
Merge pull request #347 from mdr-engineering/feature/bp_MSOCI-1965_TQ-lambda

Adds S3 Bucket for Portal lambda
Brad Poulton 3 years ago
parent
commit
78d9e630ea
2 changed files with 87 additions and 81 deletions
  1. 6 0
      base/customer_portal_lambda/README.md
  2. 81 81
      base/customer_portal_lambda/s3.tf

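--- a/base/customer_portal_lambda/README.md
+++ b/base/customer_portal_lambda/README.md
@@ -1 +1,7 @@
 # Customer Portal Lambda
+
+NOTE: There is a dependence in 005-iam (submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf) for the PassRole action for the role. There is also a dependency on the Vault containing the correct values.
+
+The customer portal lambda is made up of two lambda functions. One is the scheduler and one actually runs the code. 
+
+Please note this lambda function has been updated to include the ThreatQ lambda. The threatq lambda does not add an additional AWS lambda, instead it is just added in the python code and piggy backs off the lambdas in this module. 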

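--- a/base/customer_portal_lambda/s3.tf
+++ b/base/customer_portal_lambda/s3.tf
@@ -1,89 +1,89 @@
-# # TO BE IMPLEMENTED AT A LATER DATE!
-# resource "aws_s3_bucket" "bucket" {
-#   bucket        = "xdr-portal-lambda-${var.environment}"
-#   force_destroy = true
-#   acl           = "private"
+resource "aws_s3_bucket" "bucket" {
+  bucket        = "xdr-portal-lambda-${var.environment}"
+  force_destroy = true
+  acl           = "private"
 
-#   server_side_encryption_configuration {
-#     rule {
-#       apply_server_side_encryption_by_default {
-#         kms_master_key_id = aws_kms_key.key.arn
-#         sse_algorithm     = "aws:kms"
-#       }
-#     }
-#   }
-# }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.key.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
 
-# resource "aws_s3_bucket_public_access_block" "public_access_block" {
-#   bucket                  = aws_s3_bucket.bucket.id
-#   block_public_acls       = true
-#   block_public_policy     = true
-#   ignore_public_acls      = true
-#   restrict_public_buckets = true
+resource "aws_s3_bucket_public_access_block" "public_access_block" {
+  bucket                  = aws_s3_bucket.bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 
-#   # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
-#   # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
-#   depends_on = [aws_s3_bucket_policy.policy]
-# }
+  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
+  depends_on = [aws_s3_bucket_policy.policy]
+}
 
-# resource "aws_s3_bucket_policy" "policy" {
-#   bucket = aws_s3_bucket.bucket.id
-#   policy = data.aws_iam_policy_document.policy_document.json
-# }
+data "aws_iam_policy_document" "s3_policy_document" {
+  statement {
+    sid = "AllowS3Access"
+    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    effect = "Allow"
+    resources = [
+        "${aws_s3_bucket.bucket.arn}",
+        "${aws_s3_bucket.bucket.arn}/*"
+      ]
+    principals {
+      type = "AWS"
+      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
+    }
+  }
+}
 
-# data "aws_iam_policy_document" "policy_document" {
-#   statement {
-#     sid = "AllowS3Access"
-#     actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-#     effect = "Allow"
-#     resources = [
-#         "${aws_s3_bucket.bucket.arn}",
-#         "${aws_s3_bucket.bucket.arn}/*"
-#       ]
-#     principals {
-#       type = "AWS"
-#       identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
-#     }
-#   }
-# }
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.s3_policy_document.json
+}
 
-# resource "aws_kms_key" "key" {
-#   description             = "Encryption of S3 code for portal-scheduler"
-#   policy                  = data.aws_iam_policy_document.kms_policy_document.json
-#   enable_key_rotation     = true
-#   tags                    = merge(var.standard_tags, var.tags)
-# }
 
-# data "aws_iam_policy_document" "kms_policy_document" {
-#   statement {
-#     sid = "AllowServices"
-#     effect = "Allow"
-#     principals {
-#       type = "AWS"
-#       identifiers = [ 
-#         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
-#         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-#         ]
-#     }
-#     actions   = [ "kms:*" ]
-#     resources = [ "*" ]
-#   }
-#   # allow account to modify/manage key
-#   statement {
-#     sid = "AllowThisAccount"
-#     effect = "Allow"
-#     principals {
-#       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-#       type = "AWS"
-#     }
-#     actions = [
-#       "kms:*"
-#     ]
-#     resources = ["*"]
-#   }
-# }
+resource "aws_kms_key" "key" {
+  description             = "Encryption of S3 code for portal-scheduler"
+  policy                  = data.aws_iam_policy_document.kms_policy_document.json
+  enable_key_rotation     = true
+  tags                    = merge(var.standard_tags, var.tags)
+}
 
-# resource "aws_kms_alias" "key_alias" {
-#   name          = "alias/portal-s3-key"
-#   target_key_id = aws_kms_key.key.key_id
-# }
+data "aws_iam_policy_document" "kms_policy_document" {
+  statement {
+    sid = "AllowServices"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
+        ]
+    }
+    actions   = [ "kms:*" ]
+    resources = [ "*" ]
+  }
+  # allow account to modify/manage key
+  statement {
+    sid = "AllowThisAccount"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
+      type = "AWS"
+    }
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_alias" "key_alias" {
+  name          = "alias/portal-s3-key"
+  target_key_id = aws_kms_key.key.key_id
+}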