λ: Add JML Lambda to APDP (#6523)

* λ: Add JML Lambda to APDP

Co-authored-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

---------

Co-authored-by: Ministry of Justice Data Platform Robot <125977389+moj-data-platform-robot@users.noreply.github.com>
Co-authored-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

.github/dependabot.yml

@@ -58,6 +58,7 @@ updates:
       - "terraform/aws/analytical-platform-data-production/github-actions-roles"
       - "terraform/aws/analytical-platform-data-production/hmcts-sdp-direct-connect"
       - "terraform/aws/analytical-platform-data-production/ingestion-egress"
+      - "terraform/aws/analytical-platform-data-production/joiners-movers-leavers"
       - "terraform/aws/analytical-platform-data-production/lakeformation-external-data/digital-prisons-reporting-preproduction"
       - "terraform/aws/analytical-platform-data-production/openmetadata"
       - "terraform/aws/analytical-platform-data-production/powerbi-gateway"

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/cloudwatch-event-rules.tf

@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_event_rule" "jml_lambda_trigger" {
+  name                = "jml-lambda-trigger"
+  schedule_expression = "cron(0 2 1 * ? *)"
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/data.tf

@@ -0,0 +1,17 @@
+data "aws_caller_identity" "session" {
+  provider = aws.session
+}
+
+data "aws_iam_session_context" "session" {
+  provider = aws.session
+
+  arn = data.aws_caller_identity.session.arn
+}
+
+data "aws_secretsmanager_secret_version" "govuk_notify_api_key" {
+  secret_id = aws_secretsmanager_secret.govuk_notify_api_key.id
+}
+
+data "aws_secretsmanager_secret_version" "jml_email" {
+  secret_id = aws_secretsmanager_secret.jml_email.id
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/lambda-functions.tf

@@ -0,0 +1,68 @@
+#tfsec:ignore:avd-aws-0066:no need for tracing
+module "jml_extract_lambda" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "7.20.0"
+
+  publish        = true
+  create_package = false
+
+  function_name = "data_platform_jml_extract"
+  description   = "Generates a JML report and sends it to JMLv4"
+  package_type  = "Image"
+  memory_size   = 512
+  timeout       = 120
+  image_uri     = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-jml-extract-lambda-ecr-repo:1.0.3"
+
+  environment_variables = {
+    SECRET_ID       = data.aws_secretsmanager_secret_version.govuk_notify_api_key.id
+    LOG_GROUP_NAMES = "/aws/events/auth0/alpha-analytics-moj"
+    EMAIL_SECRET    = data.aws_secretsmanager_secret_version.jml_email.id
+    TEMPLATE_ID     = "de618989-db86-4d9a-aa55-4724d5485fa5"
+  }
+
+  attach_policy_statements = true
+  policy_statements = {
+    "cloudwatch" = {
+      sid    = "CloudWatch"
+      effect = "Allow"
+      actions = [
+        "cloudwatch:GenerateQuery",
+        "logs:DescribeLogStreams",
+        "logs:DescribeLogGroups",
+        "logs:GetLogEvents",
+        "logs:StartQuery",
+        "logs:StopQuery",
+        "logs:GetQueryExecution",
+        "logs:GetQueryResults"
+      ]
+      resources = [
+        "${local.cloudwatch_log_group_arn}:*"
+      ]
+    }
+    "secretsmanager" = {
+      sid    = "SecretsManager"
+      effect = "Allow"
+      actions = [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:ListSecrets"
+      ]
+      resources = [
+        aws_secretsmanager_secret.govuk_notify_api_key.arn,
+        aws_secretsmanager_secret.jml_email.arn
+      ]
+    }
+  }
+
+  allowed_triggers = {
+    "eventbridge" = {
+      principal  = "events.amazonaws.com"
+      source_arn = aws_cloudwatch_event_rule.jml_lambda_trigger.arn
+    }
+  }
+}
+
+locals {
+  cloudwatch_log_group_arn = "arn:aws:logs:eu-west-2:593291632749:log-group:/aws/events/auth0/alpha-analytics-moj"
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/secrets.tf

@@ -0,0 +1,13 @@
+#tfsec:ignore:avd-aws-0098 CMK not required currently
+resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
+  # checkov:skip=CKV2_AWS_57:These won't be rotated in the traditional manner
+  # checkov:skip=CKV_AWS_149:No KMS key needed as per above, these won't be rotated
+  name = "gov-uk-notify/production/api-key"
+}
+
+#tfsec:ignore:avd-aws-0098 CMK not required currently
+resource "aws_secretsmanager_secret" "jml_email" {
+  # checkov:skip=CKV2_AWS_57:These won't be rotated in the traditional manner
+  # checkov:skip=CKV_AWS_149:No KMS key needed as per above, these won't be rotated
+  name = "jml/email"
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tf

@@ -0,0 +1,42 @@
+terraform {
+  backend "s3" {
+    acl            = "private"
+    bucket         = "global-tf-state-aqsvzyd5u9"
+    encrypt        = true
+    key            = "aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "global-tf-state-aqsvzyd5u9-locks"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.82.2"
+    }
+  }
+  required_version = "~> 1.5"
+}
+
+provider "aws" {
+  alias = "session"
+}
+
+provider "aws" {
+  region = "eu-west-1"
+  assume_role {
+    role_arn = "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "aws" {
+  alias  = "analytical-platform-management-production"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = can(regex("AdministratorAccess", data.aws_iam_session_context.session.issuer_arn)) ? null : "arn:aws:iam::${var.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfvars

@@ -0,0 +1,15 @@
+account_ids = {
+  analytical-platform-data-production       = "593291632749"
+  analytical-platform-management-production = "042130406152"
+}
+
+tags = {
+  business-unit          = "Platforms"
+  application            = "Analytical Platform"
+  component              = "Joiners Movers Leavers Lambda"
+  environment            = "production"
+  is-production          = "true"
+  owner                  = "analytical-platform:analytical-platform@digital.justice.gov.uk"
+  infrastructure-support = "analytical-platform:analytical-platform@digital.justice.gov.uk"
+  source-code            = "github.com/ministryofjustice/data-platform/terraform/aws/analytical-platform-data-production/joiners-movers-leavers"
+}

terraform/aws/analytical-platform-data-production/joiners-movers-leavers/variables.tf

@@ -0,0 +1,9 @@
+variable "account_ids" {
+  type        = map(string)
+  description = "Map of account names to account IDs"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Map of tags to apply to resources"
+}