Merge branch 'main' into PRMP-1475

Author: steph-torres-nhs

infrastructure/dns_email_auth.tf

@@ -1,9 +1,9 @@
-resource "aws_route53_record" "dmarc" {
-  count   = local.is_shared_workspace ? 1 : 0
-  zone_id = module.route53_fargate_ui.zone_id
-  name    = "_dmarc.${var.domain}"
-  type    = "TXT"
-  ttl     = 300
-
-  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
-}
+# resource "aws_route53_record" "dmarc" {
+#   count   = local.is_shared_workspace ? 1 : 0
+#   zone_id = module.route53_fargate_ui.zone_id
+#   name    = "_dmarc.${var.domain}"
+#   type    = "TXT"
+#   ttl     = 300
+#
+#   records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
+# }

infrastructure/iam.tf

@@ -354,37 +354,37 @@ resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda"
   })
 }
 
-data "aws_iam_policy_document" "reporting_ses" {
-  statement {
-    sid    = "SESAccess"
-    effect = "Allow"
-
-    actions = [
-      "ses:SendEmail",
-      "ses:SendRawEmail"
-    ]
-
-    resources = [
-      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
-      "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "ses:FromAddress"
-      values   = [local.reporting_ses_from_address_value]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "ses_feedback_s3_put" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "s3:PutObject"
-    ]
-    resources = [
-      "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
-    ]
-  }
-}
+# data "aws_iam_policy_document" "reporting_ses" {
+#   statement {
+#     sid    = "SESAccess"
+#     effect = "Allow"
+#
+#     actions = [
+#       "ses:SendEmail",
+#       "ses:SendRawEmail"
+#     ]
+#
+#     resources = [
+#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:identity/*",
+#       "arn:aws:ses:${var.region}:${data.aws_caller_identity.current.account_id}:configuration-set/${aws_ses_configuration_set.reporting.name}"
+#     ]
+#
+#     condition {
+#       test     = "StringEquals"
+#       variable = "ses:FromAddress"
+#       values   = [local.reporting_ses_from_address_value]
+#     }
+#   }
+# }
+#
+# data "aws_iam_policy_document" "ses_feedback_s3_put" {
+#   statement {
+#     effect = "Allow"
+#     actions = [
+#       "s3:PutObject"
+#     ]
+#     resources = [
+#       "${module.ses-feedback-store.bucket_arn}/ses-feedback/*"
+#     ]
+#   }
+# }

infrastructure/kms_sns.tf

@@ -4,6 +4,7 @@ module "sns_encryption_key" {
   kms_key_description = "Custom KMS Key to enable server side encryption for sns subscriptions"
   environment         = var.environment
   owner               = var.owner
-  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
+  # service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "ses.amazonaws.com"]
+  service_identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com"]
   kms_deletion_window = var.kms_deletion_window
 }

infrastructure/lambda-report-distribution.tf

@@ -1,30 +1,30 @@
-module "report-distribution-lambda" {
-  source         = "./modules/lambda"
-  name           = "ReportDistribution"
-  handler        = "handlers.report_distribution_handler.lambda_handler"
-  lambda_timeout = 300
-
-  iam_role_policy_documents = [
-    module.ndr-report-store.s3_read_policy_document,
-    module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
-    data.aws_iam_policy_document.reporting_ses.json,
-    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-  ]
-
-  lambda_environment_variables = {
-    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-    WORKSPACE               = terraform.workspace
-
-    REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
-    CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
-
-    PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
-    SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
-  }
-
-  is_gateway_integration_needed = false
-  is_invoked_from_gateway       = false
-}
+# module "report-distribution-lambda" {
+#   source         = "./modules/lambda"
+#   name           = "ReportDistribution"
+#   handler        = "handlers.report_distribution_handler.lambda_handler"
+#   lambda_timeout = 300
+#
+#   iam_role_policy_documents = [
+#     module.ndr-report-store.s3_read_policy_document,
+#     module.bulk_upload_contact_lookup_table.dynamodb_read_policy_document,
+#     data.aws_iam_policy_document.reporting_ses.json,
+#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+#   ]
+#
+#   lambda_environment_variables = {
+#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+#     WORKSPACE               = terraform.workspace
+#
+#     REPORT_BUCKET_NAME = module.ndr-report-store.bucket_id
+#     CONTACT_TABLE_NAME = module.bulk_upload_contact_lookup_table.table_name
+#
+#     PRM_MAILBOX_EMAIL     = data.aws_ssm_parameter.prm_mailbox_email.value
+#     SES_FROM_ADDRESS      = local.reporting_ses_from_address_value
+#     SES_CONFIGURATION_SET = aws_ses_configuration_set.reporting.name
+#   }
+#
+#   is_gateway_integration_needed = false
+#   is_invoked_from_gateway       = false
+# }

