CCM-10048: e2e test reliability (#536)

Author: alexnuttall

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -85,4 +85,33 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values   = ["arn:aws:sqs:${var.region}:${var.aws_account_id}:*-validate-letter-template-files-queue"]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:events:${var.region}:${var.aws_account_id}:rule/*-quarantine-scan-passed-for-upload"]
+    }
+  }
 }

infrastructure/terraform/components/app/module_kms.tf

@@ -106,4 +106,37 @@ data "aws_iam_policy_document" "kms" {
       ]
     }
   }
+
+  statement {
+    sid    = "AllowEventBridgeAccessToLetterValidationQueue"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:GenerateDataKey*",
+      "kms:Decrypt",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "ArnEquals"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      values = [
+        "arn:aws:sqs:${var.region}:${var.aws_account_id}:${local.csi}-validate-letter-template-files-queue"
+      ]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values = [
+        "arn:aws:events:${var.region}:${var.aws_account_id}:rule/${local.csi}-api-quarantine-scan-passed-for-upload"
+      ]
+    }
+  }
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -16,7 +16,6 @@ No requirements.
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_event_stream"></a> [enable\_event\_stream](#input\_enable\_event\_stream) | Enable DynamoDB streaming to SQS? | `bool` | `false` | no |
-| <a name="input_enable_guardduty"></a> [enable\_guardduty](#input\_enable\_guardduty) | Enable GuardDuty | `bool` | `true` | no |
 | <a name="input_enable_proofing"></a> [enable\_proofing](#input\_enable\_proofing) | Enable proofing feature flag | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_proof.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_proof.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,11 +21,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object_for_upload" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed_for_upload.name
   arn      = module.lambda_delete_failed_scanned_object.function_arn
-  role_arn = aws_iam_role.quarantine_scan_failed_for_upload.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -21,5 +21,4 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_process_proof" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_proof.name
   arn      = module.lambda_process_proof.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_proof.arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf

@@ -3,9 +3,9 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = [local.guardduty_source]
+    source      = ["aws.guardduty"]
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
-    resources   = [local.guardduty_resource]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
       s3ObjectDetails = {
         bucketName = [module.s3bucket_quarantine.id]
@@ -19,19 +19,16 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_set_file_virus_scan_status_for_upload.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_set_file_virus_scan_status_for_upload.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_copy_object_for_upload" {
-  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
-  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
+  rule = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
+  arn  = module.lambda_copy_scanned_object_to_internal.function_arn
 }
 
 resource "aws_cloudwatch_event_target" "quarantine_scan_passed_validate_files" {
   rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed_for_upload.name
   arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
-  role_arn = aws_iam_role.quarantine_scan_passed_for_upload.arn
 }

infrastructure/terraform/modules/backend-api/data_iam_policy_document_events_assume_role.tf

@@ -1,5 +1,7 @@
 resource "aws_guardduty_malware_protection_plan" "quarantine" {
-  count = var.enable_guardduty ? 1 : 0
+  depends_on = [
+    aws_iam_role_policy_attachment.guardduty_quarantine
+  ]
 
   role = aws_iam_role.guardduty_quarantine.arn