secret" "govuk_notify_templates" {
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
index 2b86b973d70..34787673408 100644
--- a/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
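Review bot: Dropping `description` from `aws_secretsmanager_secret.govuk_notify_api_key` in the `secrets.tf` hunk leaves the secret with no in-console indication of what it is for or which component depends on it, which is the first thing an on-call engineer or an access reviewer looks at. If the wording was the problem rather than the attribute, a neutral `description = "GOV.UK Notify API key used by Analytical Platform ingestion notifications"` keeps the discoverability without it.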
+++ b/terraform/environments/analytical-platform-ingestion/transfer-servers.tf
@@ -1,9 +1,8 @@
 resource "aws_transfer_server" "this" {
- protocols = ["SFTP"]
- identity_provider_type = "SERVICE_MANAGED"
- domain = "S3"
- post_authentication_login_banner = "Analytical Platform Ingestion - Development" # This doesn't work, at least on macOS SFTP client
+ protocols = ["SFTP"]
+ identity_provider_type = "SERVICE_MANAGED"
+ domain = "S3"
 endpoint_type = "VPC"
 endpoint_details {
diff --git a/terraform/environments/analytical-platform-ingestion/transfer-user.tf b/terraform/environments/analytical-platform-ingestion/transfer-user.tf
index 751d1f69264..74920ef6b2e 100644
--- a/terraform/environments/analytical-platform-ingestion/transfer-user.tf
+++ b/terraform/environments/analytical-platform-ingestion/transfer-user.tf
@@ -13,3 +13,21 @@ module "sftp_users" {
 landing_bucket_kms_key = module.s3_landing_kms.key_arn
 supplier_data_kms_key = module.supplier_data_kms.key_arn
 }
+
+module "sftp_users_with_egress" {
+ for_each = local.environment_configuration.transfer_server_sftp_users_with_egress
+
+ source = "./modules/transfer-family/user-with-egress"
+
+ name = each.key
+ ssh_key = each.value.ssh_key
+ cidr_blocks = each.value.cidr_blocks
+
+ transfer_server = aws_transfer_server.this.id
+ transfer_server_security_group = aws_security_group.transfer_server.id
+ landing_bucket = module.landing_bucket.s3_bucket_id
+ landing_bucket_kms_key = module.s3_landing_kms.key_arn
+ egress_bucket = each.value.egress_bucket
+ egress_bucket_kms_key = each.value.egress_bucket_kms_key
+ supplier_data_kms_key = module.supplier_data_kms.key_arn
+}
diff --git a/terraform/environments/analytical-platform-ingestion/vpc.tf b/terraform/environments/analytical-platform-ingestion/vpc.tf
index b1630531c99..3cb476a58f4 100644
--- a/terraform/environments/analytical-platform-ingestion/vpc.tf
+++ b/terraform/environments/analytical-platform-ingestion/vpc.tf
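Review bot: `module "sftp_users_with_egress"` in the `transfer-user.tf` hunk passes `each.key` as `name`, which both this module and the existing `module "sftp_users"` turn into the Transfer `user_name` on the same `aws_transfer_server.this` (both module bodies set `user_name = var.name`), and the egress module additionally derives `transfer-user-${var.name}` role/policy names and `ingestion/sftp/${var.name}/…` secret paths from it; a key present in both `transfer_server_sftp_users` and `transfer_server_sftp_users_with_egress` would therefore make Terraform try to create the same user twice. The locals in `environment-configuration.tf` keep the maps disjoint today (the single egress user is suffixed `-egress`), so a comment on this module call recording the constraint, e.g. `# Keys must be unique across transfer_server_sftp_users and transfer_server_sftp_users_with_egress: both maps share the server's user namespace and the ingestion/sftp/<name>/ secret paths`, would stop a future entry colliding silently. Each instance of the egress module also creates its own `aws_security_group_rule` on port 2222 for the user's `cidr_blocks`; two users sharing a CIDR would produce identical rules, which AWS typically rejects as duplicates, so that is worth checking as the maps grow.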
@@ -1,5 +1,6 @@
 module "vpc" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/vpc/aws"
 version = "~> 5.0"