CCM-7938 adding base module for Messaging Infrastructure

Author: aidenvaines-cgi

.gitignore

@@ -10,4 +10,4 @@ version.json
 *.code-workspace
 !project.code-workspace
 
-# Please, add your custom content below!
+infrastructure/modules/eventpub/lambda/*.zip

infrastructure/modules/eventpub/cloudwatch_log_group_kinesis_data_firehose.tf

@@ -0,0 +1,14 @@
+resource "aws_cloudwatch_log_group" "kinesis_data_firehose" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name              = "/aws/firehose/${local.csi}"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}
+
+resource "aws_cloudwatch_log_stream" "kinesis_data_firehose_extended_s3" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name           = "extended_s3"
+  log_group_name = aws_cloudwatch_log_group.kinesis_data_firehose[0].name
+}

infrastructure/modules/eventpub/cloudwatch_log_group_lambda.tf

@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_log_group" "lambda" {
+  name              = "/aws/lambda/${local.csi}"
+  retention_in_days = var.log_retention_in_days
+  kms_key_id        = var.kms_key_arn
+}

infrastructure/modules/eventpub/cloudwatch_log_group_sns_delivery_logging_failure.tf

@@ -0,0 +1,9 @@
+resource "aws_cloudwatch_log_group" "sns_delivery_logging_failure" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}/Failure"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/modules/eventpub/cloudwatch_log_group_sns_delivery_logging_success.tf

@@ -0,0 +1,9 @@
+resource "aws_cloudwatch_log_group" "sns_delivery_logging_success" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  # SNS doesn't allow specifying a log group and is derived as: sns/${region}/${account_id}/${name_of_sns_topic}/Failure
+  # (for failure logs)
+  name              = "sns/${var.region}/${var.aws_account_id}/${local.csi}"
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.log_retention_in_days
+}

infrastructure/modules/eventpub/data_archive_file_lambda.tf

@@ -0,0 +1,12 @@
+data "archive_file" "lambda" {
+  type        = "zip"
+  source_dir  = "${path.module}/lambda/eventpub/src"
+  output_path = "${path.module}/lambda/eventpub.zip"
+  excludes = [
+    # NodeJS Exclusions
+    "**/__tests__",
+    "**/node_modules",
+    "**/package.json",
+    "**/package-lock.json",
+  ]
+}

infrastructure/modules/eventpub/iam_policy_sns_delivery_logging_cloudwatch.tf

@@ -0,0 +1,44 @@
+resource "aws_iam_policy" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  name        = "${local.csi}-${var.name}-sns-delivery"
+  description = "Policy for ${local.csi}-${var.name} SNS Delivery Logging"
+  policy      = data.aws_iam_policy_document.sns_delivery_logging_cloudwatch[0].json
+}
+
+data "aws_iam_policy_document" "sns_delivery_logging_cloudwatch" {
+  count = var.enable_sns_delivery_logging ? 1 : 0
+
+  statement {
+    sid    = "KMSCloudwatchKeyAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowSNSDeliveryNotifications"
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:PutMetricFilter",
+      "logs:PutRetentionPolicy",
+    ]
+
+    resources = [
+      aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn,
+      "${aws_cloudwatch_log_group.sns_delivery_logging_success[0].arn}:log-stream:*",
+      aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn,
+      "${aws_cloudwatch_log_group.sns_delivery_logging_failure[0].arn}:log-stream:*",
+    ]
+  }
+}

infrastructure/modules/eventpub/iam_role_firehose_role.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_role" "firehose_role" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name               = "${local.csi}-firehose-role"
+  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
+}
+
+data "aws_iam_policy_document" "firehose_assume_role" {
+  count = var.enable_event_cache ? 1 : 0
+
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["firehose.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  role       = aws_iam_role.firehose_role[0].name
+  policy_arn = aws_iam_policy.s3_write_object[0].arn
+}
+
+resource "aws_iam_policy" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name        = "${local.csi}-${var.name}-s3-write-object"
+  description = "S3 Put Object policy for ${local.csi}-${var.name} Firehose"
+  policy      = data.aws_iam_policy_document.s3_write_object[0].json
+}
+
+data "aws_iam_policy_document" "s3_write_object" {
+  count = var.enable_event_cache ? 1 : 0
+
+  statement {
+    sid    = "AllowWriteObject"
+    effect = "Allow"
+
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_event_cache[0].arn}/*",
+    ]
+  }
+}

infrastructure/modules/eventpub/iam_role_lambda.tf

@@ -0,0 +1,83 @@
+resource "aws_iam_role" "lambda" {
+  name               = local.csi
+  assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json
+}
+
+resource "aws_iam_policy" "lambda" {
+  name   = local.csi
+  policy = data.aws_iam_policy_document.lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_lambda" {
+  role       = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.lambda.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_insights" {
+  role       = aws_iam_role.lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "lambda_assumerole" {
+  statement {
+    sid    = "LambdaAssumeRole"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "lambda.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+  }
+}
+
+# tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "lambda" {
+  statement {
+    sid    = "AllowLogging"
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = [
+      "${aws_cloudwatch_log_group.lambda.arn}:*",
+    ]
+  }
+
+  statement {
+    sid    = "PutEvents"
+    effect = "Allow"
+
+    actions = [
+      "events:PutEvents",
+    ]
+
+    resources = [
+      var.control_plane_bus_arn,
+      var.data_plane_bus_arn,
+    ]
+  }
+
+  statement {
+    sid    = "KMSCloudwatchKeyAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+}

infrastructure/modules/eventpub/iam_role_sns.tf

@@ -0,0 +1,51 @@
+resource "aws_iam_role" "sns_role" {
+  name               = "${local.csi}-sns-role"
+  assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
+}
+
+resource "aws_iam_policy" "firehose_delivery" {
+  count = var.enable_event_cache ? 1 : 0
+
+  name        = "${local.csi}-${var.name}-firehose-delivery"
+  description = "Delivery Policy for ${local.csi}-${var.name} Firehose"
+  policy      = data.aws_iam_policy_document.firehose_delivery[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "firehose_delivery" {
+  count = var.enable_event_cache ? 1 : 0
+
+  role       = aws_iam_role.sns_role.name
+  policy_arn = aws_iam_policy.firehose_delivery[0].arn
+}
+
+
+data "aws_iam_policy_document" "sns_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+data "aws_iam_policy_document" "firehose_delivery" {
+  count = var.enable_event_cache ? 1 : 0
+
+  statement {
+    sid    = "AllowFirehoseDelivery"
+    effect = "Allow"
+
+    actions = [
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch"
+    ]
+
+    resources = [
+      "${aws_kinesis_firehose_delivery_stream.main[0].arn}",
+    ]
+  }
+}