VED-1029: Specify KMS key when copying extended attributes files to DPS.

Author: mfjarvis

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -7,4 +7,4 @@ batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
 dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dspp_submission_kms_key_alias     = "alias/nhsd-dspp-core-prod-s3-submission-upload-key"

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -7,4 +7,4 @@ batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
 dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dspp_submission_kms_key_alias     = "alias/nhsd-dspp-core-prod-s3-submission-upload-key"

infrastructure/instance/file_name_processor.tf

@@ -261,7 +261,7 @@ resource "aws_iam_policy" "filenameprocessor_dps_extended_attribute_kms_policy"
         Resource = "arn:aws:kms:eu-west-2:${var.dspp_core_account_id}:key/*",
         "Condition" = {
           "ForAnyValue:StringEquals" = {
-            "kms:ResourceAliases" = "alias/${var.dspp_submission_kms_key_alias}"
+            "kms:ResourceAliases" = var.dspp_submission_kms_key_alias
           }
         }
       }
@@ -315,17 +315,18 @@ resource "aws_lambda_function" "file_processor_lambda" {
 
   environment {
     variables = {
-      ACCOUNT_ID           = var.immunisation_account_id
-      DPS_ACCOUNT_ID       = var.dspp_core_account_id
-      SOURCE_BUCKET_NAME   = aws_s3_bucket.batch_data_source_bucket.bucket
-      ACK_BUCKET_NAME      = aws_s3_bucket.batch_data_destination_bucket.bucket
-      DPS_BUCKET_NAME      = var.dspp_submission_s3_bucket_name
-      QUEUE_URL            = aws_sqs_queue.batch_file_created.url
-      REDIS_HOST           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
-      REDIS_PORT           = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
-      SPLUNK_FIREHOSE_NAME = module.splunk.firehose_stream_name
-      AUDIT_TABLE_NAME     = aws_dynamodb_table.audit-table.name
-      AUDIT_TABLE_TTL_DAYS = 60
+      ACCOUNT_ID               = var.immunisation_account_id
+      DPS_ACCOUNT_ID           = var.dspp_core_account_id
+      SOURCE_BUCKET_NAME       = aws_s3_bucket.batch_data_source_bucket.bucket
+      ACK_BUCKET_NAME          = aws_s3_bucket.batch_data_destination_bucket.bucket
+      DPS_BUCKET_NAME          = var.dspp_submission_s3_bucket_name
+      DPS_BUCKET_KMS_KEY_ALIAS = var.dspp_submission_kms_key_alias
+      QUEUE_URL                = aws_sqs_queue.batch_file_created.url
+      REDIS_HOST               = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].address
+      REDIS_PORT               = data.aws_elasticache_cluster.existing_redis.cache_nodes[0].port
+      SPLUNK_FIREHOSE_NAME     = module.splunk.firehose_stream_name
+      AUDIT_TABLE_NAME         = aws_dynamodb_table.audit-table.name
+      AUDIT_TABLE_TTL_DAYS     = 60
     }
   }
   kms_key_arn                    = data.aws_kms_key.existing_lambda_encryption_key.arn

infrastructure/instance/variables.tf

@@ -36,7 +36,7 @@ variable "dspp_submission_s3_bucket_name" {
 variable "dspp_submission_kms_key_alias" {
   description = "Alias of the DSPP (DPS) KMS key required to encrypt extended attributes files"
   type        = string
-  default     = "nhsd-dspp-core-ref-s3-submission-upload-key"
+  default     = "alias/nhsd-dspp-core-ref-s3-submission-upload-key"
 }
 
