cds-snc · ben851 · Apr 20, 2023 · Apr 20, 2023 · Apr 20, 2023 · Apr 20, 2023
@@ -12,7 +12,7 @@ resource "aws_athena_database" "notification_athena" {
 }
 
 resource "aws_athena_workgroup" "primary" {
-  name = "primary"
+  name = var.athena_workgroup_name
 
   configuration {
     enforce_workgroup_configuration    = true
@@ -40,7 +40,7 @@ resource "aws_athena_named_query" "create_table_alb_logs" {
     {
       database_name   = aws_athena_database.notification_athena.name
       table_name      = "alb_logs"
-      bucket_location = "s3://${var.cbs_satellite_bucket_name}/lb_logs/AWSLogs/${var.account_id}/elasticloadbalancing/${var.region}/"
+      bucket_location = "s3://${aws_s3_bucket.cbs_sensor_bucket.bucket}/lb_logs/AWSLogs/${var.account_id}/elasticloadbalancing/${var.region}/"
   })
 }
 
@@ -52,7 +52,7 @@ resource "aws_athena_named_query" "create_table_waf_logs" {
     {
       database_name   = aws_athena_database.notification_athena.name
       table_name      = "waf_logs_lb"
-      bucket_location = "s3://${var.cbs_satellite_bucket_name}/waf_acl_logs/AWSLogs/${var.account_id}/lb/"
+      bucket_location = "s3://${aws_s3_bucket.cbs_sensor_bucket.bucket}/waf_acl_logs/AWSLogs/${var.account_id}/lb/"
   })
 }
 
@@ -64,7 +64,7 @@ resource "aws_athena_named_query" "create_table_waf_logs_api_lambda" {
     {
       database_name   = aws_athena_database.notification_athena.name
       table_name      = "waf_logs_api_lambda"
-      bucket_location = "s3://${var.cbs_satellite_bucket_name}/waf_acl_logs/AWSLogs/${var.account_id}/lambda/"
+      bucket_location = "s3://${aws_s3_bucket.cbs_sensor_bucket.bucket}/waf_acl_logs/AWSLogs/${var.account_id}/lambda/"
   })
 }
 
@@ -76,6 +76,6 @@ resource "aws_athena_named_query" "create_table_all_waf_logs" {
     {
       database_name   = aws_athena_database.notification_athena.name
       table_name      = "waf_logs"
-      bucket_location = "s3://${var.cbs_satellite_bucket_name}/waf_acl_logs/AWSLogs/${var.account_id}/"
+      bucket_location = "s3://${aws_s3_bucket.cbs_sensor_bucket.bucket}/waf_acl_logs/AWSLogs/${var.account_id}/"
   })
 }
@@ -274,8 +274,8 @@ data "aws_iam_policy_document" "firehose_waf_logs" {
       "s3:PutObject"
     ]
     resources = [
-      "arn:aws:s3:::${var.cbs_satellite_bucket_name}",
-      "arn:aws:s3:::${var.cbs_satellite_bucket_name}/*"
+      "arn:aws:s3:::${aws_s3_bucket.cbs_sensor_bucket.bucket}",
+      "arn:aws:s3:::${aws_s3_bucket.cbs_sensor_bucket.bucket}/*"
     ]
   }
   statement {

diff --git a/aws/common/outputs.tf b/aws/common/outputs.tf
@@ -135,5 +135,5 @@ output "sns_deliveries_failures_us_west_2_name" {
 }
 
 output "sqs_notify_internal_tasks_arn" {
-  value = data.aws_sqs_queue.notify-internal-tasks.arn
+  value = aws_sqs_queue.notify_internal_tasks_queue.arn
 }
@@ -43,7 +43,6 @@ resource "aws_s3_bucket_public_access_block" "csv_bucket" {
 
 resource "aws_s3_bucket" "csv_bucket_logs" {
   bucket = "notification-canada-ca-${var.env}-csv-upload-logs"
-  acl    = "log-delivery-write"
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -69,6 +68,32 @@ resource "aws_s3_bucket" "csv_bucket_logs" {
   #tfsec:ignore:AWS077 - Versioning is not enabled
 }
 
