Chore: [AEA-0000] - Set permissions for bare environment and make audit data extract conditional (#2265)

## Summary

- Routine Change

### Details

- allow deployment from new environments
- make adding data extract to audit bucket conditional

Author: anthony-nhs

cloudformation/account_resources.yml

@@ -29,6 +29,15 @@ Parameters:
         3288,
         3653,
       ]
+  AddDataExtractToAuditBucket:
+    Type: String
+    Description: Whether to add the data extract bucket as a source to the audit logging bucket policy
+    AllowedValues:
+      - "true"
+      - "false"
+
+Conditions:
+  AddDataExtractToAuditBucketCondition: !Equals [!Ref AddDataExtractToAuditBucket, "true"]
 
 Resources:
   #region API Gateway
@@ -624,21 +633,24 @@ Resources:
                 aws:SourceAccount: !Ref "AWS::AccountId"
               ArnLike:
                 aws:SourceArn: !ImportValue "epsam:kbDocsBucket:Arn"
-          - Effect: Allow
-            Principal:
-              Service: logging.s3.amazonaws.com
-            Action:
-              - s3:PutObject*
-            Resource:
-              - !Join [
-                  "",
-                  [!GetAtt AuditLoggingBucket.Arn, "/data-extract/*"],
-                ]
-            Condition:
-              StringEquals:
-                aws:SourceAccount: !Ref "AWS::AccountId"
-              ArnLike:
-                aws:SourceArn: !ImportValue "data-extract:DestinationBucket:Arn"
+          - !If
+            - AddDataExtractToAuditBucketCondition
+            - Effect: Allow
+              Principal:
+                Service: logging.s3.amazonaws.com
+              Action:
+                - s3:PutObject*
+              Resource:
+                - !Join [
+                    "",
+                    [!GetAtt AuditLoggingBucket.Arn, "/data-extract/*"],
+                  ]
+              Condition:
+                StringEquals:
+                  aws:SourceAccount: !Ref "AWS::AccountId"
+                ArnLike:
+                  aws:SourceArn: !ImportValue "data-extract:DestinationBucket:Arn"
+            - !Ref AWS::NoValue
 
   #endregion
 

environmentSettings/dev.json

@@ -114,7 +114,8 @@
       ]
     },
     "account-resources": {
-      "LogRetentionDays": "90"
+      "LogRetentionDays": "90",
+      "AddDataExtractToAuditBucket": "true"
     },
     "lambda-resources": {
       "SplunkHECEndpoint": "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event",

environmentSettings/int.json

@@ -7,6 +7,7 @@
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:int-account",
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:int-ci",
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:int-lambda",
+        "repo:NHSDigital/electronic-prescription-service-account-resources:environment:int",
         "repo:NHSDigital/electronic-prescription-service-clinical-prescription-tracker:environment:int",
         "repo:NHSDigital/eps-FHIR-validator-lambda:environment:int",
         "repo:NHSDigital/eps-prescription-status-update-api:environment:int",
@@ -73,7 +74,8 @@
       ]
     },
     "account-resources": {
-      "LogRetentionDays": "90"
+      "LogRetentionDays": "90",
+      "AddDataExtractToAuditBucket": "false"
     },
     "lambda-resources": {
       "SplunkHECEndpoint": "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event",

environmentSettings/prod.json

@@ -7,6 +7,7 @@
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:prod-account",
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:prod-ci",
         "repo:NHSDigital/electronic-prescription-service-account-resources:environment:prod-lambda",
+        "repo:NHSDigital/electronic-prescription-service-account-resources:environment:prod",
         "repo:NHSDigital/electronic-prescription-service-clinical-prescription-tracker:environment:prod",
         "repo:NHSDigital/eps-FHIR-validator-lambda:environment:prod",
         "repo:NHSDigital/eps-prescription-status-update-api:environment:prod",
@@ -83,7 +84,8 @@
       ]
     },
     "account-resources": {
-      "LogRetentionDays": "90"
+      "LogRetentionDays": "90",
+      "AddDataExtractToAuditBucket": "false"
     },
     "lambda-resources": {
       "SplunkHECEndpoint": "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event",

environmentSettings/qa.json

@@ -72,7 +72,8 @@
       ]
     },
     "account-resources": {
-      "LogRetentionDays": "90"
+      "LogRetentionDays": "90",
+      "AddDataExtractToAuditBucket": "true"
     },
     "lambda-resources": {
       "SplunkHECEndpoint": "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event",

environmentSettings/ref.json

@@ -75,7 +75,8 @@
       ]
     },
     "account-resources": {
-      "LogRetentionDays": "90"
+      "LogRetentionDays": "90",
+      "AddDataExtractToAuditBucket": "false"
     },
     "lambda-resources": {
       "SplunkHECEndpoint": "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event",