AUT-2162: Create IAC Terraform for Check Email Fraud Block handler

Signed-off-by: ayoshebby <ayo.sebiotimo@digital.cabinet-office.gov.uk>
govuk-one-login · May 17, 2024 · 9b967f9 · 9b967f9
1 parent 69f1d55
commit 9b967f9
Show file tree

Hide file tree

Showing 7 changed files with 110 additions and 5 deletions.
diff --git a/ci/terraform/oidc/api-gateway-frontend.tf b/ci/terraform/oidc/api-gateway-frontend.tf
@@ -83,6 +83,8 @@ resource "aws_api_gateway_deployment" "frontend_deployment" {
       local.deploy_account_interventions_count == 1 ? module.account_interventions[0].method_trigger_value : null,
       local.deploy_reauth_user_count == 1 ? module.check_reauth_user[0].integration_trigger_value : null,
       local.deploy_reauth_user_count == 1 ? module.check_reauth_user[0].method_trigger_value : null,
+      local.deploy_check_email_fraud_block_count == 1 ? module.check_email_fraud_block[0].integration_trigger_value : null,
+      local.deploy_check_email_fraud_block_count == 1 ? module.check_email_fraud_block[0].method_trigger_value : null,
       local.account_modifiers_encryption_policy_arn,
     ]))
   }
@@ -207,6 +209,7 @@ resource "aws_api_gateway_stage" "endpoint_frontend_stage" {
     module.doc-app-authorize,
     module.orch_auth_code,
     module.check_reauth_user,
+    module.check_email_fraud_block,
     aws_api_gateway_deployment.deployment,
   ]
 }

diff --git a/ci/terraform/oidc/authentication-auth-code.tf b/ci/terraform/oidc/authentication-auth-code.tf
@@ -13,10 +13,12 @@ module "frontend_api_orch_auth_code_role" {
     aws_iam_policy.dynamo_auth_code_store_read_access_policy.arn,
     aws_iam_policy.redis_parameter_policy.arn,
     aws_iam_policy.auth_code_dynamo_encryption_key_kms_policy.arn,
+    aws_iam_policy.check_email_fraud_block_read_dynamo_read_access_policy.arn,
     module.oidc_txma_audit.access_policy_arn,
     local.account_modifiers_encryption_policy_arn,
     local.client_registry_encryption_policy_arn,
-    local.user_credentials_encryption_policy_arn
+    local.user_credentials_encryption_policy_arn,
+    local.email_check_results_encryption_policy_arn,
   ]
 }
 

diff --git a/ci/terraform/oidc/check-email-fraud-block.tf b/ci/terraform/oidc/check-email-fraud-block.tf
@@ -0,0 +1,73 @@
+module "frontend_api_check_email_fraud_block_role" {
+  count       = local.deploy_check_email_fraud_block_count
+  source      = "../modules/lambda-role"
+  environment = var.environment
+  role_name   = "frontend-api-check-email-fraud-block-role"
+  vpc_arn     = local.authentication_vpc_arn
+
+  policies_to_attach = [
+    aws_iam_policy.audit_signing_key_lambda_kms_signing_policy.arn,
+    aws_iam_policy.dynamo_user_read_access_policy.arn,
+    aws_iam_policy.redis_parameter_policy.arn,
+    module.oidc_txma_audit.access_policy_arn
+  ]
+}
+
+module "check_email_fraud_block" {
+  count  = local.deploy_check_email_fraud_block_count
+  source = "../modules/endpoint-module"
+
+  endpoint_name   = "check-email-fraud-block"
+  path_part       = "check-email-fraud-block"
+  endpoint_method = ["POST"]
+  environment     = var.environment
+
+  handler_environment_variables = {
+    DYNAMO_ENDPOINT      = var.use_localstack ? var.lambda_dynamo_endpoint : null
+    LOCALSTACK_ENDPOINT  = var.use_localstack ? var.localstack_endpoint : null
+    ENVIRONMENT          = var.environment
+    TXMA_AUDIT_QUEUE_URL = module.oidc_txma_audit.queue_url
+    INTERNAl_SECTOR_URI  = var.internal_sector_uri
+    REDIS_KEY            = local.redis_key
+    LOCKOUT_DURATION     = var.lockout_duration
+    LOCKOUT_COUNT_TTL    = var.lockout_count_ttl
+  }
+
+  handler_function_name = "uk.gov.di.authentication.frontendapi.lambda.CheckEmailFraudBlockHandler::handleRequest"
+
+  rest_api_id      = aws_api_gateway_rest_api.di_authentication_frontend_api.id
+  root_resource_id = aws_api_gateway_rest_api.di_authentication_frontend_api.root_resource_id
+  execution_arn    = aws_api_gateway_rest_api.di_authentication_frontend_api.execution_arn
+
+  memory_size                 = lookup(var.performance_tuning, "check-email-fraud-block", local.default_performance_parameters).memory
+  provisioned_concurrency     = lookup(var.performance_tuning, "check-email-fraud-block", local.default_performance_parameters).concurrency
+  max_provisioned_concurrency = lookup(var.performance_tuning, "check-email-fraud-block", local.default_performance_parameters).max_concurrency
+  scaling_trigger             = lookup(var.performance_tuning, "check-email-fraud-block", local.default_performance_parameters).scaling_trigger
+
+  source_bucket           = aws_s3_bucket.source_bucket.bucket
+  lambda_zip_file         = aws_s3_object.frontend_api_release_zip.key
+  lambda_zip_file_version = aws_s3_object.frontend_api_release_zip.version_id
+  code_signing_config_arn = local.lambda_code_signing_configuration_arn
+
+  authentication_vpc_arn = local.authentication_vpc_arn
+  security_group_ids = [
+    local.authentication_security_group_id,
+    local.authentication_oidc_redis_security_group_id,
+  ]
+  subnet_id                              = local.authentication_private_subnet_ids
+  lambda_role_arn                        = module.frontend_api_orch_auth_code_role.arn
+  logging_endpoint_arns                  = var.logging_endpoint_arns
+  cloudwatch_key_arn                     = data.terraform_remote_state.shared.outputs.cloudwatch_encryption_key_arn
+  cloudwatch_log_retention               = var.cloudwatch_log_retention
+  lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn
+  default_tags                           = local.default_tags
+  api_key_required                       = true
+
+  use_localstack = var.use_localstack
+
+  depends_on = [
+    aws_api_gateway_rest_api.di_authentication_frontend_api,
+    aws_api_gateway_resource.connect_resource,
+    aws_api_gateway_resource.wellknown_resource,
+  ]
+}
diff --git a/ci/terraform/oidc/dynamo-policies.tf b/ci/terraform/oidc/dynamo-policies.tf
@@ -38,6 +38,9 @@ data "aws_dynamodb_table" "authentication_callback_userinfo_table" {
   name = "${var.environment}-authentication-callback-userinfo"
 }
 