 variable "create_mesh_processor" {

lambdas/filenameprocessor/src/constants.py

@@ -14,6 +14,7 @@
 
 
 DPS_DESTINATION_BUCKET_NAME = os.getenv("DPS_BUCKET_NAME")
+DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS = os.getenv("DPS_BUCKET_KMS_KEY_ALIAS")
 EXPECTED_SOURCE_BUCKET_ACCOUNT = os.getenv("ACCOUNT_ID")
 EXPECTED_DPS_DESTINATION_ACCOUNT = os.getenv("DPS_ACCOUNT_ID")
 AUDIT_TABLE_NAME = os.getenv("AUDIT_TABLE_NAME")

lambdas/filenameprocessor/src/file_name_processor.py

@@ -17,6 +17,7 @@
 from common.log_decorator import logging_decorator
 from common.models.errors import UnhandledAuditTableError
 from constants import (
+    DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS,
     DPS_DESTINATION_BUCKET_NAME,
     DPS_DESTINATION_PREFIX,
     ERROR_TYPE_TO_STATUS_CODE_MAP,
@@ -271,6 +272,7 @@ def handle_extended_attributes_file(
             dest_file_key,
             EXPECTED_DPS_DESTINATION_ACCOUNT,
             EXPECTED_SOURCE_BUCKET_ACCOUNT,
+            DPS_DESTINATION_BUCKET_KMS_KEY_ALIAS,
         )
 
         move_file(bucket_name, file_key, f"{EXTENDED_ATTRIBUTES_ARCHIVE_PREFIX}/{file_key}")

lambdas/filenameprocessor/tests/utils_for_tests/mock_environment_variables.py

@@ -12,7 +12,7 @@ class BucketNames:
     CONFIG = "immunisation-batch-internal-dev-data-configs"
     SOURCE = "immunisation-batch-internal-dev-data-sources"
     DESTINATION = "immunisation-batch-internal-dev-data-destinations"
-    DPS_DESTINATION = "nhsd-dspp-core-ref-extended-attributes-gdp"
+    DPS_DESTINATION = "nhsd-dspp-core-ref-s3-submission-upload"
     # Mock firehose bucket used for testing only (due to limitations of the moto testing package)
     MOCK_FIREHOSE = "mock-firehose-bucket"
 
@@ -38,6 +38,7 @@ class Sqs:
     "SOURCE_BUCKET_NAME": BucketNames.SOURCE,
     "ACK_BUCKET_NAME": BucketNames.DESTINATION,
     "DPS_BUCKET_NAME": BucketNames.DPS_DESTINATION,
+    "DPS_BUCKET_KMS_KEY_ALIAS": "alias/nhsd-dspp-core-ref-s3-submission-upload-key",
     "ACCOUNT_ID": MOCK_ACCOUNT_ID,
     "DPS_ACCOUNT_ID": MOCK_ACCOUNT_ID,
     "QUEUE_URL": "https://sqs.eu-west-2.amazonaws.com/123456789012/imms-batch-file-created-queue.fifo",

lambdas/shared/src/common/aws_s3_utils.py

@@ -22,15 +22,21 @@ def copy_file_to_external_bucket(
     destination_key: str,
     expected_bucket_owner: str,
     expected_source_bucket_owner: str,
+    sse_kms_key_id: str | None = None,
 ) -> None:
+    copy_params = {
+        "CopySource": {"Bucket": source_bucket, "Key": source_key},
+        "Bucket": destination_bucket,
+        "Key": destination_key,
+        "ExpectedBucketOwner": expected_bucket_owner,
+        "ExpectedSourceBucketOwner": expected_source_bucket_owner,
+    }
+
+    if sse_kms_key_id:
+        copy_params["SSEKMSKeyId"] = sse_kms_key_id
+
     s3_client = get_s3_client()
-    s3_client.copy_object(
-        CopySource={"Bucket": source_bucket, "Key": source_key},
-        Bucket=destination_bucket,
-        Key=destination_key,
-        ExpectedBucketOwner=expected_bucket_owner,
-        ExpectedSourceBucketOwner=expected_source_bucket_owner,
-    )
+    s3_client.copy_object(**copy_params)
 
 
 def delete_file(