+resource "aws_s3_bucket_public_access_block" "csv_bucket_logs" {
+  bucket = aws_s3_bucket.csv_bucket_logs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "csv_bucket_logs" {
+  bucket = aws_s3_bucket.csv_bucket_logs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "csv_bucket_logs" {
+  depends_on = [
+    aws_s3_bucket_public_access_block.csv_bucket_logs,
+    aws_s3_bucket_ownership_controls.csv_bucket_logs,
+  ]
+
+  bucket = aws_s3_bucket.csv_bucket_logs.id
+  acl    = "log-delivery-write"
+}
+
 resource "aws_s3_bucket" "bulk_send" {
   bucket = "notification-canada-ca-${var.env}-bulk-send"
   acl    = "private"
@@ -110,7 +135,6 @@ resource "aws_s3_bucket_public_access_block" "bulk_send" {
 
 resource "aws_s3_bucket" "bulk_send_logs" {
   bucket = "notification-canada-ca-${var.env}-bulk-send-logs"
-  acl    = "log-delivery-write"
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -135,15 +159,33 @@ resource "aws_s3_bucket" "bulk_send_logs" {
   #tfsec:ignore:AWS077 - Versioning is not enabled
 }
 
-resource "aws_s3_bucket_public_access_block" "csv_bucket_logs" {
-  bucket = aws_s3_bucket.csv_bucket_logs.id
+resource "aws_s3_bucket_public_access_block" "bulk_send_logs" {
+  bucket = aws_s3_bucket.bulk_send_logs.id
 
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "bulk_send_logs" {
+  bucket = aws_s3_bucket.bulk_send_logs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "bulk_send_logs" {
+  depends_on = [
+    aws_s3_bucket_public_access_block.bulk_send_logs,
+    aws_s3_bucket_ownership_controls.bulk_send_logs,
+  ]
+
+  bucket = aws_s3_bucket.bulk_send_logs.id
+  acl    = "log-delivery-write"
+}
+
+
 resource "aws_s3_bucket" "asset_bucket" {
   bucket = "notification-canada-ca-${var.env}-asset-upload"
   server_side_encryption_configuration {
@@ -301,7 +343,6 @@ resource "aws_s3_bucket_public_access_block" "scan_files_document_bucket" {
 
 resource "aws_s3_bucket" "document_bucket_logs" {
   bucket = "notification-canada-ca-${var.env}-document-download-logs"
-  acl    = "log-delivery-write"
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -335,6 +376,23 @@ resource "aws_s3_bucket_public_access_block" "document_bucket_logs" {
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "document_bucket_logs" {
+  bucket = aws_s3_bucket.document_bucket_logs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "document_bucket_logs" {
+  depends_on = [
+    aws_s3_bucket_public_access_block.document_bucket_logs,
+    aws_s3_bucket_ownership_controls.document_bucket_logs,
+  ]
+
+  bucket = aws_s3_bucket.document_bucket_logs.id
+  acl    = "log-delivery-write"
+}
+
 resource "aws_s3_bucket" "alb_log_bucket" {
   bucket = "notification-canada-ca-${var.env}-alb-logs"
   acl    = "private"
@@ -454,7 +512,6 @@ resource "aws_s3_bucket_public_access_block" "athena_bucket" {
 
 resource "aws_s3_bucket" "athena_bucket_logs" {
   bucket = "notification-canada-ca-${var.env}-athena-logs"
-  acl    = "log-delivery-write"
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -478,3 +535,81 @@ resource "aws_s3_bucket" "athena_bucket_logs" {
   #tfsec:ignore:AWS002 - Ignore log of logs
   #tfsec:ignore:AWS077 - Versioning is not enabled
 }
+
+resource "aws_s3_bucket_public_access_block" "athena_bucket_logs" {
+  bucket = aws_s3_bucket.athena_bucket_logs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "athena_bucket_logs" {
+  bucket = aws_s3_bucket.athena_bucket_logs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "athena_bucket_logs" {
+  depends_on = [
+    aws_s3_bucket_public_access_block.athena_bucket_logs,
+    aws_s3_bucket_ownership_controls.athena_bucket_logs,
+  ]
+
+  bucket = aws_s3_bucket.athena_bucket_logs.id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket" "cbs_sensor_bucket" {
+  bucket = "cbs-satellite-${var.account_id}"
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  lifecycle_rule {
+    enabled = true
+
+    expiration {
+      days = 14
+    }
+  }
+
+  tags = {
+    CostCenter = "notification-canada-ca-${var.env}"
+  }
+
+  #tfsec:ignore:AWS002 - Ignore log of logs
+  #tfsec:ignore:AWS077 - Versioning is not enabled
+}
+
+resource "aws_s3_bucket_public_access_block" "cbs_sensor_bucket" {
+  bucket = aws_s3_bucket.cbs_sensor_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "cbs_sensor_bucket" {
+  bucket = aws_s3_bucket.cbs_sensor_bucket.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "cbs_sensor_bucket" {
+  depends_on = [
+    aws_s3_bucket_public_access_block.cbs_sensor_bucket,
+    aws_s3_bucket_ownership_controls.cbs_sensor_bucket,
+  ]
+
+  bucket = aws_s3_bucket.cbs_sensor_bucket.id
+  acl    = "log-delivery-write"
+}
@@ -22,8 +22,9 @@ resource "aws_sqs_queue" "bulk_db_tasks_queue" {
   # AWS managed encryption is good enough for us
 }
 