+data "aws_dynamodb_table" "email_check_results_table" {
+  name = "${var.environment}-email-check-result"
+}
 
 data "aws_iam_policy_document" "dynamo_user_write_policy_document" {
   statement {
@@ -539,6 +542,21 @@ data "aws_iam_policy_document" "dynamo_auth_code_store_read_access_policy_docume
   }
 }
 
+data "aws_iam_policy_document" "check_email_fraud_block_read_dynamo_read_access_policy" {
+  statement {
+    sid    = "AllowAccessToDynamoTables"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:DescribeTable",
+      "dynamodb:Get*",
+    ]
+    resources = [
+      data.aws_dynamodb_table.email_check_results_table.arn,
+      "${data.aws_dynamodb_table.email_check_results_table.arn}/index/*",
+    ]
+  }
+}
 
 resource "aws_iam_policy" "dynamo_client_registry_write_access_policy" {
   name_prefix = "dynamo-client-registry-write-policy"
@@ -699,3 +717,11 @@ resource "aws_iam_policy" "dynamo_auth_code_store_read_access_policy" {
 
   policy = data.aws_iam_policy_document.dynamo_auth_code_store_read_access_policy_document.json
 }
+
+resource "aws_iam_policy" "check_email_fraud_block_read_dynamo_read_access_policy" {
+  name_prefix = "dynamo-email-check-results-read-policy"
+  path        = "/${var.environment}/oidc-shared/"
+  description = "IAM policy for managing read permissions to the Dynamo Email Check Results table"
+
+  policy = data.aws_iam_policy_document.check_email_fraud_block_read_dynamo_read_access_policy.json
+}
diff --git a/ci/terraform/oidc/shared.tf b/ci/terraform/oidc/shared.tf
@@ -74,4 +74,5 @@ locals {
   pending_email_check_queue_id                        = data.terraform_remote_state.shared.outputs.pending_email_check_queue_id
   pending_email_check_queue_access_policy_arn         = data.terraform_remote_state.shared.outputs.pending_email_check_queue_access_policy_arn
   user_profile_kms_key_arn                            = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn
+  email_check_results_encryption_policy_arn           = data.terraform_remote_state.shared.outputs.email_check_results_encryption_policy_arn
 }
diff --git a/ci/terraform/oidc/site.tf b/ci/terraform/oidc/site.tf
@@ -40,9 +40,10 @@ locals {
     application = "oidc-api"
   }
 
-  request_tracing_allowed            = contains(["build", "sandpit"], var.environment)
-  deploy_account_interventions_count = 1
-  deploy_reauth_user_count           = contains(["build", "sandpit", "authdev1", "authdev2", "staging"], var.environment) ? 1 : 0
+  request_tracing_allowed              = contains(["build", "sandpit"], var.environment)
+  deploy_account_interventions_count   = 1
+  deploy_reauth_user_count             = contains(["build", "sandpit", "authdev1", "authdev2", "staging"], var.environment) ? 1 : 0
+  deploy_check_email_fraud_block_count = contains(["build", "sandpit", "authdev1", "authdev2", "staging"], var.environment) ? 1 : 0
 
   access_logging_template = jsonencode({
     requestId            = "$context.requestId"

diff --git a/...rc/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckEmailFraudBlockHandler.java b/...rc/main/java/uk/gov/di/authentication/frontendapi/lambda/CheckEmailFraudBlockHandler.java
@@ -81,7 +81,6 @@ public APIGatewayProxyResponseEvent handleRequestWithUserContext(
                 var checkEmailFraudBlockResponse =
                         new CheckEmailFraudBlockResponse(
                                 request.getEmail(), emailCheckResult.get().getStatus().getValue());
-
                 return generateApiGatewayProxyResponse(200, checkEmailFraudBlockResponse);
             }
             return generateApiGatewayProxyResponse(