CCM-12616: mock mesh only when enabled

Author: lapenna-bjss

infrastructure/terraform/components/dl/README.md

@@ -13,13 +13,14 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"dl"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_enable_dynamodb_delete_protection"></a> [enable\_dynamodb\_delete\_protection](#input\_enable\_dynamodb\_delete\_protection) | Enable DynamoDB Delete Protection on all Tables | `bool` | `true` | no |
+| <a name="input_enable_mock_mesh"></a> [enable\_mock\_mesh](#input\_enable\_mock\_mesh) | Enable mock mesh access (dev only). Grants lambda permission to read mock-mesh prefix in non-pii bucket. | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
-| <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"cron(0,30 8-16 ? * MON-FRI *)"` | no |
+| <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"rate(5 minutes)"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_queue_batch_size"></a> [queue\_batch\_size](#input\_queue\_batch\_size) | maximum number of queue items to process | `number` | `10` | no |

infrastructure/terraform/components/dl/module_lambda_mesh_download.tf

@@ -36,14 +36,60 @@ module "mesh_download" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
+    # Required by Config
     EVENT_PUBLISHER_EVENT_BUS_ARN = aws_cloudwatch_event_bus.main.arn
     EVENT_PUBLISHER_DLQ_URL       = module.sqs_event_publisher_dlq.queue_url
     ENVIRONMENT                   = var.environment
     DEPLOYMENT                    = var.deployment
+
+    # Optional
+    USE_MESH_MOCK                 = var.enable_mock_mesh ? "true" : "false"
+    MOCK_MESH_BUCKET              = module.s3bucket_non_pii_data.bucket
   }
+
 }
 
 data "aws_iam_policy_document" "mesh_download_lambda" {
+  # Mock S3 ListBucket only when enabled
+  dynamic "statement" {
+    for_each = var.enable_mock_mesh ? [1] : []
+    content {
+      sid    = "MockMeshListBucket"
+      effect = "Allow"
+
+      actions = [
+        "s3:ListBucket"
+      ]
+
+      resources = [
+        module.s3bucket_non_pii_data.arn
+      ]
+
+      condition {
+        test     = "StringLike"
+        variable = "s3:prefix"
+        values   = ["mock-mesh/*"]
+      }
+    }
+  }
+
+  # Mock S3 GetObject only when enabled
+  dynamic "statement" {
+    for_each = var.enable_mock_mesh ? [1] : []
+    content {
+      sid    = "MockMeshGetObject"
+      effect = "Allow"
+
+      actions = [
+        "s3:GetObject"
+      ]
+
+      resources = [
+        "${module.s3bucket_non_pii_data.arn}/mock-mesh/*"
+      ]
+    }
+  }
+
   statement {
     sid    = "KMSPermissions"
     effect = "Allow"

infrastructure/terraform/components/dl/module_lambda_mesh_poll.tf

@@ -37,35 +37,78 @@ module "mesh_poll" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
+    # Required by Config
+    SSM_PREFIX                          = var.ssm_prefix
+    SSM_CLIENTS_PARAMETER_PATH          = var.ssm_clients_parameter_path
+    INBOX_WORKFLOW_ID                   = var.inbox_workflow_id
+    OUTBOX_WORKFLOW_ID                  = var.outbox_workflow_id
+    MAXIMUM_RUNTIME_MILLISECONDS        = var.maximum_runtime_milliseconds
+    ENVIRONMENT                         = var.environment
+    EVENT_PUBLISHER_EVENT_BUS_ARN       = aws_cloudwatch_event_bus.main.arn
+    CERTIFICATE_EXPIRY_METRIC_NAME      = var.certificate_expiry_metric_name
+    CERTIFICATE_EXPIRY_METRIC_NAMESPACE = var.certificate_expiry_metric_namespace
+    POLLING_METRIC_NAME                 = var.polling_metric_name
+    POLLING_METRIC_NAMESPACE            = var.polling_metric_namespace
+
+    # Optional
+    USE_MESH_MOCK                       = var.enable_mock_mesh ? "true" : "false"
+    MOCK_MESH_BUCKET                    = module.s3bucket_non_pii_data.bucket
   }
+
 }
 
 data "aws_iam_policy_document" "mesh_poll_lambda" {
-  statement {
-    sid    = "KMSPermissions"
-    effect = "Allow"
+  # Mock S3 ListBucket only when enabled
+  dynamic "statement" {
+    for_each = var.enable_mock_mesh ? [1] : []
+    content {
+      sid    = "MockMeshListBucket"
+      effect = "Allow"
 
-    actions = [
-      "kms:Decrypt",
-      "kms:GenerateDataKey",
-    ]
+      actions = [
+        "s3:ListBucket"
+      ]
 
