NHSDigital · sidnhs · Aug 28, 2024 · Aug 22, 2024 · Aug 23, 2024 · Aug 23, 2024
@@ -1,6 +1,6 @@
 # This file is for you! Please, updated to the versions agreed by your team.
 
-terraform 1.9.1
+terraform 1.9.2
 pre-commit 3.6.0
 nodejs 18.18.2
 gitleaks 8.18.4

@@ -0,0 +1,12 @@
+resource "aws_amplify_branch" "main" {
+  app_id                      = var.amplify_app_id
+  description                 = var.description
+  branch_name                 = var.branch
+  display_name                = var.display_name
+  enable_pull_request_preview = var.enable_pull_request_preview
+  enable_auto_build           = var.enable_auto_build
+  stage                       = var.stage
+  framework                   = var.framework
+
+  environment_variables = var.environment_variables
+}
@@ -0,0 +1,33 @@
+locals {
+  csi = format(
+    "%s-%s-%s-%s-%s",
+    var.project,
+    var.environment,
+    var.component,
+    var.module,
+    var.name,
+  )
+
+  # CSI for use in resources with an account namespace, eg IAM roles
+  csi_account = replace(
+    format(
+      "%s-%s-%s-%s-%s-%s",
+      var.project,
+      var.region,
+      var.environment,
+      var.component,
+      var.module,
+      var.name,
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = var.module
+      Name   = local.csi
+    },
+  )
+}
@@ -0,0 +1,3 @@
+output "name" {
+  value = aws_amplify_branch.main.branch_name
+}
@@ -0,0 +1,112 @@
+##
+# Basic inherited variables for terraformscaffold modules
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the terraformscaffold project calling the module"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the terraformscaffold environment the module is called for"
+}
+
+variable "component" {
+  type        = string
+  description = "The name of the terraformscaffold component calling this module"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "group" {
+  type        = string
+  description = "The group variables are being inherited from (often synonmous with account short-name)"
+}
+
+variable "description" {
+  type        = string
+  description = "Description for the branch"
+}
+
+##
+# Module self-identification
+##
+
+variable "module" {
+  type        = string
+  description = "The name of this module. This is a special variable, it should be set only here and never overridden."
+  default     = "kms"
+}
+
+##
+# Variable specific to the module
+##
+
+# We presume this will always be specified. The default of {} will cause an error if a valid map is not specified.
+# If we ever want to define this but allow it to not be specified, then we must provide a default tag keypair will be applied
+# as the true default. In any other case default_tags should be removed from the module.
+variable "default_tags" {
+  type        = map(string)
+  description = "Default tag map for application to all taggable resources in the module"
+  default     = {}
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+variable "name" {
+  type        = string
+  description = "A unique name to distinguish this module invocation from others within the same CSI scope"
+}
+
+variable "amplify_app_id" {
+  type        = string
+  description = "Amplify application ID"
+}
+
+variable "branch" {
+  description = "The name of the branch being deployed"
+  type        = string
+}
+
+variable "display_name" {
+  description = "The display name of the branch app being deployed"
+  type        = string
+  default = null
+}
+
+variable "enable_auto_build" {
+  type        = bool
+  description = "Enable the auto build of the branch code as well as just the resources for it"
+  default     = false
+}
+
+variable "enable_pull_request_preview" {
+  type        = bool
+  description = "Enable the pull request preview"
+  default     = false
+}
+
+variable "stage" {
+  type        = string
+  default     = null
+  description = "Determine what stage is being deployed for"
+}
+
+variable "framework" {
+  type        = string
+  default     = null
+  description = "Set what framework to use"
+}
+
+variable "environment_variables" {
+  type        = map(string)
+  default     = {}
+  description = "Environment variables to be used for amplify branch"
+}
@@ -0,0 +1,9 @@
+
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 1.9.0"
+}
@@ -0,0 +1,31 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "admin" {
+  policy_id = "${local.csi}-admin"
+
+  statement {
+    sid    = "AllowKeyAdmin"
+    effect = "Allow"
+
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+      aws_kms_alias.main.arn,
+    ]
+  }
+}
@@ -0,0 +1,43 @@
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "user" {
+  policy_id = "${local.csi}-user"
+
+  statement {
+    sid    = "AllowUseOfTheKmskey"
+    effect = "Allow"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowDelegationToAwsServiceViaGrant"
+    effect = "Allow"
+
+    actions = [
+      "kms:CreateGrant",
+    ]
+
+    resources = [
+      aws_kms_key.main.arn,
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+
+      values = [
+        "true",
+      ]
+    }
+  }
+}
@@ -0,0 +1,27 @@
+data "aws_iam_policy_document" "key" {
+  source_policy_documents = var.key_policy_documents
+
+  dynamic "statement" {
+    for_each = var.iam_delegation ? [1] : []
+    content {
+      sid    = "AllowFullLocalAdministration"
+      effect = "Allow"
+
+      principals {
+        type = "AWS"
+
+        identifiers = [
+          "arn:aws:iam::${var.aws_account_id}:root",
+        ]
+      }
+
+      actions = [
+        "kms:*",
+      ]
+
+      resources = [
+        "*",
+      ]
+    }
+  }
+}
@@ -0,0 +1,13 @@
+# Create the Key Policy for the AWS KMS Key
+resource "aws_iam_policy" "admin" {
+  name   = "${local.csi_account}-admin"
+  path   = "/"
+  policy = data.aws_iam_policy_document.admin.json
+
+  tags = merge(
+    local.default_tags,
+    {
+      Name = "${local.csi_account}-admin",
+    },
+  )
+}
@@ -0,0 +1,13 @@
+# Create the Key Policy for the AWS KMS Key
+resource "aws_iam_policy" "user" {
+  name   = "${local.csi_account}-user"
+  path   = "/"
+  policy = data.aws_iam_policy_document.user.json
+
+  tags = merge(
+    local.default_tags,
+    {
+      Name = "${local.csi_account}-user",
+    },
+  )
+}
@@ -0,0 +1,8 @@
+resource "aws_kms_key" "main" {
+  bypass_policy_lockout_safety_check = false
+  deletion_window_in_days            = var.deletion_window
+  description                        = local.csi
+  enable_key_rotation                = true
+  policy                             = data.aws_iam_policy_document.key.json
+  tags                               = local.default_tags
+}
@@ -0,0 +1,4 @@
+resource "aws_kms_alias" "main" {
+  name          = var.alias
+  target_key_id = aws_kms_key.main.key_id
+}
@@ -0,0 +1,33 @@
+locals {
+  csi = format(
+    "%s-%s-%s-%s-%s",
+    var.project,
+    var.environment,
+    var.component,
+    var.module,
+    var.name,
+  )
+
+  # CSI for use in resources with an account namespace, eg IAM roles
+  csi_account = replace(
+    format(
+      "%s-%s-%s-%s-%s-%s",
+      var.project,
+      var.region,
+      var.environment,
+      var.component,
+      var.module,
+      var.name,
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = var.module
+      Name   = local.csi
+    },
+  )
+}
@@ -0,0 +1,15 @@
+output "key_arn" {
+  value = aws_kms_key.main.arn
+}
+
+output "key_id" {
+  value = aws_kms_key.main.key_id
+}
+
+output "admin_policy_arn" {
+  value = aws_iam_policy.admin.arn
+}
+
+output "user_policy_arn" {
+  value = aws_iam_policy.user.arn
+}