DPTS-1286 Fixes for s3 encryption (#68)

tamaragoldschmidt · web-flow · commit f3f741fc601c · 2023-04-25T13:01:58.000+01:00
* DPTS-1268 Updated the DB Host parameter

* DPTS-1268 Reset to pipeline RDS

* DPTS-1268 Add s3 copy encryption

* DPTS-1268 Revertng security group

* DPTS-1268 Add service side encryption to copy olbject
diff --git a/application/utilities/s3.py b/application/utilities/s3.py
@@ -30,6 +30,7 @@ def copy_object(self, bucket, file, event, start):
                 Bucket=bucket,
                 CopySource="{}/{}".format(bucket, file),
                 Key="{}/archive/{}".format(file.split("/")[0], file.split("/")[1]),
+                ServerSideEncryption='AES256',
             )
             return response
         except ClientError as e:
diff --git a/build/automation/lib/aws.mk b/build/automation/lib/aws.mk
@@ -171,15 +171,15 @@ aws-s3-upload: ### Upload file to bucket - mandatory: FILE=[local path (inside c
 	make -s docker-run-tools ARGS="$$(echo $(AWSCLI) | grep awslocal > /dev/null 2>&1 && echo '--env LOCALSTACK_HOST=$(LOCALSTACK_HOST)' ||:)" CMD=" \
 		$(AWSCLI) s3 cp \
 			$(FILE) \
-			s3://$(URI) \
+			s3://$(URI) --sse AES256 \
 			$(ARGS) \
 	"
 
 aws-s3-download: ### Download file from bucket - mandatory: URI=[remote path],FILE=[local path (inside container)]; optional: ARGS=[S3 cp options]
 	make -s docker-run-tools ARGS="$$(echo $(AWSCLI) | grep awslocal > /dev/null 2>&1 && echo '--env LOCALSTACK_HOST=$(LOCALSTACK_HOST)' ||:)" CMD=" \
 		$(AWSCLI) s3 cp \
 			s3://$(URI) \
-			$(FILE) \
+			$(FILE) --sse AES256 \
 			$(ARGS) \
 	"
 
diff --git a/build/automation/var/profile/integration.mk b/build/automation/var/profile/integration.mk
@@ -32,7 +32,7 @@ TF_VAR_hk_integration_tester_lambda_function_name = $(PROJECT_ID)-$(ENV)-$(TF_VA
 # Lambda layer
 TF_VAR_uec_dos_tasks_python_libs = uec-dos-tasks-python-libs
 
-TF_VAR_db_security_group_name = uec-core-dos-integration-datastore-sg
+TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg
 
 # Build slack secrets
 TF_VAR_sm_required = true
diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk
@@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role
 
 LAMBDA_VERSIONS_TO_RETAIN = 5
 
-TF_VAR_db_security_group_name = uec-core-dos-integration-datastore-sg
+TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg
diff --git a/build/jenkins/Jenkinsfile.hk-integration b/build/jenkins/Jenkinsfile.hk-integration
@@ -35,7 +35,7 @@ pipeline {
         DB_SUFFIX = 'tasks'
         PIPELINE_DATABASE = "${DB_PREFIX}_${ENVIRONMENT}"
         BUCKET = "uec-dos-tasks-${PROFILE}-housekeeping-bucket/${ENVIRONMENT}"
-        DB_HOST = 'uec-core-dos-integration-data.dos-db-rds'
+        DB_HOST = 'uec-core-dos-pipeline-primary.dos-db-rds'
         SLACK_CHANNEL = 'dos-tasks-integration-notifications'
         PATHWAYSDOS_V4_BRANCH = 'develop'
         BRANCH_NAME = sh(returnStdout: true, script: "make git-branch-format BRANCH_NAME=${GIT_BRANCH}").trim()

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ def copy_object(self, bucket, file, event, start):`
`30`	`30`	`Bucket=bucket,`
`31`	`31`	`CopySource="{}/{}".format(bucket, file),`
`32`	`32`	`Key="{}/archive/{}".format(file.split("/")[0], file.split("/")[1]),`
	`33`	`+ ServerSideEncryption='AES256',`
`33`	`34`	`)`
`34`	`35`	`return response`
`35`	`36`	`except ClientError as e:`
Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,4 @@ TF_VAR_splunk_firehose_role := dos_cw_w_events_firehose_access_role`
`27`	`27`
`28`	`28`	`LAMBDA_VERSIONS_TO_RETAIN = 5`
`29`	`29`
`30`		`-TF_VAR_db_security_group_name = uec-core-dos-integration-datastore-sg`
	`30`	`+TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-sg`