-    resources = [
-      module.kms.key_arn,
-    ]
+      resources = [
+        module.s3bucket_non_pii_data.arn
+      ]
+
+      condition {
+        test     = "StringLike"
+        variable = "s3:prefix"
+        values   = ["mock-mesh/*"]
+      }
+    }
+  }
+
+  # Mock S3 GetObject only when enabled
+  dynamic "statement" {
+    for_each = var.enable_mock_mesh ? [1] : []
+    content {
+      sid    = "MockMeshGetObject"
+      effect = "Allow"
+
+      actions = [
+        "s3:GetObject"
+      ]
+
+      resources = [
+        "${module.s3bucket_non_pii_data.arn}/mock-mesh/*"
+      ]
+    }
   }
 
   statement {
-    sid    = "LettersBucketPermissions"
+    sid    = "KMSPermissions"
     effect = "Allow"
 
     actions = [
-      "s3:ListBucket",
-      "s3:GetObject",
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
     ]
 
     resources = [
-      "${module.s3bucket_letters.arn}/mock-mesh/*",
+      module.kms.key_arn,
     ]
   }
 }

infrastructure/terraform/components/dl/variables.tf

@@ -89,7 +89,13 @@ variable "parent_acct_environment" {
 variable "mesh_poll_schedule" {
   type        = string
   description = "Schedule to poll MESH for messages"
-  default     = "cron(0,30 8-16 ? * MON-FRI *)"  # Every 30 minutes between 8am and 4:30pm Mon-Fri
+  default     = "rate(5 minutes)"  # Every 5 minutes
+}
+
+variable "enable_mock_mesh" {
+  description = "Enable mock mesh access (dev only). Grants lambda permission to read mock-mesh prefix in non-pii bucket."
+  type        = bool
+  default     = false
 }
 
