Merge pull request #609 from NHSDigital/feature/ELI-688-kinesis-stream-buffer

[ELI-688] - Adding Kinesis Data Stream as a buffer for Firehose

Author: TOEL2

infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf

@@ -2,6 +2,11 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
   name        = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.audit_firehose_delivery_stream_name}"
   destination = "extended_s3"
 
+  kinesis_source_configuration {
+    kinesis_stream_arn = var.kinesis_source_stream_arn
+    role_arn           = var.audit_firehose_role.arn
+  }
+
   extended_s3_configuration {
     role_arn   = var.audit_firehose_role.arn
     bucket_arn = var.s3_audit_bucket_arn
@@ -14,20 +19,13 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 
     cloudwatch_logging_options {
       enabled         = true
-      log_group_name  = var.kinesis_cloud_watch_log_group_name
-      log_stream_name = var.kinesis_cloud_watch_log_stream
+      log_group_name  = var.firehose_cloud_watch_log_group_name
+      log_stream_name = var.firehose_cloud_watch_log_stream
     }
   }
-
-  server_side_encryption {
-    enabled  = true
-    key_arn  = aws_kms_key.firehose_cmk.arn
-    key_type = "CUSTOMER_MANAGED_CMK"
-  }
-
+  # Removed server_side_encryption_configuration as it is not supported for kinesis as source
   depends_on = [
     aws_kms_key.firehose_cmk,
-    var.audit_firehose_role
   ]
 
   tags = var.tags

infrastructure/modules/kinesis_firehose/variables.tf

@@ -13,12 +13,12 @@ variable "s3_audit_bucket_arn" {
   type        = string
 }
 
-variable "kinesis_cloud_watch_log_group_name" {
+variable "firehose_cloud_watch_log_group_name" {
   description = "kinesis cloud watch log group name"
   type        = string
 }
 
-variable "kinesis_cloud_watch_log_stream" {
+variable "firehose_cloud_watch_log_stream" {
   description = "kinesis cloud watch log stream"
   type        = string
 }
@@ -28,6 +28,11 @@ variable "eligibility_lambda_role_arn" {
   type        = any
 }
 
+variable "kinesis_source_stream_arn" {
+  description = "the arn of the kinesis data stream the lambda puts records to"
+  type        = any
+}
+
 
 
 

infrastructure/modules/lambda/lambda.tf

@@ -20,12 +20,12 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
       PERSON_TABLE_NAME            = var.eligibility_status_table_name,
       RULES_BUCKET_NAME            = var.eligibility_rules_bucket_name,
       CONSUMER_MAPPING_BUCKET_NAME = var.eligibility_consumer_mappings_bucket_name,
-      KINESIS_AUDIT_STREAM_TO_S3   = var.kinesis_audit_stream_to_s3_name
-      ENV                          = var.environment
-      LOG_LEVEL                    = var.log_level
-      ENABLE_XRAY_PATCHING         = var.enable_xray_patching
-      API_DOMAIN_NAME              = var.api_domain_name
-      HASHING_SECRET_NAME          = var.hashing_secret_name
+      KINESIS_AUDIT_STREAM         = var.kinesis_audit_stream_name,
+      ENV                          = var.environment,
+      LOG_LEVEL                    = var.log_level,
+      ENABLE_XRAY_PATCHING         = var.enable_xray_patching,
+      API_DOMAIN_NAME              = var.api_domain_name,
+      HASHING_SECRET_NAME          = var.hashing_secret_name,
     }
   }
 

infrastructure/modules/lambda/variables.tf

@@ -54,7 +54,7 @@ variable "eligibility_status_table_name" {
   type        = string
 }
 
-variable "kinesis_audit_stream_to_s3_name" {
+variable "kinesis_audit_stream_name" {
   description = "kinesis audit stream to s3 name"
   type        = string
 }

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -53,6 +53,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
       # Kinesis Firehose - Lambda writing audit data
       "firehose:PutRecord",
       "firehose:PutRecordBatch",
+      "kinesis:*",
 
       # X-Ray - Lambda tracing
       "xray:PutTraceSegments",

infrastructure/stacks/api-layer/iam_policies.tf

@@ -224,15 +224,15 @@ resource "aws_iam_role_policy" "kinesis_firehose_logs_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}:log-stream:*"
+        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${local.firehose_stream_name}:log-stream:*"
       },
       {
         Effect = "Allow",
         Action = [
           "logs:DescribeLogGroups",
           "logs:DescribeLogStreams"
         ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}"
+        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${local.firehose_stream_name}"
       }
     ]
   })
@@ -256,6 +256,109 @@ resource "aws_iam_role_policy_attachment" "lambda_insights_policy" {
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
 }
 
