MLPAB-1507 - Fix issue creating bucket notification links (#794)

* remove notifications from av (only one resource per bucket)

* output functions for use in bucket module

* add permissions to lambdas for s3 bucket

* remove duplicated permissions

terraform/environment/region/modules/s3_antivirus/main.tf

@@ -38,16 +38,6 @@ resource "aws_lambda_function" "lambda_function" {
   provider = aws.region
 }
 
-resource "aws_lambda_permission" "allow_bucket_to_run" {
-  statement_id   = "AllowExecutionFromS3Bucket"
-  action         = "lambda:InvokeFunction"
-  function_name  = aws_lambda_function.lambda_function.function_name
-  principal      = "s3.amazonaws.com"
-  source_account = data.aws_caller_identity.current.account_id
-  source_arn     = var.data_store_bucket.arn
-  provider       = aws.region
-}
-
 data "aws_security_group" "lambda_egress" {
   name     = "lambda-egress-${data.aws_region.current.name}"
   provider = aws.region

terraform/environment/region/modules/s3_antivirus/outputs.tf

@@ -0,0 +1,3 @@
+output "lambda_function" {
+  value = aws_lambda_function.lambda_function
+}

terraform/environment/region/modules/s3_antivirus/variables.tf

@@ -34,7 +34,3 @@ variable "environment_variables" {
 variable "lambda_task_role" {
   description = "Execution role for Lambda"
 }
-
-variable "events_received_lambda_function_arn" {
-  description = "Lambda function ARN for events received"
-}

terraform/environment/region/modules/uploads_s3_bucket/s3_notifications.tf

@@ -0,0 +1,37 @@
+resource "aws_s3_bucket_notification" "bucket_notification" {
+  bucket = aws_s3_bucket.bucket.id
+
+  lambda_function {
+    id                  = "bucket-av-scan"
+    lambda_function_arn = var.s3_antivirus_lambda_function.arn
+    events              = ["s3:ObjectCreated:Put"]
+  }
+
+  lambda_function {
+    id                  = "av-object-tagging"
+    lambda_function_arn = var.events_received_lambda_function.arn
+    events              = ["s3:ObjectTagging:Put"]
+  }
+  depends_on = [aws_lambda_permission.av_scan, aws_lambda_permission.object_tagging]
+  provider   = aws.region
+}
+
+resource "aws_lambda_permission" "av_scan" {
+  statement_id   = "AllowExecutionFromS3BucketAvScan"
+  action         = "lambda:InvokeFunction"
+  function_name  = var.s3_antivirus_lambda_function.function_name
+  principal      = "s3.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+  source_arn     = aws_s3_bucket.bucket.arn
+  provider       = aws.region
+}
+
+resource "aws_lambda_permission" "object_tagging" {
+  statement_id   = "AllowExecutionFromS3BucketObjectTagging"
+  action         = "lambda:InvokeFunction"
+  function_name  = var.events_received_lambda_function.function_name
+  principal      = "s3.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+  source_arn     = aws_s3_bucket.bucket.arn
+  provider       = aws.region
+}

terraform/environment/region/modules/uploads_s3_bucket/variables.tf

@@ -33,3 +33,11 @@ variable "s3_replication" {
     }
     EOT
 }
+
+variable "events_received_lambda_function" {
+  description = "Lambda function ARN for events received"
+}
+
+variable "s3_antivirus_lambda_function" {
+  description = "Lambda function ARN for events received"
+}

terraform/environment/region/s3_antivirus.tf

@@ -15,15 +15,14 @@ data "aws_s3_bucket" "antivirus_definitions" {
 }
 
 module "s3_antivirus" {
-  source                              = "./modules/s3_antivirus"
-  alarm_sns_topic_arn                 = data.aws_sns_topic.custom_cloudwatch_alarms.arn
-  aws_subnet_ids                      = data.aws_subnet.application.*.id
-  data_store_bucket                   = module.uploads_s3_bucket.bucket
-  definition_bucket                   = data.aws_s3_bucket.antivirus_definitions
-  ecr_image_uri                       = "${data.aws_ecr_repository.s3_antivirus.repository_url}@${data.aws_ecr_image.s3_antivirus.image_digest}"
-  enable_autoscan                     = true
-  lambda_task_role                    = var.iam_roles.s3_antivirus
-  events_received_lambda_function_arn = module.event_received.lambda_function.arn
+  source              = "./modules/s3_antivirus"
+  alarm_sns_topic_arn = data.aws_sns_topic.custom_cloudwatch_alarms.arn
+  aws_subnet_ids      = data.aws_subnet.application.*.id
+  data_store_bucket   = module.uploads_s3_bucket.bucket
+  definition_bucket   = data.aws_s3_bucket.antivirus_definitions
+  ecr_image_uri       = "${data.aws_ecr_repository.s3_antivirus.repository_url}@${data.aws_ecr_image.s3_antivirus.image_digest}"
+  enable_autoscan     = true
+  lambda_task_role    = var.iam_roles.s3_antivirus
 
   environment_variables = {
     ANTIVIRUS_DEFINITIONS_BUCKET = data.aws_s3_bucket.antivirus_definitions.id

terraform/environment/region/uploads_s3_bucket.tf

@@ -17,8 +17,10 @@ data "aws_ecr_repository" "s3_create_batch_replication_jobs" {
 module "uploads_s3_bucket" {
   source = "./modules/uploads_s3_bucket"
 
-  bucket_name   = "uploads-${data.aws_default_tags.current.tags.application}-${data.aws_default_tags.current.tags.environment-name}-${data.aws_region.current.name}"
-  force_destroy = data.aws_default_tags.current.tags.environment-name != "production" ? true : false
+  bucket_name                     = "uploads-${data.aws_default_tags.current.tags.application}-${data.aws_default_tags.current.tags.environment-name}-${data.aws_region.current.name}"
+  force_destroy                   = data.aws_default_tags.current.tags.environment-name != "production" ? true : false
+  events_received_lambda_function = module.event_received.lambda_function
+  s3_antivirus_lambda_function    = module.s3_antivirus.lambda_function
   s3_replication = {
     enabled                                   = var.reduced_fees.s3_object_replication_enabled
     destination_bucket_arn                    = data.aws_ssm_parameter.replication_bucket_arn.value