infrastructure/lambda-ses-feedback-monitor.tf

@@ -1,32 +1,32 @@
-module "ses-feedback-monitor-lambda" {
-  source         = "./modules/lambda"
-  name           = "SesFeedbackMonitor"
-  handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
-  lambda_timeout = 60
-
-  iam_role_policy_documents = [
-    data.aws_iam_policy_document.ses_feedback_s3_put.json,
-    data.aws_iam_policy_document.reporting_ses.json,
-    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
-  ]
-
-  lambda_environment_variables = {
-    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
-    WORKSPACE               = terraform.workspace
-
-    SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
-    SES_FEEDBACK_PREFIX      = "ses-feedback/"
-    PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
-    SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
-    ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
-  }
-
-  is_gateway_integration_needed = false
-  is_invoked_from_gateway       = false
-
-  depends_on = [
-    module.ses-feedback-store
-  ]
-}
+# module "ses-feedback-monitor-lambda" {
+#   source         = "./modules/lambda"
+#   name           = "SesFeedbackMonitor"
+#   handler        = "handlers.ses_feedback_monitor_handler.lambda_handler"
+#   lambda_timeout = 60
+#
+#   iam_role_policy_documents = [
+#     data.aws_iam_policy_document.ses_feedback_s3_put.json,
+#     data.aws_iam_policy_document.reporting_ses.json,
+#     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
+#   ]
+#
+#   lambda_environment_variables = {
+#     APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+#     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+#     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+#     WORKSPACE               = terraform.workspace
+#
+#     SES_FEEDBACK_BUCKET_NAME = module.ses-feedback-store.bucket_id
+#     SES_FEEDBACK_PREFIX      = "ses-feedback/"
+#     PRM_MAILBOX_EMAIL        = data.aws_ssm_parameter.prm_mailbox_email.value
+#     SES_FROM_ADDRESS         = local.reporting_ses_from_address_value
+#     ALERT_ON_EVENT_TYPES     = "BOUNCE,REJECT"
+#   }
+#
+#   is_gateway_integration_needed = false
+#   is_invoked_from_gateway       = false
+#
+#   depends_on = [
+#     module.ses-feedback-store
+#   ]
+# }

infrastructure/modules/app_config/configurations/dev.json

@@ -26,6 +26,9 @@
         },
         "documentCorrectEnabled": {
           "name": "documentCorrectEnabled"
+        },
+        "userRestrictionEnabled": {
+            "name": "userRestrictionEnabled"
         }
     },
     "values": {
@@ -55,6 +58,9 @@
         },
         "documentCorrectEnabled": {
           "enabled": "true"
+        },
+        "userRestrictionEnabled": {
+            "enabled": "true"
         }
     },
     "version": "1"

infrastructure/modules/app_config/configurations/pre-prod.json

@@ -26,6 +26,9 @@
         },
         "documentCorrectEnabled": {
           "name": "documentCorrectEnabled"
+        },
+        "userRestrictionEnabled": {
+            "name": "userRestrictionEnabled"
         }
     },
     "values": {
@@ -55,6 +58,9 @@
         },
         "documentCorrectEnabled": {
           "enabled": "false"
+        },
+        "userRestrictionEnabled": {
+            "enabled": "false"
         }
     },
     "version": "1"

infrastructure/modules/app_config/configurations/prod.json

@@ -26,6 +26,9 @@
         },
         "documentCorrectEnabled": {
           "name": "documentCorrectEnabled"
+        },
+        "userRestrictionEnabled": {
+            "name": "userRestrictionEnabled"
         }
     },
     "values": {
@@ -55,6 +58,9 @@
         },
         "documentCorrectEnabled": {
           "enabled": "false"
+        },
+        "userRestrictionEnabled": {
+            "enabled": "false"
         }
     },
     "version": "1"

infrastructure/modules/app_config/configurations/sandbox.json

@@ -26,6 +26,9 @@
         },
         "documentCorrectEnabled": {
           "name": "documentCorrectEnabled"
+        },
+        "userRestrictionEnabled": {
+            "name": "userRestrictionEnabled"
         }
     },
     "values": {
@@ -55,6 +58,9 @@
         },
         "documentCorrectEnabled": {
           "enabled": "true"
+        },
+        "userRestrictionEnabled": {
+            "enabled": "true"
         }
     },
     "version": "1"

infrastructure/modules/sns/README.md

@@ -79,7 +79,6 @@ module "sns_topic" {
 | Name | Type |
 |------|------|
 | [aws_sns_topic.sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
-| [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.sns_subscription_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.sns_subscription_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 
@@ -90,16 +89,13 @@ module "sns_topic" {
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | Attach delivery or IAM policy. (Legacy name; used as topic policy JSON in this module.) | `string` | n/a | yes |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in notification queue. | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to notification queue. | `bool` | `false` | no |
-| <a name="input_enable_ses_publish"></a> [enable\_ses\_publish](#input\_enable\_ses\_publish) | If true, module appends a statement allowing ses.amazonaws.com to SNS:Publish to this topic. | `bool` | `false` | no |
 | <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | Whether to use the topic\_endpoint\_list instead of a single topic\_endpoint. | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | Whether to enable raw message delivery for the SNS subscription. | `bool` | `false` | no |
-| <a name="input_ses_source_account_id"></a> [ses\_source\_account\_id](#input\_ses\_source\_account\_id) | AWS account ID used in the AWS:SourceAccount condition for SES publishing. | `string` | `""` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | The ARN (or ID) of the KMS key used for encrypting the SNS topic. | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback. | `map(string)` | `{}` | no |
 | <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | A single endpoint (e.g., SQS queue or Lambda function ARN) to subscribe to the topic. | `any` | `null` | no |
 | <a name="input_topic_endpoint_list"></a> [topic\_endpoint\_list](#input\_topic\_endpoint\_list) | A list of endpoints (e.g., SQS ARNs) to subscribe to the topic. | `any` | `[]` | no |
 | <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name) | Name of the SNS topic. | `string` | n/a | yes |
-| <a name="input_topic_policy_json"></a> [topic\_policy\_json](#input\_topic\_policy\_json) | Optional SNS topic access policy JSON. If set, it overrides delivery\_policy. | `string` | `null` | no |
 | <a name="input_topic_protocol"></a> [topic\_protocol](#input\_topic\_protocol) | The protocol to use for the subscription (e.g., 'sqs', 'lambda'). | `string` | n/a | yes |
 
 ## Outputs