+# Policy document to read from Kinesis Source stream
+data "aws_iam_policy_document" "kinesis_source_access" {
+  statement {
+    sid    = "AllowReadFromKinesisSourceStream"
+    effect = "Allow"
+
+    actions = [
+      "kinesis:DescribeStream",
+      "kinesis:DescribeStreamSummary",
+      "kinesis:GetRecords",
+      "kinesis:GetShardIterator",
+      "kinesis:ListShards",
+      "kinesis:SubscribeToShard",
+    ]
+
+    resources = [
+      aws_kinesis_stream.kinesis_source_stream.arn,
+    ]
+  }
+}
+
+# Policy document to use KMS key for reading from Kinesis Source stream
+data "aws_iam_policy_document" "kinesis_source_kms_read_access" {
+  statement {
+    sid    = "AllowUseOfKinesisSourceKeyForReads"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+
+    resources = [
+      aws_kms_key.kinesis_data_stream_kms_key.arn
+    ]
+  }
+}
+
+# Attach kinesis read policy to firehose role
+resource "aws_iam_role_policy" "kinesis_firehose_read_policy" {
+  name   = "KinesisSourceReadAccess"
+  role   = aws_iam_role.eligibility_audit_firehose_role.id
+  policy = data.aws_iam_policy_document.kinesis_source_access.json
+}
+
+# Attach kinesis source stream KMS read policy to firehose role
+resource "aws_iam_role_policy" "firehose_kinesis_source_kms_policy" {
+  name   = "KinesisSourceKmsReadAccess"
+  role   = aws_iam_role.eligibility_audit_firehose_role.id
+  policy = data.aws_iam_policy_document.kinesis_source_kms_read_access.json
+}
+
+# Policy document for Lambda to write to Kinesis stream
+data "aws_iam_policy_document" "kinesis_write_access" {
+  statement {
+    sid    = "AllowWriteToKinesisStream"
+    effect = "Allow"
+
+    actions = [
+      "kinesis:PutRecord",
+      "kinesis:PutRecords"
+    ]
+
+    resources = [
+      aws_kinesis_stream.kinesis_source_stream.arn
+    ]
+  }
+}
+
+# Policy document to use the KMS key
+data "aws_iam_policy_document" "kinesis_kms_write_access" {
+  statement {
+    sid    = "AllowUseOfKinesisStreamKeyForWrites"
+    effect = "Allow"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+
+    resources = [
+      aws_kms_key.kinesis_data_stream_kms_key.arn
+    ]
+  }
+}
+
+
+# Attach kinesis write policy to Lambda role
+resource "aws_iam_role_policy" "lambda_kinesis_write_policy" {
+  name   = "KinesisWriteAccess"
+  role   = aws_iam_role.eligibility_lambda_role.id
+  policy = data.aws_iam_policy_document.kinesis_write_access.json
+}
+
+# Attach kinesis KMS access policy to Lambda role
+resource "aws_iam_role_policy" "lambda_kinesis_kms_policy" {
+  name   = "KinesisStreamKmsWriteAccess"
+  role   = aws_iam_role.eligibility_lambda_role.id
+  policy = data.aws_iam_policy_document.kinesis_kms_write_access.json
+}
+
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
   statement {

