Add notification for object logging to events received lambda (#792)

terraform/environment/region/modules/event_received/lambda.tf

@@ -38,29 +38,6 @@ resource "aws_cloudwatch_event_target" "receive_events" {
   provider       = aws.region
 }
 
-resource "aws_cloudwatch_event_rule" "s3_object_tags_added" {
-  name           = "${data.aws_default_tags.current.tags.environment-name}-s3-object-tags-added"
-  description    = "S3 Object Tags Added"
-  event_bus_name = "default"
-
-  event_pattern = jsonencode({
-    source      = ["aws.s3"],
-    detail-type = ["Object Tags Added"],
-    detail = {
-      bucketName = [var.uploads_bucket.bucket]
-    }
-  })
-  provider = aws.region
-}
-
-resource "aws_cloudwatch_event_target" "s3_object_tags_added" {
-  target_id      = "${data.aws_default_tags.current.tags.environment-name}-s3-object-tags-added"
-  event_bus_name = "default"
-  rule           = aws_cloudwatch_event_rule.s3_object_tags_added.name
-  arn            = module.event_received.lambda.arn
-  provider       = aws.region
-}
-
 resource "aws_lambda_permission" "allow_cloudwatch_to_call_event_received" {
   statement_id   = "AllowExecutionFromCloudWatch"
   action         = "lambda:InvokeFunction"

terraform/environment/region/modules/event_received/outputs.tf

@@ -0,0 +1,3 @@
+output "lambda_function" {
+  value = module.event_received.lambda
+}

terraform/environment/region/modules/s3_antivirus/s3.tf

@@ -1,13 +1,20 @@
 resource "aws_s3_bucket_notification" "bucket_notification" {
-  count  = var.enable_autoscan ? 1 : 0
-  bucket = var.data_store_bucket.id
+  count       = var.enable_autoscan ? 1 : 0
+  bucket      = var.data_store_bucket.id
+  eventbridge = true
 
   lambda_function {
     id                  = "bucket-av-scan"
     lambda_function_arn = aws_lambda_function.lambda_function.arn
     events              = ["s3:ObjectCreated:Put"]
   }
 
+  lambda_function {
+    id                  = "av-object-tagging"
+    lambda_function_arn = var.events_received_lambda_function_arn
+    events              = ["s3:ObjectTagging:Put"]
+  }
+
   depends_on = [
     aws_lambda_permission.allow_bucket_to_run
   ]

terraform/environment/region/modules/s3_antivirus/variables.tf

@@ -34,3 +34,7 @@ variable "environment_variables" {
 variable "lambda_task_role" {
   description = "Execution role for Lambda"
 }
+
+variable "events_received_lambda_function_arn" {
+  description = "Lambda function ARN for events received"
+}

terraform/environment/region/s3_antivirus.tf

@@ -15,14 +15,15 @@ data "aws_s3_bucket" "antivirus_definitions" {
 }
 
 module "s3_antivirus" {
-  source              = "./modules/s3_antivirus"
-  alarm_sns_topic_arn = data.aws_sns_topic.custom_cloudwatch_alarms.arn
-  aws_subnet_ids      = data.aws_subnet.application.*.id
-  data_store_bucket   = module.uploads_s3_bucket.bucket
-  definition_bucket   = data.aws_s3_bucket.antivirus_definitions
-  ecr_image_uri       = "${data.aws_ecr_repository.s3_antivirus.repository_url}@${data.aws_ecr_image.s3_antivirus.image_digest}"
-  enable_autoscan     = true
-  lambda_task_role    = var.iam_roles.s3_antivirus
+  source                              = "./modules/s3_antivirus"
+  alarm_sns_topic_arn                 = data.aws_sns_topic.custom_cloudwatch_alarms.arn
+  aws_subnet_ids                      = data.aws_subnet.application.*.id
+  data_store_bucket                   = module.uploads_s3_bucket.bucket
+  definition_bucket                   = data.aws_s3_bucket.antivirus_definitions
+  ecr_image_uri                       = "${data.aws_ecr_repository.s3_antivirus.repository_url}@${data.aws_ecr_image.s3_antivirus.image_digest}"
+  enable_autoscan                     = true
+  lambda_task_role                    = var.iam_roles.s3_antivirus
+  events_received_lambda_function_arn = module.event_received.lambda_function.arn
 
   environment_variables = {
     ANTIVIRUS_DEFINITIONS_BUCKET = data.aws_s3_bucket.antivirus_definitions.id