-# We are doing this here as it is required for ses_receiving_emails lambda
-# That folder is configured to use us-east-1, but the below queue is in ca-central-1
-data "aws_sqs_queue" "notify-internal-tasks" {
-  name = "${var.celery_queue_prefix}notify-internal-tasks"
+resource "aws_sqs_queue" "notify_internal_tasks_queue" {
+  name                    = "${var.celery_queue_prefix}notify-internal-tasks"
+  sqs_managed_sse_enabled = false
+  # This queue was created outside of terraform and has this value set to false in staging and production.
+  visibility_timeout_seconds = 310
 }
@@ -211,3 +211,9 @@ variable "alarm_critical_expired_email_created_threshold" {
   description = "Critical alarm threshold for expired email batches created"
   type        = number
 }
+
+variable "athena_workgroup_name" {
+  description = "The name of the athena workgroup. This resource seems to be created by default in new environments and thus needs to be overridden. For prod and staging, the default primary is sufficient"
+  type        = string
+  default     = "primary"
+}
@@ -203,7 +203,7 @@ resource "aws_default_network_acl" "notification-canada-ca" {
 }
 
 resource "aws_flow_log" "cloud-based-sensor" {
-  log_destination      = "arn:aws:s3:::${var.cbs_satellite_bucket_name}/vpc_flow_logs/"
+  log_destination      = aws_s3_bucket.cbs_sensor_bucket.arn
   log_destination_type = "s3"
   traffic_type         = "ALL"
   vpc_id               = aws_vpc.notification-canada-ca.id

@@ -13,7 +13,7 @@ resource "aws_alb" "notification-canada-ca" {
   subnets = var.vpc_public_subnets
 
   access_logs {
-    bucket  = var.cbs_satellite_bucket_name
+    bucket  = aws_s3_bucket.cbs_sensor_bucket.bucket
     prefix  = "lb_logs"
     enabled = true
   }

@@ -593,7 +593,7 @@ resource "aws_kinesis_firehose_delivery_stream" "firehose-waf-logs" {
   extended_s3_configuration {
     role_arn           = var.firehose_waf_logs_iam_role_arn
     prefix             = "waf_acl_logs/AWSLogs/${var.account_id}/lb/"
-    bucket_arn         = "arn:aws:s3:::${var.cbs_satellite_bucket_name}"
+    bucket_arn         = "arn:aws:s3:::${aws_s3_bucket.cbs_sensor_bucket.bucket}"
     compression_format = "GZIP"
 
     # Buffer incoming data size (MB), before delivering to S3 bucket

@@ -366,7 +366,7 @@ resource "aws_kinesis_firehose_delivery_stream" "firehose-api-lambda-waf-logs" {
   extended_s3_configuration {
     role_arn           = var.firehose_waf_logs_iam_role_arn
     prefix             = "waf_acl_logs/AWSLogs/${var.account_id}/lambda/"
-    bucket_arn         = "arn:aws:s3:::${var.cbs_satellite_bucket_name}"
+    bucket_arn         = "arn:aws:s3:::${aws_s3_bucket.cbs_sensor_bucket.bucket}"
     compression_format = "GZIP"
 
     # Buffer incoming data size (MB), before delivering to S3 bucket