CCM-16776: Enable S3 ABAC

sidnhs · sidnhs · commit 4401d131481f · 2026-04-30T16:37:56.000+01:00
diff --git a/infrastructure/terraform/components/dl/README.md b/infrastructure/terraform/components/dl/README.md
@@ -54,6 +54,7 @@ No requirements.
 | <a name="input_report_scheduler_schedule"></a> [report\_scheduler\_schedule](#input\_report\_scheduler\_schedule) | Schedule to trigger sender reports | `string` | `"cron(30 4 * * ? *)"` | no |
 | <a name="input_reports_data_retention_non_current_days"></a> [reports\_data\_retention\_non\_current\_days](#input\_reports\_data\_retention\_non\_current\_days) | The number of non current days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `14` | no |
 | <a name="input_reports_data_retention_policy_days"></a> [reports\_data\_retention\_policy\_days](#input\_reports\_data\_retention\_policy\_days) | The number of days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `90` | no |
+| <a name="input_restrict_pii_data_access"></a> [restrict\_pii\_data\_access](#input\_restrict\_pii\_data\_access) | Whether to restrict access to PII data in the bucket using a bucket policy | `bool` | `true` | no |
 | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Shared Infra Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |
 | <a name="input_sqs_max_receive_count"></a> [sqs\_max\_receive\_count](#input\_sqs\_max\_receive\_count) | Maximum number of times a message can be received before being sent to the DLQ | `string` | `"3"` | no |
@@ -85,10 +86,10 @@ No requirements.
 | <a name="module_report_scheduler"></a> [report\_scheduler](#module\_report\_scheduler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_report_sender"></a> [report\_sender](#module\_report\_sender) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_file_quarantine"></a> [s3bucket\_file\_quarantine](#module\_s3bucket\_file\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_file_safe"></a> [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_file_safe"></a> [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | git::ssh://git@github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-16776_s3_pii_access |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_non_pii_data"></a> [s3bucket\_non\_pii\_data](#module\_s3bucket\_non\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_pii_data"></a> [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_pii_data"></a> [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | git::ssh://git@github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-16776_s3_pii_access |
 | <a name="module_s3bucket_reporting"></a> [s3bucket\_reporting](#module\_s3bucket\_reporting) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_static_assets"></a> [s3bucket\_static\_assets](#module\_s3bucket\_static\_assets) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_core_notifier"></a> [sqs\_core\_notifier](#module\_sqs\_core\_notifier) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-sqs.zip | n/a |
diff --git a/infrastructure/terraform/components/dl/data_iam_roles_sso_dev.tf b/infrastructure/terraform/components/dl/data_iam_roles_sso_dev.tf
@@ -0,0 +1,5 @@
+data "aws_iam_roles" "sso_bc_restricted_dev" {
+  count       = var.restrict_pii_data_access ? 1 : 0
+  name_regex  = "AWSReservedSSO_nhs-notify-bc-developer_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
diff --git a/infrastructure/terraform/components/dl/locals.tf b/infrastructure/terraform/components/dl/locals.tf
@@ -16,4 +16,6 @@ locals {
   ssm_senders_prefix                   = "${local.ssm_prefix}/senders"
   ttl_shard_count                      = 3
   unscanned_files_bucket               = local.acct.additional_s3_buckets["digital-letters_unscanned-files"]["id"]
+
+  bc_restricted_dev_role = try(tolist(data.aws_iam_roles.sso_bc_restricted_dev[0].arns)[0], null)
 }
diff --git a/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf b/infrastructure/terraform/components/dl/module_s3bucket_file_safe.tf
@@ -1,5 +1,5 @@
 module "s3bucket_file_safe" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+  source = "git::ssh://git@github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-16776_s3_pii_access" #Change this later to actual tag
 
   name = "file-safe"
 
@@ -10,6 +10,7 @@ module "s3bucket_file_safe" {
   component      = local.component
 
   kms_key_arn = module.kms.key_arn
+  enable_abac = var.restrict_pii_data_access ? true : false
 
   policy_documents = [data.aws_iam_policy_document.s3bucket_file_safe.json]
 
@@ -41,7 +42,8 @@ module "s3bucket_file_safe" {
   ]
 
   default_tags = {
-    NHSE-Enable-S3-Backup-Acct = "True"
+    NHSE-Enable-S3-Backup-Acct = "True",
+    NHSE-PII-Data              = "True"
   }
 }
 
