From 68c2de6f456520def711163c312c1b7878f4ba4c Mon Sep 17 00:00:00 2001 From: Gary <26419401+Gary-H9@users.noreply.github.com> Date: Thu, 9 Jan 2025 17:50:39 +0000 Subject: [PATCH] =?UTF-8?q?=CE=BB:=20Add=20JML=20Lambda=20to=20APDP=20(#65?= =?UTF-8?q?23)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * λ: Add JML Lambda to APDP Co-authored-by: Jacob Woffenden --------- Co-authored-by: Ministry of Justice Data Platform Robot <125977389+moj-data-platform-robot@users.noreply.github.com> Co-authored-by: Jacob Woffenden --- .github/dependabot.yml | 1 + .../.terraform.lock.hcl | 85 +++++++++++++++++++ .../cloudwatch-event-rules.tf | 4 + .../joiners-movers-leavers/data.tf | 17 ++++ .../lambda-functions.tf | 68 +++++++++++++++ .../joiners-movers-leavers/secrets.tf | 13 +++ .../joiners-movers-leavers/terraform.tf | 42 +++++++++ .../joiners-movers-leavers/terraform.tfvars | 15 ++++ .../joiners-movers-leavers/variables.tf | 9 ++ 9 files changed, 254 insertions(+) create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/.terraform.lock.hcl create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/cloudwatch-event-rules.tf create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/data.tf create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/lambda-functions.tf create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/secrets.tf create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tf create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfvars create mode 100644 terraform/aws/analytical-platform-data-production/joiners-movers-leavers/variables.tf diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0ce2cf9600..2103de88db 100644 
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -58,6 +58,7 @@ updates:
 - "terraform/aws/analytical-platform-data-production/github-actions-roles"
 - "terraform/aws/analytical-platform-data-production/hmcts-sdp-direct-connect"
 - "terraform/aws/analytical-platform-data-production/ingestion-egress"
+ - "terraform/aws/analytical-platform-data-production/joiners-movers-leavers"
 - "terraform/aws/analytical-platform-data-production/lakeformation-external-data/digital-prisons-reporting-preproduction"
 - "terraform/aws/analytical-platform-data-production/openmetadata"
 - "terraform/aws/analytical-platform-data-production/powerbi-gateway"
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/.terraform.lock.hcl b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/.terraform.lock.hcl
new file mode 100644
index 0000000000..240552b0eb
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/.terraform.lock.hcl
@@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.82.2" + constraints = "5.82.2" + hashes = [ + "h1:ERlzacp7dxBqlMqk1mVwsZvRE0kxpWOK3EeexukKEoY=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + "zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + "zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.4" + constraints = ">= 1.0.0" + hashes = [ + "h1:8mByRL3zDm50yiEXMrKtWC2FaLwuvvyjKI+eWuD1dn0=", + "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", + "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", + "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", + "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", + "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", + "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", 
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", + "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", + "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", + "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", + "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + constraints = ">= 1.0.0" + hashes = [ + "h1:6XyefmvbkprppmYbGmMcQW5NB4w6C363SSShzuhF4R0=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 2.0.0" + hashes = [ + "h1:obXguGZUWtNAO09f1f9Cb7hsPCOGXuGdN8bn/ohKRBQ=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + 
"zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
+ "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+ "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+ "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+ "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+ "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+ ]
+}
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/cloudwatch-event-rules.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/cloudwatch-event-rules.tf
new file mode 100644
index 0000000000..6772efa8ba
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/cloudwatch-event-rules.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_event_rule" "jml_lambda_trigger" {
+ name = "jml-lambda-trigger"
+ schedule_expression = "cron(0 2 1 * ? *)"
+}
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/data.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/data.tf
new file mode 100644
index 0000000000..fc7d5f9923
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/data.tf
@@ -0,0 +1,17 @@
+data "aws_caller_identity" "session" {
+ provider = aws.session
+}
+
+data "aws_iam_session_context" "session" {
+ provider = aws.session
+
+ arn = data.aws_caller_identity.session.arn
+}
+
+data "aws_secretsmanager_secret_version" "govuk_notify_api_key" {
+ secret_id = aws_secretsmanager_secret.govuk_notify_api_key.id
+}
+
+data "aws_secretsmanager_secret_version" "jml_email" {
+ secret_id = aws_secretsmanager_secret.jml_email.id
+}
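Review bot: The event rule carries no `description`, so the cron expression is the only statement of what the schedule means; EventBridge cron runs in UTC, so `description = "Monthly JML extract run, 02:00 UTC on the 1st of the month"` would make the intent readable without decoding `cron(0 2 1 * ? *)`. No `state` is set, so the rule is enabled as soon as it is created.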
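Review bot: The two `aws_secretsmanager_secret_version` data sources read the secret values into the plan and the state file, yet the only consumer (`SECRET_ID` and `EMAIL_SECRET` in lambda-functions.tf) uses their `.id`, and that attribute is, as far as I recall, of the form `<secret-arn>|<version-id>` rather than a bare secret identifier, so a GetSecretValue call inside the function may not accept it. secrets.tf creates both secrets without any `aws_secretsmanager_secret_version`, so on a fresh apply there is no version to read and these two lookups will fail until the values have been seeded outside Terraform. Both issues disappear by referencing the secret resources directly — `SECRET_ID = aws_secretsmanager_secret.govuk_notify_api_key.arn` and `EMAIL_SECRET = aws_secretsmanager_secret.jml_email.arn` — and deleting these two data blocks, which also keeps the secret plaintext out of state.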
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/lambda-functions.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/lambda-functions.tf
new file mode 100644
index 0000000000..5f5c815c79
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/lambda-functions.tf
@@ -0,0 +1,68 @@
+#tfsec:ignore:avd-aws-0066:no need for tracing
+module "jml_extract_lambda" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+ source = "terraform-aws-modules/lambda/aws"
+ version = "7.20.0"
+
+ publish = true
+ create_package = false
+
+ function_name = "data_platform_jml_extract"
+ description = "Generates a JML report and sends it to JMLv4"
+ package_type = "Image"
+ memory_size = 512
+ timeout = 120
+ image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-jml-extract-lambda-ecr-repo:1.0.3"
+
+ environment_variables = {
+ SECRET_ID = data.aws_secretsmanager_secret_version.govuk_notify_api_key.id
+ LOG_GROUP_NAMES = "/aws/events/auth0/alpha-analytics-moj"
+ EMAIL_SECRET = data.aws_secretsmanager_secret_version.jml_email.id
+ TEMPLATE_ID = "de618989-db86-4d9a-aa55-4724d5485fa5"
+ }
+
+ attach_policy_statements = true
+ policy_statements = {
+ "cloudwatch" = {
+ sid = "CloudWatch"
+ effect = "Allow"
+ actions = [
+ "cloudwatch:GenerateQuery",
+ "logs:DescribeLogStreams",
+ "logs:DescribeLogGroups",
+ "logs:GetLogEvents",
+ "logs:StartQuery",
+ "logs:StopQuery",
+ "logs:GetQueryExecution",
+ "logs:GetQueryResults"
+ ]
+ resources = [
+ "${local.cloudwatch_log_group_arn}:*"
+ ]
+ }
+ "secretsmanager" = {
+ sid = "SecretsManager"
+ effect = "Allow"
+ actions = [
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:ListSecrets"
+ ]
+ resources = [
+ aws_secretsmanager_secret.govuk_notify_api_key.arn,
+ aws_secretsmanager_secret.jml_email.arn
+ ]
+ }
+ }
+
+ allowed_triggers = {
+ "eventbridge" = {
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.jml_lambda_trigger.arn
+ }
+ }
+}
+
+locals {
+ cloudwatch_log_group_arn = "arn:aws:logs:eu-west-2:593291632749:log-group:/aws/events/auth0/alpha-analytics-moj"
+}
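Review bot: `secretsmanager:ListSecrets` in the `secretsmanager` statement does not support resource-level permissions, so listing it against the two secret ARNs grants nothing; the function is already handed its secret identifiers through `SECRET_ID` and `EMAIL_SECRET`, so the action should simply be removed from the `actions` list, leaving `DescribeSecret` and `GetSecretValue`. The container image is pinned by the mutable tag `:1.0.3`; pinning by digest, `image_uri = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/data-platform-jml-extract-lambda-ecr-repo@sha256:<IMAGE_DIGEST>"` (placeholder), makes the deployed code immutable and checkable against the build that produced it. `local.cloudwatch_log_group_arn` hard-codes account `593291632749`, which terraform.tfvars already supplies, so `"arn:aws:logs:eu-west-2:${var.account_ids["analytical-platform-data-production"]}:log-group:/aws/events/auth0/alpha-analytics-moj"` avoids a second copy of the ID, and the same log group path could then feed `LOG_GROUP_NAMES` from one local rather than being repeated.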
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/secrets.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/secrets.tf
new file mode 100644
index 0000000000..282ffea670
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/secrets.tf
@@ -0,0 +1,13 @@
+#tfsec:ignore:avd-aws-0098 CMK not required currently
+resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
+ # checkov:skip=CKV2_AWS_57:These won't be rotated in the traditional manner
+ # checkov:skip=CKV_AWS_149:No KMS key needed as per above, these won't be rotated
+ name = "gov-uk-notify/production/api-key"
+}
+
+#tfsec:ignore:avd-aws-0098 CMK not required currently
+resource "aws_secretsmanager_secret" "jml_email" {
+ # checkov:skip=CKV2_AWS_57:These won't be rotated in the traditional manner
+ # checkov:skip=CKV_AWS_149:No KMS key needed as per above, these won't be rotated
+ name = "jml/email"
+}
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tf
new file mode 100644
index 0000000000..bb2c4afb7a
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tf
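Review bot: Neither secret has a `description`, and the patch declares no `aws_secretsmanager_secret_version` for either, so the values appear to be populated outside Terraform without anything in the file saying so. A one-line `description` on each, e.g. `description = "GOV.UK Notify API key read by the JML extract Lambda"`, plus a comment above the block naming where the value is seeded from, would document the dependency the checkov skip comments leave implicit. The existing skips justify the missing CMK and rotation but say nothing about provenance of the value.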
@@ -0,0 +1,42 @@
+terraform {
+ backend "s3" {
+ acl = "private"
+ bucket = "global-tf-state-aqsvzyd5u9"
+ encrypt = true
+ key = "aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfstate"
+ region = "eu-west-2"
+ dynamodb_table = "global-tf-state-aqsvzyd5u9-locks"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.82.2"
+ }
+ }
+ required_version = "~> 1.5"
+}
+
+provider "aws" {
+ alias = "session"
+}
+
+provider "aws" {
+ region = "eu-west-1"
+ assume_role {
+ role_arn = "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:role/GlobalGitHubActionAdmin"
+ }
+ default_tags {
+ tags = var.tags
+ }
+}
+
+provider "aws" {
+ alias = "analytical-platform-management-production"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = can(regex("AdministratorAccess", data.aws_iam_session_context.session.issuer_arn)) ? null : "arn:aws:iam::${var.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAdmin"
+ }
+ default_tags {
+ tags = var.tags
+ }
+}
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfvars b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfvars
new file mode 100644
index 0000000000..c398e287ab
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/terraform.tfvars
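Review bot: The default `aws` provider sets `region = "eu-west-1"`, while every other region-bearing value in this patch — the ECR `image_uri`, `local.cloudwatch_log_group_arn` and the backend — is `eu-west-2`; the Lambda module in lambda-functions.tf uses this default provider, and Lambda requires a container image to be in the same region as the function, so as written the apply is likely to fail or to place the function in a region with no access to the log group it queries. Unless eu-west-1 is deliberate, `region = "eu-west-2"` is the fix. The `analytical-platform-management-production` aliased provider (and the `aws_iam_session_context` lookup it depends on) is not referenced anywhere in this patch, so it should either be removed or carry a comment saying what it is reserved for. The image also lives in account `374269020027` rather than the data-production account; a cross-account pull needs the ECR repository policy to permit Lambda in this account, which nothing in the patch shows.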
@@ -0,0 +1,15 @@
+account_ids = {
+ analytical-platform-data-production = "593291632749"
+ analytical-platform-management-production = "042130406152"
+}
+
+tags = {
+ business-unit = "Platforms"
+ application = "Analytical Platform"
+ component = "Joiners Movers Leavers Lambda"
+ environment = "production"
+ is-production = "true"
+ owner = "analytical-platform:analytical-platform@digital.justice.gov.uk"
+ infrastructure-support = "analytical-platform:analytical-platform@digital.justice.gov.uk"
+ source-code = "github.com/ministryofjustice/data-platform/terraform/aws/analytical-platform-data-production/joiners-movers-leavers"
+}
diff --git a/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/variables.tf b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/variables.tf
new file mode 100644
index 0000000000..05c621dfe1
--- /dev/null
+++ b/terraform/aws/analytical-platform-data-production/joiners-movers-leavers/variables.tf
@@ -0,0 +1,9 @@
+variable "account_ids" {
+ type = map(string)
+ description = "Map of account names to account IDs"
+}
+
+variable "tags" {
+ type = map(string)
+ description = "Map of tags to apply to resources"
+}