From 59dc374e0e301636f9c4273ec5525e9e5cb5c0b1 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 23 Aug 2024 14:46:12 +0100
Subject: [PATCH 1/5] move cortex user and policy into cortex.tf
---
 terraform/environments/core-logging/cortex.tf | 45 +++++++++++++++++++
 terraform/environments/core-logging/sqs.tf | 43 ------------------
 2 files changed, 45 insertions(+), 43 deletions(-)
diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index 3f72ddfae..3891b1af6 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -53,6 +53,34 @@ data "aws_iam_policy_document" "logging-sqs" {
 }
 }
 
+data "aws_iam_policy_document" "sqs_queue_read_document" {
+ statement {
+ sid = "SQSQueueReceiveMessages"
+ effect = "Allow"
+ actions = [
+ "sqs:ReceiveMessage",
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:ListQueues"
+ ]
+ resources = flatten([
+ aws_sqs_queue.mp_cloudtrail_log_queue.arn,
+ [ for key in aws_sqs_queue.logging : key.arn ]
+ ])
+ }
+ statement {
+ sid = "SQSReadLoggingS3"
+ effect = "Allow"
+ actions = ["s3:GetObject"]
+ resources = concat(
+ [module.s3-bucket-cloudtrail.bucket.arn, "${module.s3-bucket-cloudtrail.bucket.arn}/*"],
+ [ for key in aws_s3_bucket.logging : key.arn ],
+ [ for key in aws_s3_bucket.logging : "${key.arn}/*"]
+ )
+ }
+}
+
 locals {
 cortex_logging_buckets = toset(["vpc-flow-logs", "r53-resolver-logs", "generic-logs"])
 }
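Review bot: `"sqs:ListQueues"` in the SQSQueueReceiveMessages statement is scoped to specific queue ARNs, but ListQueues does not support resource-level permissions, so as written it is never actually granted; either drop it (if the consumer only needs the known queues it can resolve them with GetQueueUrl) or give it its own statement with `resources = ["*"]` so the intent is explicit. Likewise `s3:GetObject` only matches object ARNs, so the bare bucket ARNs in SQSReadLoggingS3 (`module.s3-bucket-cloudtrail.bucket.arn` and the `key.arn` list) grant nothing and suggest bucket-level access that is not there. The header comments that described these blocks in sqs.tf were not carried over in the move; a one-line header such as `# Read-only access for the Cortex XSIAM collector: consume the log queues and fetch the objects they reference` would keep that context, and the same applies to the user/policy hunk that follows.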
@@ -158,3 +186,20 @@ resource "aws_secretsmanager_secret_version" "logging" {
 key => aws_s3_bucket.logging[key].arn
 })
 }
+
+resource "aws_iam_user" "cortex_xsiam_user" {
+ #checkov:skip=CKV_AWS_273: This has been agreed by the TA that for this purpose an IAM user account can be used.
+ name = "cortex_xsiam_user"
+}
+
+resource "aws_iam_policy" "sqs_queue_read_policy" {
+ name = "sqs-queue-read-policy"
+ description = "Allows the access to the created SQS queue"
+ policy = data.aws_iam_policy_document.sqs_queue_read_document.json
+}
+
+resource "aws_iam_user_policy_attachment" "sqs_queue_read_policy_attachment" {
+ #checkov:skip=CKV_AWS_40: User account only has a single purpose so no role or group is needed
+ user = "cortex_xsiam_user"
+ policy_arn = aws_iam_policy.sqs_queue_read_policy.arn
+}
\ No newline at end of file
diff --git a/terraform/environments/core-logging/sqs.tf b/terraform/environments/core-logging/sqs.tf
index 2d4b97d82..ce6217eef 100644
--- a/terraform/environments/core-logging/sqs.tf
+++ b/terraform/environments/core-logging/sqs.tf
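Review bot: `description = "Allows the access to the created SQS queue"` no longer describes what the attached document grants, since the document added in the previous hunk of this patch also allows `s3:GetObject` on the CloudTrail and logging buckets; the policy rename in patch 5 carries the same wording forward. Suggest `description = "Allows the Cortex XSIAM user to consume the logging SQS queues and read the log objects they reference"` so the console entry matches the actual grant. The checkov skip on the user explains why an IAM user is acceptable but not how its credentials are issued or rotated; if that lives elsewhere, a one-line pointer comment here would help the next reviewer.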
@@ -44,46 +44,3 @@ resource "aws_s3_bucket_notification" "logging_bucket_notification" {
 events = ["s3:ObjectCreated:*"] # Events to trigger the notification
 }
 }
-
-##### IAM User Account & Resources to access the sqs queue
-
-# Create an IAM policy document to allow access to the SQS Queue
-data "aws_iam_policy_document" "sqs_queue_read_document" {
- statement {
- sid = "SQSQueueReceiveMessages"
- effect = "Allow"
- actions = [
- "sqs:ReceiveMessage",
- "sqs:DeleteMessage",
- "sqs:GetQueueAttributes",
- "sqs:GetQueueUrl",
- "sqs:ListQueues"
- ]
- resources = [aws_sqs_queue.mp_cloudtrail_log_queue.arn]
- }
- statement {
- sid = "SQSReadLoggingS3"
- effect = "Allow"
- actions = ["s3:GetObject"]
- resources = [module.s3-bucket-cloudtrail.bucket.arn, "${module.s3-bucket-cloudtrail.bucket.arn}/*"]
- }
-}
-
-# IAM policy to read the SQS queue
-resource "aws_iam_policy" "sqs_queue_read_policy" {
- name = "sqs-queue-read-policy"
- description = "Allows the access to the created SQS queue"
- policy = data.aws_iam_policy_document.sqs_queue_read_document.json
-}
-
-# Creates an IAM user that will access the sqs queue
-resource "aws_iam_user" "cortex_xsiam_user" {
- #checkov:skip=CKV_AWS_273: This has been agreed by the TA that for this purpose an IAM user account can be used.
- name = "cortex_xsiam_user"
-}
-
-resource "aws_iam_user_policy_attachment" "sqs_queue_read_policy_attachment" {
- #checkov:skip=CKV_AWS_40: User account only has a single purpose so no role or group is needed
- user = "cortex_xsiam_user"
- policy_arn = aws_iam_policy.sqs_queue_read_policy.arn
-}
\ No newline at end of file
From f7e524c6572af4778e859b91f8a005b6e878c4a2 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 23 Aug 2024 15:16:44 +0100
Subject: [PATCH 2/5] correctly scope sqs policies
---
 terraform/environments/core-logging/cortex.tf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index 3891b1af6..df76bfaf4 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -34,6 +34,7 @@ data "aws_iam_policy_document" "logging-bucket" {
 }
 }
 data "aws_iam_policy_document" "logging-sqs" {
+ for_each = local.cortex_logging_buckets
 statement {
 sid = "AllowSendMessage"
 effect = "Allow"
@@ -42,13 +43,11 @@ data "aws_iam_policy_document" "logging-sqs" {
 identifiers = ["s3.amazonaws.com"]
 }
 actions = ["sqs:SendMessage"]
- resources = [
- for key in aws_sqs_queue.logging : key.arn
- ]
+ resources = [aws_sqs_queue.logging[each.key].arn]
 condition {
 test = "ArnEquals"
 variable = "aws:SourceArn"
- values = [for key in aws_s3_bucket.logging : key.arn]
+ values = [aws_s3_bucket.logging[each.key].arn]
 }
 }
 }
@@ -160,7 +159,7 @@ resource "aws_sqs_queue" "logging" {
 resource "aws_sqs_queue_policy" "logging" {
 for_each = local.cortex_logging_buckets
- policy = data.aws_iam_policy_document.logging-sqs.json
+ policy = data.aws_iam_policy_document.logging-sqs[each.key].json
 queue_url = aws_sqs_queue.logging[each.key].url
 }
From a1346d6355c6e3a9d95030ef96940c85d952af3f Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 23 Aug 2024 15:46:27 +0100
Subject: [PATCH 3/5] small referencing change for policy attachment
---
 terraform/environments/core-logging/cortex.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index df76bfaf4..0ca2ba89a 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
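Review bot: The `for_each` on `logging-sqs` tightens the trust model from "any logging bucket may send to any logging queue" to a strict one-to-one pairing of bucket and queue, which is the right call, but nothing in the hunk records that intent, so a later tidy-up could collapse it back into a single document without noticing the widening. Suggest a comment above the data source: `# One document per bucket so that each queue policy trusts only its own bucket's aws:SourceArn`. The principals block of this statement sits between the first two hunks and is not visible here.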
@@ -199,6 +199,6 @@ resource "aws_iam_policy" "sqs_queue_read_policy" {
 
 resource "aws_iam_user_policy_attachment" "sqs_queue_read_policy_attachment" {
 #checkov:skip=CKV_AWS_40: User account only has a single purpose so no role or group is needed
- user = "cortex_xsiam_user"
+ user = aws_iam_user.cortex_xsiam_user.name
 policy_arn = aws_iam_policy.sqs_queue_read_policy.arn
 }
\ No newline at end of file
From 6412beee88b8553eaabe104bfbdb2b1ca962fd3d Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 23 Aug 2024 17:02:04 +0100
Subject: [PATCH 4/5] add statement for xsiam to GetObject from buckets
---
 terraform/environments/core-logging/cortex.tf | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index 0ca2ba89a..3bda89ae1 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -31,6 +31,28 @@ data "aws_iam_policy_document" "logging-bucket" {
 values = ["arn:aws:iam::*:role/firehose-to-s3*"]
 }
 }
+ statement {
+ sid = "AllowXSIAMGetObject"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [aws_iam_user.cortex_xsiam_user.arn]
+ }
+ actions = [
+ "s3:GetObject"
+ ]
+ resources = [
+ aws_s3_bucket.logging[each.key].arn,
+ "${aws_s3_bucket.logging[each.key].arn}/*"
+ ]
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "aws:PrincipalOrgPaths"
+ values = [
+ "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
+ ]
+ }
+ }
 }
 
 data "aws_iam_policy_document" "logging-sqs" {
@@ -57,6 +79,7 @@ data "aws_iam_policy_document" "sqs_queue_read_document" {
 sid = "SQSQueueReceiveMessages"
 effect = "Allow"
 actions = [
+ "sqs:ChangeMessageVisibility",
 "sqs:ReceiveMessage",
 "sqs:DeleteMessage",
 "sqs:GetQueueAttributes",
From 1f8e2de1fa29e9f3491e95211df2491a9be2965c Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Thu, 29 Aug 2024 14:08:20 +0100
Subject: [PATCH 5/5] removed default attributtes
---
 terraform/environments/core-logging/cortex.tf | 47 ++++---------------
 1 file changed, 10 insertions(+), 37 deletions(-)
diff --git a/terraform/environments/core-logging/cortex.tf b/terraform/environments/core-logging/cortex.tf
index 3bda89ae1..44e65b1db 100644
--- a/terraform/environments/core-logging/cortex.tf
+++ b/terraform/environments/core-logging/cortex.tf
@@ -1,3 +1,7 @@
+locals {
+ cortex_logging_buckets = toset(["vpc-flow-logs", "r53-resolver-logs", "generic-logs"])
+}
+
 # Because we can't use wildcards beyond "*" in a principal identifier, we use a policy condition to scope access only
 # to accounts in our OU, where the role matches the name created through the cloudwatch-firehose module
 data "aws_iam_policy_document" "logging-bucket" {
@@ -31,28 +35,6 @@ data "aws_iam_policy_document" "logging-bucket" {
 values = ["arn:aws:iam::*:role/firehose-to-s3*"]
 }
 }
- statement {
- sid = "AllowXSIAMGetObject"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = [aws_iam_user.cortex_xsiam_user.arn]
- }
- actions = [
- "s3:GetObject"
- ]
- resources = [
- aws_s3_bucket.logging[each.key].arn,
- "${aws_s3_bucket.logging[each.key].arn}/*"
- ]
- condition {
- test = "ForAnyValue:StringLike"
- variable = "aws:PrincipalOrgPaths"
- values = [
- "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
- ]
- }
- }
 }
 
 data "aws_iam_policy_document" "logging-sqs" {
@@ -74,7 +56,7 @@ data "aws_iam_policy_document" "logging-sqs" {
 }
 }
 
-data "aws_iam_policy_document" "sqs_queue_read_document" {
+data "aws_iam_policy_document" "cortex_user_policy" {
 statement {
 sid = "SQSQueueReceiveMessages"
 effect = "Allow"
@@ -92,21 +74,16 @@ data "aws_iam_policy_document" "sqs_queue_read_document" {
 ])
 }
 statement {
- sid = "SQSReadLoggingS3"
+ sid = "S3GetLogs"
 effect = "Allow"
 actions = ["s3:GetObject"]
 resources = concat(
 [module.s3-bucket-cloudtrail.bucket.arn, "${module.s3-bucket-cloudtrail.bucket.arn}/*"],
- [ for key in aws_s3_bucket.logging : key.arn ],
 [ for key in aws_s3_bucket.logging : "${key.arn}/*"]
 )
 }
 }
 
-locals {
- cortex_logging_buckets = toset(["vpc-flow-logs", "r53-resolver-logs", "generic-logs"])
-}
-
 resource "aws_s3_bucket" "logging" {
 # checkov:skip=CKV_AWS_18: Access logs not presently required
 # checkov:skip=CKV_AWS_21: Versioning of log objects not required
@@ -172,11 +149,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {
 resource "aws_sqs_queue" "logging" {
 for_each = local.cortex_logging_buckets
 name_prefix = "${local.application_name}-${each.key}"
- delay_seconds = 0 # The default is 0 but can be up to 15 minutes
- max_message_size = 262144 # 256k which is the max size
- message_retention_seconds = 345600 # This is 4 days. The max is 14 days
 sqs_managed_sse_enabled = true # Using managed encryption
- visibility_timeout_seconds = 30 # This is only useful for queues that have multiple subscribers
 tags = local.tags
 }
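Review bot: The S3GetLogs statement drops the bare `key.arn` entries for the logging buckets but keeps the bare `module.s3-bucket-cloudtrail.bucket.arn` as the first element of the `concat`, so the two halves now follow different rules; since `s3:GetObject` only matches object ARNs the bucket ARN grants nothing either way, and leaving it reads as bucket-level access that does not exist. Suggest `["${module.s3-bucket-cloudtrail.bucket.arn}/*"],` as the first element, which leaves the effective grant unchanged and makes the statement uniform. The SQS statement of this data source sits above the hunk and is not visible here.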
@@ -214,14 +187,14 @@ resource "aws_iam_user" "cortex_xsiam_user" {
 name = "cortex_xsiam_user"
 }
 
-resource "aws_iam_policy" "sqs_queue_read_policy" {
- name = "sqs-queue-read-policy"
+resource "aws_iam_policy" "cortex_user_policy" {
+ name = "cortex-user-policy"
 description = "Allows the access to the created SQS queue"
- policy = data.aws_iam_policy_document.sqs_queue_read_document.json
+ policy = data.aws_iam_policy_document.cortex_user_policy.json
 }
 
 resource "aws_iam_user_policy_attachment" "sqs_queue_read_policy_attachment" {
 #checkov:skip=CKV_AWS_40: User account only has a single purpose so no role or group is needed
 user = aws_iam_user.cortex_xsiam_user.name
- policy_arn = aws_iam_policy.sqs_queue_read_policy.arn
+ policy_arn = aws_iam_policy.cortex_user_policy.arn
 }
\ No newline at end of file
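Review bot: Changing both the resource address and the `name` of the IAM policy means Terraform will destroy `sqs-queue-read-policy` and create `cortex-user-policy`, and because the attachment's `policy_arn` now resolves to the new policy the attachment is replaced as well, so the Cortex user has no permissions for the span of the apply; if that gap matters for log collection, schedule the apply accordingly and consider a `moved` block for the address change (it keeps the state entry, though the `name` change still forces replacement — this depends on the Terraform version in use, which is not visible here). The attachment label `sqs_queue_read_policy_attachment` was left behind by the rename; `resource "aws_iam_user_policy_attachment" "cortex_user_policy_attachment" {` would keep the document, policy and attachment consistently named, at the cost of one more state move.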