7555020
firehose and audit bucket fixture
Karthikeyannhs Jun 25, 2025
73e9393
modified test to check if the data is written to audit
Karthikeyannhs Jun 25, 2025
6c7daab
firehose terraform code
Karthikeyannhs Jun 25, 2025
7a304e9
code clean up and fixes
Karthikeyannhs Jun 26, 2025
3678fae
Update Kinesis Firehose config
Karthikeyannhs Jun 26, 2025
658a581
added env for stream name
Karthikeyannhs Jun 26, 2025
4452c1c
fix
Karthikeyannhs Jun 26, 2025
b278c02
Add firehose to vpc endpoints
robbailiff2 Jun 26, 2025
3a49587
Merge branch 'feature/eli-154-firehose-integration' of github.com:NHS…
robbailiff2 Jun 26, 2025
01dee91
firehose endpoint
Karthikeyannhs Jun 26, 2025
e8592a6
firehose cloudwatch logs
Karthikeyannhs Jun 26, 2025
eee52b8
firehose kms key
Karthikeyannhs Jun 26, 2025
abaee26
audit kms s3 policy fix
Karthikeyannhs Jun 26, 2025
282d0df
kms encryption 🔐 for firehose & cleanup 🧹
Karthikeyannhs Jun 26, 2025
186ebfa
key name change
Karthikeyannhs Jun 27, 2025
718f98b
key name change
Karthikeyannhs Jun 27, 2025
ed48830
key name change
Karthikeyannhs Jun 27, 2025
42113fe
test
Karthikeyannhs Jun 27, 2025
eb40ab0
kms encryption
Karthikeyannhs Jun 27, 2025
7096d68
checkov
Karthikeyannhs Jun 27, 2025
5f84306
logs encruption
Karthikeyannhs Jun 27, 2025
58cd919
cleanup
Karthikeyannhs Jun 27, 2025
8bdd09f
checkov
Karthikeyannhs Jun 27, 2025
47299ca
checkov
Karthikeyannhs Jun 27, 2025
1a87edc
checkov
Karthikeyannhs Jun 27, 2025
d9ef9e7
checkov
Karthikeyannhs Jun 27, 2025
3f02a61
lint
Karthikeyannhs Jun 27, 2025
f0e49da
sonar fixed
Karthikeyannhs Jun 27, 2025
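--- a/infrastructure/modules/kinesis_firehose/data.tf
+++ b/infrastructure/modules/kinesis_firehose/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}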
@@ -0,0 +1,29 @@
resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_delivery_stream" {
name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.audit_firehose_delivery_stream_name}"
destination = "extended_s3"

extended_s3_configuration {
role_arn = var.audit_firehose_role_arn
bucket_arn = var.s3_audit_bucket_arn

buffering_size = 1
buffering_interval = 60
compression_format = "UNCOMPRESSED"

kms_key_arn = aws_kms_key.firehose_cmk.arn

cloudwatch_logging_options {
enabled = true
log_group_name = var.kinesis_cloud_watch_log_group_name
log_stream_name = var.kinesis_cloud_watch_log_stream
}
}

server_side_encryption {
enabled = true
key_arn = aws_kms_key.firehose_cmk.arn
key_type = "CUSTOMER_MANAGED_CMK"
}

tags = var.tags
}
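Review bot: The `extended_s3_configuration` block sets neither `prefix` nor `error_output_prefix`, so successfully delivered audit records and Firehose's processing-failed batches both land unpartitioned at the root of the audit bucket, which makes it hard to tell genuine audit output from failed deliveries later. Add something like `prefix = "audit/"` and `error_output_prefix = "errors/!{firehose:error-output-type}/"` so failures are segregated and can be alerted on. `compression_format = "UNCOMPRESSED"` is also worth a second look for a long-retention audit store, though that is cost rather than security. The file header for this section is not shown in the rendered page, so the path of this file cannot be confirmed from here.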
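--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -0,0 +1,94 @@
+resource "aws_kms_key" "firehose_cmk" {
+description = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.audit_firehose_delivery_stream_name} Master Key"
+deletion_window_in_days = 14
+is_enabled = true
+enable_key_rotation = true
+tags = var.tags
+}
+
+
+resource "aws_kms_alias" "firehose_cmk" {
+name = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.audit_firehose_delivery_stream_name}-cmk"
+target_key_id = aws_kms_key.firehose_cmk.key_id
+}
+
+resource "aws_kms_key_policy" "firehose_key_policy" {
+key_id = aws_kms_key.firehose_cmk.id
+policy = data.aws_iam_policy_document.firehose_kms_key_policy.json
+}
+
+
+data "aws_iam_policy_document" "firehose_kms_key_policy" {
+#checkov:skip=CKV_AWS_111: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_356: Root user needs full KMS key management
+#checkov:skip=CKV_AWS_109: Root user needs full KMS key management
+statement {
+sid = "EnableIamUserPermissions"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+actions = ["kms:*"]
+resources = ["*"]
+}
+statement {
+sid = "EnableRootUserPermissions"
+effect = "Allow"
+
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+
+actions = ["kms:*"]
+resources = ["*"]
+}
+
+# Your existing statements below...
+statement {
+sid = "AllowFirehoseAccess"
+effect = "Allow"
+principals {
+type = "Service"
+identifiers = ["firehose.amazonaws.com"]
+}
+actions = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+]
+resources = [aws_kms_key.firehose_cmk.arn]
+}
+
+statement {
+sid = "AllowFirehoseRoleUsage"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [var.audit_firehose_role_arn]
+}
+actions = ["kms:*"]
+resources = [aws_kms_key.firehose_cmk.arn]
+}
+
+statement {
+sid = "AllowCloudWatchLogsUseOfTheKey"
+effect = "Allow"
+principals {
+type = "Service"
+identifiers = ["logs.${var.region}.amazonaws.com"]
+}
+actions = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+]
+resources = [aws_kms_key.firehose_cmk.arn]
+}
+}
+
+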
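Review bot: The `AllowFirehoseRoleUsage` statement grants the delivery role `kms:*` on the key, which includes administrative actions such as `kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion` and `kms:DisableKey`; a data-plane role that only writes audit records should get `actions = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]`, the same set the `AllowFirehoseAccess` statement above it already grants to `firehose.amazonaws.com`. `EnableIamUserPermissions` and `EnableRootUserPermissions` are the same root `kms:*` grant written twice, so one of them (and the `# Your existing statements below...` template residue) can be dropped, which also halves what the three `checkov:skip` lines are excusing. The two service-principal statements carry no condition, so any Firehose stream or log group in any account that learns this key ARN can have the service use it on its behalf; scoping them with the conditions AWS documents for these services (`kms:ViaService` for Firehose, an `ArnLike` on `kms:EncryptionContext:aws:logs:arn` for CloudWatch Logs) limits the key to this account's resources.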
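--- a/infrastructure/modules/kinesis_firehose/outputs.tf
+++ b/infrastructure/modules/kinesis_firehose/outputs.tf
@@ -0,0 +1,7 @@
+output "firehose_stream_name" {
+value = aws_kinesis_firehose_delivery_stream.eligibility_audit_firehose_delivery_stream.name
+}
+
+output "kinesis_firehose_cmk_arn" {
+value = aws_kms_key.firehose_cmk.arn
+}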
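--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -0,0 +1,27 @@
+variable "audit_firehose_delivery_stream_name" {
+description = "audit firehose delivery stream name"
+type = string
+}
+
+variable "audit_firehose_role_arn" {
+description = "audit firehose role arn"
+type = string
+}
+
+variable "s3_audit_bucket_arn" {
+description = "s3 audit bucket arn"
+type = string
+}
+
+variable "kinesis_cloud_watch_log_group_name" {
+description = "kinesis cloud watch log group name"
+type = string
+}
+
+variable "kinesis_cloud_watch_log_stream" {
+description = "kinesis cloud watch log stream"
+type = string
+}
+
+
+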
13 changes: 13 additions & 0 deletions infrastructure/modules/lambda/kms.tf
Expand Up @@ -17,6 +17,19 @@ resource "aws_kms_key_policy" "lambda_cmk" {
}

data "aws_iam_policy_document" "lambda_cmk" {
#checkov:skip=CKV_AWS_111: Root user needs full KMS key management
#checkov:skip=CKV_AWS_356: Root user needs full KMS key management
#checkov:skip=CKV_AWS_109: Root user needs full KMS key management
statement {
sid = "EnableIamUserPermissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = ["kms:*"]
resources = ["*"]
}
statement {
sid = "Enable IAM User Permissions for Lambda CMK"
effect = "Allow"
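Review bot: The added `EnableIamUserPermissions` statement grants the account root `kms:*` on `*`, and the statement immediately below it, with sid `Enable IAM User Permissions for Lambda CMK`, looks from its name like the same root grant; if its body (which lies outside this hunk) is, the new statement is a duplicate and should be removed rather than excused with three new `checkov:skip` lines. If the intention was to replace the existing statement, keep only one of them so the policy has a single root grant. `data.aws_iam_policy_document.lambda_cmk` continues past the end of the hunk, so the rest of the policy could not be checked here.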
9 changes: 5 additions & 4 deletions infrastructure/modules/lambda/lambda.tf
Expand Up @@ -17,10 +17,11 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {

environment {
variables = {
PERSON_TABLE_NAME = var.eligibility_status_table_name,
RULES_BUCKET_NAME = var.eligibility_rules_bucket_name,
ENV = var.environment
LOG_LEVEL = var.log_level
PERSON_TABLE_NAME = var.eligibility_status_table_name,
RULES_BUCKET_NAME = var.eligibility_rules_bucket_name,
KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
ENV = var.environment
LOG_LEVEL = var.log_level
}
}

5 changes: 5 additions & 0 deletions infrastructure/modules/lambda/variables.tf
Expand Up @@ -38,6 +38,11 @@ variable "eligibility_status_table_name" {
type = string
}

variable "kinesis_audit_stream_to_s3_name" {
description = "kinesis audit stream to s3 name"
type = string
}

variable "log_level" {
description = "log level"
type = string
6 changes: 3 additions & 3 deletions infrastructure/stacks/api-layer/api_gateway.tf
Expand Up @@ -46,9 +46,9 @@ resource "aws_api_gateway_deployment" "eligibility_signposting_api" {
resource "aws_api_gateway_stage" "eligibility-signposting-api" {
#checkov:skip=CKV2_AWS_51: mTLS is enforced at the custom domain, not at the stage level
#checkov:skip=CKV_AWS_120: We're not enabling caching for this API Gateway, yet
deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
stage_name = "${local.workspace}-eligibility-signposting-api-live"
deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
stage_name = "${local.workspace}-eligibility-signposting-api-live"
xray_tracing_enabled = true

access_log_settings {
16 changes: 16 additions & 0 deletions infrastructure/stacks/api-layer/cloudwatch.tf
Expand Up @@ -9,3 +9,19 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
Stack = local.stack_name
}
}

resource "aws_cloudwatch_log_group" "firehose_audit" {
name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
retention_in_days = 365
kms_key_id = module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn

tags = {
Name = "kinesis-firehose-logs"
Stack = local.stack_name
}
}

resource "aws_cloudwatch_log_stream" "firehose_audit_stream" {
name = "audit_stream_log"
log_group_name = aws_cloudwatch_log_group.firehose_audit.name
}
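Review bot: `aws_cloudwatch_log_group.firehose_audit` is named `/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit` with no workspace component, whereas the API stage in this same stack is `${local.workspace}-eligibility-signposting-api-live` and the delivery stream and CMK in the module are workspace-prefixed; two workspaces deployed into one account would therefore collide on this log group, or one would end up writing into a group encrypted with the other workspace's CMK. Prefixing it the same way, e.g. `name = "/aws/kinesisfirehose/${local.workspace}-${var.project_name}-${var.environment}-audit"`, keeps the naming consistent and the per-workspace key boundary intact. The wiring that passes this group to the module as `kinesis_cloud_watch_log_group_name` is not in this diff, so it is worth confirming that the module receives this resource's `.name` rather than a separately typed string that could drift from it.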