From 9948abd21fce000b338fffa6665e23c40c899686 Mon Sep 17 00:00:00 2001
From: jamesrwarren
Date: Tue, 26 Nov 2024 10:37:19 +0000
Subject: [PATCH] DDLS-408 add encryption to remaining dynamo table

---
 terraform/account/region/dynamodb.tf | 8 +++----
 terraform/account/region/elasticache.tf | 24 +++++++++++++++++--
 terraform/account/region/lambda_ip_blocker.tf | 14 +++++++++++
 3 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/terraform/account/region/dynamodb.tf b/terraform/account/region/dynamodb.tf
index fc0f561ec4..5e03714ac2 100644
--- a/terraform/account/region/dynamodb.tf
+++ b/terraform/account/region/dynamodb.tf
@@ -76,10 +76,10 @@ resource "aws_dynamodb_table" "blocked_ips_table" {
 enabled = true
 }
- # server_side_encryption {
- # enabled = true
- # kms_key_arn = module.dynamodb_kms.eu_west_1_target_key_arn
- # }
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = module.dynamodb_kms.eu_west_1_target_key_arn
+ }
 lifecycle {
 prevent_destroy = false
diff --git a/terraform/account/region/elasticache.tf b/terraform/account/region/elasticache.tf
index 1088d111ac..90cb415ed2 100644
--- a/terraform/account/region/elasticache.tf
+++ b/terraform/account/region/elasticache.tf
@@ -12,7 +12,7 @@ resource "aws_elasticache_replication_group" "cache_api" {
 num_cache_clusters = 2
 port = 6379
 subnet_group_name = var.account.ec_subnet_group
- security_group_ids = [aws_security_group.cache_api_sg.id]
+ security_group_ids = [aws_security_group.cache_api_sg.id, aws_security_group.api_cache_sg.id]
 snapshot_retention_limit = 1
 apply_immediately = var.account.apply_immediately
 snapshot_window = "02:00-03:50"
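Review bot: Switching blocked_ips_table to a customer-managed key makes every principal that reads or writes the table depend on KMS permissions for module.dynamodb_kms, and this commit grants those only to the lambda_block_ips policy in lambda_ip_blocker.tf; any other role that touches the table (a WAF or API consumer, if one exists) would start failing with AccessDenied on the next apply. Worth confirming the table's full consumer list, and stating the dependency in the block: `# CMK-encrypted: every reader/writer also needs kms:Decrypt/GenerateDataKey on module.dynamodb_kms`. The key output is pinned to eu_west_1 inside a `region` directory, which looks like this file is meant to be instantiated per region; DynamoDB requires the key to be in the table's own region, so a second-region deployment would presumably need a region-parameterised output rather than this fixed one. The enclosing aws_dynamodb_table resource starts before the hunk.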
@@ -36,6 +36,16 @@ resource "aws_security_group" "cache_api_sg" {
 }
 }
+resource "aws_security_group" "api_cache_sg" {
+ name = "${var.account.name}-shared-cache-api"
+ vpc_id = aws_vpc.main.id
+ tags = merge(var.default_tags, { Name = "cache-api" })
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
 # see comments for ticket ddpb-3661 for extra details on in transit encryption decisions
 resource "aws_elasticache_replication_group" "front_api" {
 automatic_failover_enabled = true
@@ -48,7 +58,7 @@ resource "aws_elasticache_replication_group" "front_api" {
 num_cache_clusters = 2
 port = 6379
 subnet_group_name = var.account.ec_subnet_group
- security_group_ids = [aws_security_group.cache_front_sg.id]
+ security_group_ids = [aws_security_group.cache_front_sg.id, aws_security_group.front_cache_sg.id]
 snapshot_retention_limit = 1
 apply_immediately = var.account.apply_immediately
 snapshot_window = "02:00-03:50"
@@ -72,6 +82,16 @@ resource "aws_security_group" "cache_front_sg" {
 }
 }
+resource "aws_security_group" "front_cache_sg" {
+ name = "${var.account.name}-shared-cache-front"
+ vpc_id = aws_vpc.main.id
+ tags = merge(var.default_tags, { Name = "cache-front" })
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
 resource "aws_elasticache_parameter_group" "digideps" {
 name = "api-cache-params"
 family = "redis6.x"
diff --git a/terraform/account/region/lambda_ip_blocker.tf b/terraform/account/region/lambda_ip_blocker.tf
index 3860281780..4019b1db4e 100644
--- a/terraform/account/region/lambda_ip_blocker.tf
+++ b/terraform/account/region/lambda_ip_blocker.tf
@@ -119,6 +119,20 @@ data "aws_iam_policy_document" "lambda_block_ips" {
 resources = ["*"]
 }
+ statement {
+ sid = "UseDynamodbKMSKey"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = [
+ module.dynamodb_kms.eu_west_1_target_key_arn
+ ]
+ }
 }
 data "archive_file" "block_ips_zip" {
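Review bot: The new api_cache_sg carries no ingress or egress rules and no `description`, so as committed it admits nothing; attaching it to cache_api in the @@ -12 hunk only matters if rules are added to it from elsewhere (presumably aws_security_group_rule resources in the consuming module, given the "shared" in its name), and nothing on the page says where. The same applies to front_cache_sg in the @@ -72 hunk and its attachment in @@ -48. A one-line comment on each group would save the next reader the search, e.g. `# Rules are attached by consumers via aws_security_group_rule; this group intentionally defines none here.`, and `description = "Shared cache SG for API consumers"` would replace the provider's "Managed by Terraform" default in the console. Note also that these security-group additions are unrelated to the encryption change the subject line describes, which makes the commit harder to bisect and to revert independently.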
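Review bot: The new UseDynamodbKMSKey statement grants the key-user action set on the DynamoDB key without a `kms:ViaService` condition, so the Lambda role can call Encrypt/Decrypt on that key directly rather than only through DynamoDB; scoping the statement to the service that actually needs it keeps the grant aligned with the table access it exists for. The key output is eu_west_1-specific, so the matching service endpoint is dynamodb.eu-west-1.amazonaws.com. Note that an IAM grant alone is only effective if the key policy in module.dynamodb_kms also allows this role (directly or via the account root delegation), which cannot be confirmed from this diff. The enclosing aws_iam_policy_document block starts before the hunk.
```hcl
  statement {
    sid    = "UseDynamodbKMSKey"
    effect = "Allow"
    # … unchanged: actions list …
    resources = [module.dynamodb_kms.eu_west_1_target_key_arn]

    # Only honour this grant for KMS calls made by DynamoDB on the role's behalf.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["dynamodb.eu-west-1.amazonaws.com"]
    }
  }
```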