Propagate the latest bugfixes and improvements

* Supply VirusTotal API key from SSM which is queried directly by the dmr-initiator Lambda
* Provide an error when VirusTotal scan is successful but the file cannot be scanned with Clamav (file could be too large, exceeding the multipart upload timeout or lambda hard-cap runtime)
* Add maximum retention to DMR queue to ensure that a DMR does not sit on the queue indefinitely should something go wrong

Author: edhull

functions/dmr-clamav.zip

@@ -3,6 +3,24 @@ variable dmr_initiator {
   default = "dmr-initiator"
 }
 
+# Generate a placeholder VirusTotal API key to be updated manually
+resource "aws_ssm_parameter" "virustotal_apikey" {
+  name              = "/dmr/virustotal"
+  type              = "SecureString"
+  key_id            = CHANGEME
+  value             = "PLACEHOLDER_REPLACEBYHAND"
+  overwrite         = false
+  lifecycle {
+    ignore_changes = [value, key_id]
+  }
+}
+
+# Lookup value post creation
+data "aws_ssm_parameter" "virustotal_apikey" {
+  name              = "/dmr/virustotal"
+  depends_on        = [aws_ssm_parameter.virustotal_apikey]
+}
+
 resource "aws_lambda_alias" "dmr_initiator" {
   name              = var.dmr_initiator
   description       = "Handle DMR requests"
@@ -22,7 +40,7 @@ resource "aws_lambda_function" "dmr_initiator" {
   environment {
     variables      = {
       LOG_LEVEL           = var.lambda_loglevel
-      VT_API_KEY          = var.vt_api_key
+      VT_API_KEY          = data.aws_ssm_parameter.virustotal_apikey.value
       S3_STAGING_BUCKET   = aws_s3_bucket.dmr_staging_bucket.id
       SEND_JIRA_COMMENT   = var.create_jira
       DMR_JIRA_ARN        = var.create_jira ? aws_lambda_function.dmr_jira[0].arn : ""

functions/dmr-initiator.zip

@@ -1,8 +1,8 @@
 resource "aws_sqs_queue" "dmr_queue" {
   name                        = "dmr-queue"
-  delay_seconds               = 10
+  delay_seconds               = 1
   max_message_size            = 2048
-  message_retention_seconds   = 86400
+  message_retention_seconds   = 600
   visibility_timeout_seconds  = 900
 
   tags = {