VED-1029: Specify KMS key ARN instead of alias.

Author: mfjarvis

infrastructure/instance/file_name_processor.tf

@@ -315,18 +315,18 @@ resource "aws_lambda_function" "file_processor_lambda" {
 
   environment {
     variables = {
-      ACCOUNT_ID               = var.immunisation_account_id
-      DPS_ACCOUNT_ID           = var.dspp_core_account_id
-      SOURCE_BUCKET_NAME       = aws_s3_bucket.batch_data_source_bucket.bucket
-      ACK_BUCKET_NAME          = aws_s3_bucket.batch_data_destination_bucket.bucket
-      DPS_BUCKET_NAME          = var.dspp_submission_s3_bucket_name
-      DPS_BUCKET_KMS_KEY_ALIAS = var.dspp_submission_kms_key_alias
-      QUEUE_URL                = aws_sqs_queue.batch_file_created.url
-      REDIS_HOST               = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
-      REDIS_PORT               = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
-      SPLUNK_FIREHOSE_NAME     = module.splunk.firehose_stream_name
-      AUDIT_TABLE_NAME         = aws_dynamodb_table.audit-table.name
-      AUDIT_TABLE_TTL_DAYS     = 60
+      ACCOUNT_ID             = var.immunisation_account_id
+      DPS_ACCOUNT_ID         = var.dspp_core_account_id
+      SOURCE_BUCKET_NAME     = aws_s3_bucket.batch_data_source_bucket.bucket
+      ACK_BUCKET_NAME        = aws_s3_bucket.batch_data_destination_bucket.bucket
+      DPS_BUCKET_NAME        = var.dspp_submission_s3_bucket_name
+      DPS_BUCKET_KMS_KEY_ARN = "arn:aws:kms:${var.aws_region}:${var.dspp_core_account_id}:${var.dspp_submission_kms_key_alias}"
+      QUEUE_URL              = aws_sqs_queue.batch_file_created.url
+      REDIS_HOST             = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
+      REDIS_PORT             = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
+      SPLUNK_FIREHOSE_NAME   = module.splunk.firehose_stream_name
+      AUDIT_TABLE_NAME       = aws_dynamodb_table.audit-table.name
+      AUDIT_TABLE_TTL_DAYS   = 60
     }
   }
   kms_key_arn                    = data.aws_kms_key.existing_lambda_encryption_key.arn

lambdas/filenameprocessor/src/constants.py

@@ -14,7 +14,7 @@
 
 
 DPS_DESTINATION_BUCKET_NAME = os.getenv("DPS_BUCKET_NAME")
-DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS = os.getenv("DPS_BUCKET_KMS_KEY_ALIAS")
+DPS_DESTINATION_BUCKET_KMS_KEY_ARN = os.getenv("DPS_BUCKET_KMS_KEY_ARN")
 EXPECTED_SOURCE_BUCKET_ACCOUNT = os.getenv("ACCOUNT_ID")
 EXPECTED_DPS_DESTINATION_ACCOUNT = os.getenv("DPS_ACCOUNT_ID")
 AUDIT_TABLE_NAME = os.getenv("AUDIT_TABLE_NAME")

lambdas/filenameprocessor/src/file_name_processor.py

@@ -17,7 +17,7 @@
 from common.log_decorator import logging_decorator
 from common.models.errors import UnhandledAuditTableError
 from constants import (
-    DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS,
+    DPS_DESTINATION_BUCKET_KMS_KEY_ARN,
     DPS_DESTINATION_BUCKET_NAME,
     DPS_DESTINATION_PREFIX,
     ERROR_TYPE_TO_STATUS_CODE_MAP,
@@ -272,7 +272,7 @@ def handle_extended_attributes_file(
             dest_file_key,
             EXPECTED_DPS_DESTINATION_ACCOUNT,
             EXPECTED_SOURCE_BUCKET_ACCOUNT,
-            DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS,
+            DPS_DESTINATION_BUCKET_KMS_KEY_ARN,
         )
 
         move_file(bucket_name, file_key, f"{EXTENDED_ATTRIBUTES_ARCHIVE_PREFIX}/{file_key}")

lambdas/filenameprocessor/tests/utils_for_tests/mock_environment_variables.py

@@ -38,7 +38,7 @@ class Sqs:
     "SOURCE_BUCKET_NAME": BucketNames.SOURCE,
     "ACK_BUCKET_NAME": BucketNames.DESTINATION,
     "DPS_BUCKET_NAME": BucketNames.DPS_DESTINATION,
-    "DPS_BUCKET_KMS_KEY_ALIAS": "alias/nhsd-dspp-core-ref-s3-submission-upload-key",
+    "DPS_BUCKET_KMS_KEY_ARN": "arn:aws:kms:eu-west-2:123456789012:alias/nhsd-dspp-core-ref-s3-submission-upload-key",
     "ACCOUNT_ID": MOCK_ACCOUNT_ID,
     "DPS_ACCOUNT_ID": MOCK_ACCOUNT_ID,
     "QUEUE_URL": "https://sqs.eu-west-2.amazonaws.com/123456789012/imms-batch-file-created-queue.fifo",