Make id-sync SQS policy more restrictive. (#1186)

* Make id-sync SQS policy more restrictive.

* Format tfvars files.

Author: mfjarvis

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -1,6 +1,7 @@
 environment                       = "prod"
 immunisation_account_id           = "664418956997"
 dspp_core_account_id              = "232116723729"
+mns_account_id                    = "758334270304"
 pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
 

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -1,11 +1,12 @@
 environment                       = "prod"
 immunisation_account_id           = "664418956997"
 dspp_core_account_id              = "232116723729"
+mns_account_id                    = "758334270304"
 pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
 
 # mesh no invocation period metric set to 1 day (in seconds) for prod environment i.e 1 * 24 * 60 * 60
 mesh_no_invocation_period_seconds = 86400
 create_mesh_processor             = true
 has_sub_environment_scope         = false
-dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"
+dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"

infrastructure/instance/sqs_id_sync.tf

@@ -23,18 +23,36 @@ resource "aws_sqs_queue_redrive_allow_policy" "id_sync_queue_redrive_allow_polic
 
 data "aws_iam_policy_document" "id_sync_sqs_policy" {
   statement {
-    sid    = "id-sync-queue SQS statement"
+    sid    = "mns-allow-send"
     effect = "Allow"
 
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = ["arn:aws:iam::${var.mns_account_id}:role/nhs-mns-events-lambda-delivery"]
     }
 
     actions = [
       "sqs:SendMessage",
-      "sqs:ReceiveMessage"
     ]
+
+    resources = [
+      aws_sqs_queue.id_sync_queue.arn
+    ]
+  }
+
+  statement {
+    sid    = "id-sync-allow-receive"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.id_sync_lambda_exec_role.arn]
+    }
+
+    actions = [
+      "sqs:ReceiveMessage",
+    ]
+
     resources = [
       aws_sqs_queue.id_sync_queue.arn
     ]

infrastructure/instance/variables.tf

@@ -1,13 +1,30 @@
-variable "environment" {}
+variable "environment" {
+  type        = string
+  description = "Environment (AWS Account) name - dev, preprod or prod"
+}
 
 variable "sub_environment" {
-  description = "The value is set in the makefile"
+  type        = string
+  description = "Sub-environment name, e.g. internal-dev, internal-qa. The value is set in the Makefile"
 }
 
-variable "immunisation_account_id" {}
-variable "dspp_core_account_id" {}
+variable "immunisation_account_id" {
+  type        = string
+  description = "Immunisation AWS Account ID"
+}
+variable "dspp_core_account_id" {
+  type        = string
+  description = "DSPP Core AWS Account ID"
+}
 variable "csoc_account_id" {
-  default = "693466633220"
+  type        = string
+  description = "CSOC AWS Account ID - destination for forwarded logs"
+  default     = "693466633220"
+}
+variable "mns_account_id" {
+  type        = string
+  description = "MNS AWS account ID - trusted source for MNS notifications"
+  default     = "631615744739"
 }
 
 variable "dspp_kms_key_alias" {
@@ -17,18 +34,22 @@ variable "dspp_kms_key_alias" {
 }
 
 variable "create_mesh_processor" {
+  type    = bool
   default = false
 }
 
 variable "project_name" {
+  type    = string
   default = "immunisation"
 }
 
 variable "project_short_name" {
+  type    = string
   default = "imms"
 }
 
 variable "service" {
+  type    = string
   default = "fhir-api"
 }
 
@@ -43,6 +64,7 @@ variable "aws_region" {
 }
 
 variable "pds_environment" {
+  type    = string
   default = "int"
 }
 
@@ -60,7 +82,9 @@ variable "error_alarm_notifications_enabled" {
 }
 
 variable "has_sub_environment_scope" {
-  default = false
+  description = "True if the sub-environment is a standalone environment, e.g. internal-dev. False if it is part of a blue-green split, e.g. int-green."
+  type        = bool
+  default     = false
 }
 
 locals {

package.json

@@ -26,7 +26,7 @@
       "poetry -P quality_checks run ruff check --fix",
       "poetry -P quality_checks run ruff format"
     ],
-    "*.tf": "terraform fmt",
+    "*.{tf,tfvars}": "terraform fmt",
     "immunisation-fhir-api.{yaml,json}": "redocly lint --skip-rule=security-defined"
   }
 }