Merge branch 'main' of github.com:ministryofjustice/opg-digideps into…

… renovate-weasyprint-63.x

client/app/src/Service/HtmlToPdfGenerator.php

@@ -34,12 +34,6 @@ public function isAlive()
     {
         $pdf = $this->getPdfFromHtml('test');
 
-        //        file_put_contents('php://stderr', print_r(strlen($pdf), TRUE));
-        //        file_put_contents('php://stderr', print_r(' JIMMY1 ', TRUE));
-        //        file_put_contents('php://stderr', print_r(preg_match('/PDF-\d/', $pdf), TRUE));
-        //        file_put_contents('php://stderr', print_r(' JIMMY2 ', TRUE));
-        //        file_put_contents('php://stderr', print_r(strlen($pdf) > 700, TRUE));
-        //        file_put_contents('php://stderr', print_r(' JIMMY3 ', TRUE));
         return strlen($pdf) > 700 && preg_match('/PDF-\d/', $pdf);
     }
 

terraform/account/region/kms_service_sns.tf

@@ -0,0 +1,71 @@
+##### Shared KMS key for SNS #####
+
+# Account logs encryption
+module "sns_kms" {
+  source                  = "./modules/kms_key"
+  encrypted_resource      = "SNS"
+  kms_key_alias_name      = "digideps_sns_encryption_key"
+  enable_key_rotation     = true
+  enable_multi_region     = false
+  deletion_window_in_days = 10
+  kms_key_policy          = var.account.name == "development" ? data.aws_iam_policy_document.kms_sns_merged_for_development.json : data.aws_iam_policy_document.kms_sns_merged.json
+  providers = {
+    aws.eu_west_1 = aws.eu_west_1
+    aws.eu_west_2 = aws.eu_west_2
+  }
+}
+
+# Policies
+data "aws_iam_policy_document" "kms_sns_merged_for_development" {
+  provider = aws.global
+  source_policy_documents = [
+    data.aws_iam_policy_document.kms_sns.json,
+    data.aws_iam_policy_document.kms_base_permissions.json,
+    data.aws_iam_policy_document.kms_development_account_operator_admin.json
+  ]
+}
+
+data "aws_iam_policy_document" "kms_sns_merged" {
+  provider = aws.global
+  source_policy_documents = [
+    data.aws_iam_policy_document.kms_sns.json,
+    data.aws_iam_policy_document.kms_base_permissions.json
+  ]
+}
+
+data "aws_iam_policy_document" "kms_sns" {
+  statement {
+    sid       = "Allow Key to be used for Encryption by SNS"
+    effect    = "Allow"
+    resources = ["*"]
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com",
+        "cloudwatch.amazonaws.com"
+      ]
+    }
+  }
+
+  statement {
+    sid       = "Allow Key to be decrypted by lambda"
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["kms:Decrypt"]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        aws_iam_role.lambda_monitor_notify.arn
+      ]
+    }
+  }
+}

terraform/account/region/lambda_monitor_notify.tf

@@ -102,6 +102,17 @@ data "aws_iam_policy_document" "lambda_monitor_notify" {
     ]
   }
 
+  statement {
+    sid    = "SnsDecryptKms"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt"
+    ]
+    resources = [
+      module.sns_kms.eu_west_1_target_key_arn
+    ]
+  }
+
   statement {
     sid    = "ReadSecret"
     effect = "Allow"

terraform/account/region/sns.tf

@@ -1,11 +1,13 @@
 resource "aws_sns_topic" "alerts" {
-  name = "alerts"
+  name              = "alerts"
+  kms_master_key_id = module.sns_kms.eu_west_1_target_key_arn
   tags = merge(
     var.default_tags,
     { Name = "alerts-${var.account.name}" },
   )
 }
 
+# Can't do cross region SNS encryption
 resource "aws_sns_topic" "availability-alert" {
   provider     = aws.global
   name         = "availability-alert-${local.current_main_region}"