@@ -85,4 +87,28 @@ data "aws_iam_policy_document" "s3bucket_file_safe" {
       ]
     }
   }
+
+  # dynamic "statement" {
+  #   for_each = var.restrict_pii_data_access ? [1] : []
+  #   content {
+  #     effect = "Deny"
+  #     actions = [
+  #       "s3:GetObject",
+  #       "s3:GetObjectVersion",
+  #       "s3:PutObject",
+  #       "s3:DeleteObject"
+  #     ]
+  #     resources = [
+  #       module.s3bucket_file_safe.arn,
+  #       "${module.s3bucket_file_safe.arn}/*",
+  #     ]
+
+  #     principals {
+  #       type = "AWS"
+  #       identifiers = [
+  #         local.bc_restricted_dev_role
+  #       ]
+  #     }
+  #   }
+  # }
 }
diff --git a/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf b/infrastructure/terraform/components/dl/module_s3bucket_pii_data.tf
@@ -1,5 +1,5 @@
 module "s3bucket_pii_data" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+  source = "git::ssh://git@github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-16776_s3_pii_access" #Change this later to actual tag
 
   name = "pii-data"
 
@@ -9,14 +9,15 @@ module "s3bucket_pii_data" {
   environment    = var.environment
   component      = local.component
 
-  kms_key_arn = module.kms.key_arn
-
+  kms_key_arn      = module.kms.key_arn
+  enable_abac      = var.restrict_pii_data_access ? true : false
   policy_documents = [data.aws_iam_policy_document.s3bucket_pii_data.json]
 
   force_destroy = var.force_destroy
 
   default_tags = {
-    NHSE-Enable-S3-Backup-Acct = "True"
+    NHSE-Enable-S3-Backup-Acct = "True",
+    NHSE-PII-Data              = "True",
   }
 }
 
@@ -61,4 +62,28 @@ data "aws_iam_policy_document" "s3bucket_pii_data" {
       ]
     }
   }
+
+  # dynamic "statement" {
+  #   for_each = var.restrict_pii_data_access ? [1] : []
+  #   content {
+  #     effect = "Deny"
+  #     actions = [
+  #       "s3:GetObject",
+  #       "s3:GetObjectVersion",
+  #       "s3:PutObject",
+  #       "s3:DeleteObject"
+  #     ]
+  #     resources = [
+  #       module.s3bucket_pii_data.arn,
+  #       "${module.s3bucket_pii_data.arn}/*",
+  #     ]
+
+  #     principals {
+  #       type = "AWS"
+  #       identifiers = [
+  #         local.bc_restricted_dev_role
+  #       ]
+  #     }
+  #   }
+  # }
 }
diff --git a/infrastructure/terraform/components/dl/variables.tf b/infrastructure/terraform/components/dl/variables.tf
@@ -319,3 +319,9 @@ variable "event_anomaly_band_width" {
     error_message = "Band width must be between 2 and 10"
   }
 }
+
+variable "restrict_pii_data_access" {
+  type        = bool
+  description = "Whether to restrict access to PII data in the bucket using a bucket policy"
+  default     = true
+}

Original file line number	Diff line number	Diff line change
`@@ -16,4 +16,6 @@ locals {`
`16`	`16`	`ssm_senders_prefix = "${local.ssm_prefix}/senders"`
`17`	`17`	`ttl_shard_count = 3`
`18`	`18`	`unscanned_files_bucket = local.acct.additional_s3_buckets["digital-letters_unscanned-files"]["id"]`
	`19`	`+`
	`20`	`+ bc_restricted_dev_role = try(tolist(data.aws_iam_roles.sso_bc_restricted_dev[0].arns)[0], null)`
`19`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -319,3 +319,9 @@ variable "event_anomaly_band_width" {`
`319`	`319`	`error_message = "Band width must be between 2 and 10"`
`320`	`320`	`}`
`321`	`321`	`}`
	`322`	`+`
	`323`	`+variable "restrict_pii_data_access" {`
	`324`	`+ type = bool`
	`325`	`+ description = "Whether to restrict access to PII data in the bucket using a bucket policy"`
	`326`	`+ default = true`
	`327`	`+}`