 variable "queue_batch_size" {

lambdas/mesh-download/src/config.py

@@ -0,0 +1,188 @@
+"""
+Module for configuring MESH Download application
+"""
+import json
+import os
+import tempfile
+import boto3
+import structlog
+import mesh_client
+from py_mock_mesh.mesh_client import MockMeshClient
+from metric_publishers.certificate_monitor import report_expiry_time
+from metric_publishers.metric_client import Metric
+
+structlog.configure(processors=[structlog.processors.JSONRenderer()])
+log = structlog.get_logger()
+
+
+class InvalidMeshEndpointError(Exception):
+    """
+    Indicates an invalid MESH endpoint in configuration
+    """
+
+
+class InvalidEnvironmentVariableError(Exception):
+    """
+    Indicates an invalid environment variable
+    """
+
+
+def store_file(content):
+    """
+    Writes a temp file and returns the name
+    """
+
+    with tempfile.NamedTemporaryFile(delete=False) as file:
+        file.write(content)
+        file.close()
+        return file.name
+
+
+_REQUIRED_ENV_VAR_MAP = {
+    "ssm_prefix": "SSM_PREFIX",
+    "inbox_workflow_id": "INBOX_WORKFLOW_ID",
+    "outbox_workflow_id": "OUTBOX_WORKFLOW_ID",
+    "environment": "ENVIRONMENT",
+    "certificate_expiry_metric_name": "CERTIFICATE_EXPIRY_METRIC_NAME",
+    "certificate_expiry_metric_namespace": "CERTIFICATE_EXPIRY_METRIC_NAMESPACE",
+    "polling_metric_name": "POLLING_METRIC_NAME",
+    "polling_metric_namespace": "POLLING_METRIC_NAMESPACE"
+}
+
+_OPTIONAL_ENV_VAR_MAP = {
+    "use_mesh_mock": "USE_MESH_MOCK"
+}
+
+
+class Config:  # pylint: disable=too-many-instance-attributes
+
+    """
+    Represents the configuration of the MESH Download application
+    """
+
+    def __init__(self,
+                ssm=None,
+                s3_client=None):
+
+        self.ssm = ssm if ssm is not None else boto3.client('ssm')
+        self.s3_client = s3_client if s3_client is not None else boto3.client('s3')
+        self.mesh_endpoint = None
+        self.mesh_mailbox = None
+        self.mesh_mailbox_password = None
+        self.mesh_shared_key = None
+        self.client_cert = None
+        self.client_key = None
+        self.mesh_client = None
+        self.ssm_prefix = None
+        self.inbox_workflow_id = None
+        self.outbox_workflow_id = None
+        self.environment = None
+        self.certificate_expiry_metric_name = None
+        self.certificate_expiry_metric_namespace = None
+        self.use_mesh_mock = False
+
+        missing_env_vars = []
+        for attr, key in _REQUIRED_ENV_VAR_MAP.items():
+            if key not in os.environ:
+                missing_env_vars.append(f'"{key}"')
+            else:
+                setattr(self, attr, os.environ[key])
+
+        # Handle optional environment variables
+        for attr, key in _OPTIONAL_ENV_VAR_MAP.items():
+            if key in os.environ:
+                value = os.environ[key]
+                if attr == "use_mesh_mock":
+                    # Convert string to boolean
+                    setattr(self, attr, value.lower() in ('true', '1', 'yes', 'on'))
+                else:
+                    setattr(self, attr, value)
+
+        if len(missing_env_vars) > 0:
+            raise InvalidEnvironmentVariableError(
+                f"Required environment variables {', '.join(missing_env_vars)} not set.")
+
+    def __enter__(self):
+        ssm_response = self.ssm.get_parameter(
+            Name=self.ssm_prefix + '/config',
+            WithDecryption=True
+        )
+        mesh_config = json.loads(
+            ssm_response['Parameter']['Value']
+        )
+
+        self.mesh_endpoint = mesh_config['mesh_endpoint']
+        self.mesh_mailbox = mesh_config['mesh_mailbox']
+        self.mesh_mailbox_password = mesh_config['mesh_mailbox_password']
+        self.mesh_shared_key = mesh_config['mesh_shared_key'].encode('ascii')
+
+        # Build Mesh Client
+
+        client_cert_parameter = self.ssm.get_parameter(
+            Name=self.ssm_prefix + '/client-cert',
+            WithDecryption=True
+        )
+        client_key_parameter = self.ssm.get_parameter(
+            Name=self.ssm_prefix + '/client-key',
+            WithDecryption=True
+        )
+
+        self.client_cert = store_file(
+            client_cert_parameter['Parameter']['Value'].encode('utf-8')
+        )
+        self.client_key = store_file(
+            client_key_parameter['Parameter']['Value'].encode('utf-8')
+        )
+
+        self.mesh_client = self.build_mesh_client()
+
+        return self
+
+    def __exit__(self, exc_type, exc_value, traceback):
+        log.info('Cleaning up temporary files')
+        os.unlink(self.client_cert)
+        os.unlink(self.client_key)
+        self.mesh_client.close()
+
+    def lookup_endpoint(self, endpoint_identifier):
+        """
+        Looks up a MESH endpoint URL
+        """
+
+        variable_name = f"{endpoint_identifier}_ENDPOINT"
+
+        if hasattr(mesh_client, variable_name):
+            return getattr(mesh_client, variable_name)
+
+        raise InvalidMeshEndpointError(
+            f"mesh_client module has no such endpoint {variable_name}")
+
+    def build_mesh_client(self):
+        """
+        Returns a MESH client based on the USE_MESH_MOCK environment variable
+        """
+        if self.use_mesh_mock:
+            mock_bucket = os.getenv("MOCK_MESH_BUCKET")
+            mock_endpoint = f"s3://{mock_bucket}/mock-mesh/"
+            return MockMeshClient(
+                boto3.client('s3'),
+                mock_endpoint,
+                self.mesh_mailbox,
+                log
+            )
+
+        # Use real MESH client
+        report_expiry_time(
+            self.client_cert,
+            self.certificate_expiry_metric_name,
+            self.certificate_expiry_metric_namespace,
+            self.environment)
+
+        return mesh_client.MeshClient(
+            self.lookup_endpoint(self.mesh_endpoint),
+            self.mesh_mailbox,
+            self.mesh_mailbox_password,
+            self.mesh_shared_key,
+            transparent_compress=True,
+            cert=(self.client_cert, self.client_key)
+        )

lambdas/mesh-poll/src/config.py

@@ -75,7 +75,7 @@ def __init__(self,
         self.polling_metric_name = None
         self.polling_metric_namespace = None
         self.polling_metric = None
-        self.use_mesh_mock = None
+        self.use_mesh_mock = False
 
         missing_env_vars = []
         for attr, key in _REQUIRED_ENV_VAR_MAP.items():
@@ -162,8 +162,7 @@ def build_mesh_client(self):
         Returns a MESH client based on the USE_MESH_MOCK environment variable
         """
         if self.use_mesh_mock:
-            # Use mock MESH client with S3 bucket for dev/testing
-            mock_bucket = f"{self.environment}-mock-mesh"
+            mock_bucket = os.getenv("MOCK_MESH_BUCKET")
             mock_endpoint = f"s3://{mock_bucket}/mock-mesh/"
             return MockMeshClient(
                 boto3.client('s3'),