infrastructure/stacks/api-layer/kinesis_data_stream.tf

@@ -0,0 +1,99 @@
+resource "aws_kms_key" "kinesis_data_stream_kms_key" {
+  description             = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"} kinesis_data_stream_kms Master Key"
+  deletion_window_in_days = 14
+  is_enabled              = true
+  enable_key_rotation     = true
+  tags                    = local.tags
+}
+
+resource "aws_kms_alias" "kinesis_data_stream_kms_key" {
+  name          = "alias/${var.project_name}-${var.environment}-kinesis-audit-stream"
+  target_key_id = aws_kms_key.kinesis_data_stream_kms_key.key_id
+}
+
+
+data "aws_iam_policy_document" "kinesis_stream_kms_key_policy" {
+  #checkov:skip=CKV_AWS_111 Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_109 Root user needs full KMS key management
+  #checkov:skip=CKV_AWS_356 Root user needs full KMS key management
+  statement {
+    sid    = "EnableRootPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowLambdaUseOfKey"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.eligibility_lambda_role.arn]
+    }
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+
+    condition {
+    test     = "StringEquals"
+    variable = "kms:ViaService"
+    values   = ["kinesis.${var.default_aws_region}.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid    = "AllowFirehoseRoleUseOfKey"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.eligibility_audit_firehose_role.arn]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms:ViaService"
+      values   = ["firehose.${var.default_aws_region}.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_kms_key_policy" "kinesis_stream_kms_key_policy" {
+  key_id = aws_kms_key.kinesis_data_stream_kms_key.id
+  policy = data.aws_iam_policy_document.kinesis_stream_kms_key_policy.json
+}
+
+resource "aws_kinesis_stream" "kinesis_source_stream" {
+  name             = "${var.project_name}-${var.environment}-kinesis-audit-stream"
+  retention_period = 24
+
+  stream_mode_details {
+    stream_mode = "ON_DEMAND" # can discuss later
+  }
+
+  encryption_type = "KMS"
+  kms_key_id      = aws_kms_key.kinesis_data_stream_kms_key.arn
+  tags            = local.tags
+}

infrastructure/stacks/api-layer/kinesis_firehose.tf

@@ -1,13 +1,21 @@
 module "eligibility_audit_firehose_delivery_stream" {
-  source                              = "../../modules/kinesis_firehose"
-  audit_firehose_delivery_stream_name = "audit_stream_to_s3"
-  audit_firehose_role                 = aws_iam_role.eligibility_audit_firehose_role
-  s3_audit_bucket_arn                 = module.s3_audit_bucket.storage_bucket_arn
-  environment                         = local.environment
-  stack_name                          = local.stack_name
-  workspace                           = local.workspace
-  tags                                = local.tags
-  kinesis_cloud_watch_log_group_name  = aws_cloudwatch_log_group.firehose_audit.name
-  kinesis_cloud_watch_log_stream      = aws_cloudwatch_log_stream.firehose_audit_stream.name
-  eligibility_lambda_role_arn            = aws_iam_role.eligibility_lambda_role.arn
+  source                                = "../../modules/kinesis_firehose"
+  audit_firehose_delivery_stream_name   = "audit_stream_to_s3"
+  audit_firehose_role                   = aws_iam_role.eligibility_audit_firehose_role
+  s3_audit_bucket_arn                   = module.s3_audit_bucket.storage_bucket_arn
+  environment                           = local.environment
+  stack_name                            = local.stack_name
+  workspace                             = local.workspace
+  tags                                  = local.tags
+  firehose_cloud_watch_log_group_name   = aws_cloudwatch_log_group.firehose_audit.name
+  firehose_cloud_watch_log_stream       = aws_cloudwatch_log_stream.firehose_audit_stream.name
+  eligibility_lambda_role_arn           = aws_iam_role.eligibility_lambda_role.arn
+  kinesis_source_stream_arn             = aws_kinesis_stream.kinesis_source_stream.arn
+
+  depends_on = [
+    aws_iam_role_policy.kinesis_firehose_read_policy,
+    aws_iam_role_policy.firehose_kinesis_source_kms_policy,
+    aws_iam_role_policy.kinesis_firehose_s3_write_policy,
+    aws_iam_role_policy.kinesis_firehose_logs_policy,
+  ]
 }

infrastructure/stacks/api-layer/lambda.tf

@@ -25,7 +25,7 @@ module "eligibility_signposting_lambda_function" {
   eligibility_rules_bucket_name             = module.s3_rules_bucket.storage_bucket_name
   eligibility_consumer_mappings_bucket_name = module.s3_consumer_mappings_bucket.storage_bucket_name
   eligibility_status_table_name             = module.eligibility_status_table.table_name
-  kinesis_audit_stream_to_s3_name           = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+  kinesis_audit_stream_name                 = aws_kinesis_stream.kinesis_source_stream.name
   hashing_secret_name                       = module.secrets_manager.aws_hashing_secret_name
   lambda_insights_extension_version         = 38
   log_level                                 = "INFO"

infrastructure/stacks/api-layer/locals.tf

@@ -10,6 +10,8 @@ locals {
     data.aws_ssm_parameter.mtls_api_ca_cert.value
   ])
 
+  firehose_stream_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-audit_stream_to_s3"
+
   # Toggle for deploying WAF resources in the current environment
   # True when var.environment is contained in var.waf_enabled_environments
   waf_enabled = contains(var.waf_enabled_environments, var.environment)