feat: cloud integration — WAF v2, Secrets Manager, CloudTrail retention, DynamoDB PITR, SQS DLQ alarms

[Copilot]

The application lacked several foundational cloud security and reliability controls: no WAF on CloudFront, SECRET_KEY exposed as a plaintext Lambda env var, no audit trail or retention safeguards, no DynamoDB backups, and no alerting on dead-letter queue buildup.

Summary

• Add CloudFront-scoped WAF v2 with managed rules and per-IP rate limiting, toggleable via enable_waf.
• Store SECRET_KEY and MSAL_CLIENT_SECRET in Secrets Manager; Lambda now receives only SECRET_ARN, and config.py fetches a shared cached payload and fails closed when the secret is missing.
• Add multi-region CloudTrail with log-file validation and S3 data-event logging to a dedicated encrypted bucket, now with 90-day Glacier transition, ~7-year retention, and no force-destroy.
• Enable DynamoDB point-in-time recovery on all tables (35-day window) and add CloudWatch alarms for DLQ depth on registration and campaign queues.
• Consolidate Terraform outputs to canonical WAF and Secrets Manager ARNs and document the new security/audit controls.

Validation

• make lint
• make test (fails locally: Playwright browsers not installed and moto 5.0.28 leaves existing DynamoDB tables, causing ResourceInUse during setup)
• make docs-check
• terraform -chdir=phishing-platform-infra/terraform validate

Linked Work

• Issue:
• Milestone:

Deployment Notes

• New environment variables:
• Infra impact: CloudTrail log bucket now has lifecycle retention (90-day Glacier transition, ~7-year expiration) and is not force-destroyed; Secrets Manager and WAF outputs consolidated.
• Docs updated:

[Copilot]

Pull request overview

Adds baseline AWS security/audit controls and reliability safeguards to the platform’s Terraform infrastructure, plus runtime support for loading secrets from AWS Secrets Manager in the Flask app configuration.

Changes:

• Provision and attach a CloudFront-scoped WAFv2 Web ACL (managed rule groups + per-IP rate limiting) with an enable/disable toggle.
• Move application secrets into AWS Secrets Manager and add CloudTrail + SQS DLQ depth alarming + DynamoDB PITR.
• Update config.py to resolve SECRET_KEY / MSAL_CLIENT_SECRET via SECRET_ARN at startup (with env-var fallback).

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
VERSION	Bumps project version to 1.3.0.
phishing-platform-infra/terraform/waf.tf	Defines WAFv2 Web ACL for CloudFront (us-east-1 provider alias) + output.
phishing-platform-infra/terraform/variables.tf	Adds feature toggles for WAF and CloudTrail.
phishing-platform-infra/terraform/terraform.tfvars.example	Documents the new infra toggles.
phishing-platform-infra/terraform/secrets_manager.tf	Creates Secrets Manager secret/version for app secrets + output.
phishing-platform-infra/terraform/outputs.tf	Adds outputs for Secrets Manager + WAF.
phishing-platform-infra/terraform/lambda.tf	Switches app Lambda from SECRET_KEY to SECRET_ARN env var.
phishing-platform-infra/terraform/iam.tf	Grants Lambda secretsmanager:GetSecretValue on the app secret.
phishing-platform-infra/terraform/dynamodb.tf	Enables PITR across all DynamoDB tables.
phishing-platform-infra/terraform/cloudwatch_monitoring.tf	Adds CloudWatch alarms for registration/campaign DLQ depth.
phishing-platform-infra/terraform/cloudtrail.tf	Adds multi-region CloudTrail + dedicated encrypted S3 bucket.
phishing-platform-infra/terraform/cloudfront.tf	Attaches WAF Web ACL ARN to CloudFront when enabled.
documentation/ARCHITECTURE.md	Updates diagrams to include WAF/Secrets Manager/CloudTrail/PITR/DLQ alarms.
config.py	Adds Secrets Manager resolution helpers for SECRET_KEY and MSAL client secret.
CHANGELOG.md	Documents new infra/security features for v1.3.0.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This switches SECRET_KEY to SECRET_ARN, but the same file still sets MSAL_CLIENT_SECRET = var.msal_client_secret later in the Lambda environment variables, leaving a secret exposed in plaintext env vars. To fully achieve the stated security goal, remove the plaintext MSAL_CLIENT_SECRET env var and fetch it via Secrets Manager using SECRET_ARN (as config.py now supports).

[Copilot]

When SECRET_ARN is set but the Secrets Manager call fails, this falls back to os.environ.get("SECRET_KEY", "dev-secret-key-change-in-production"). In the new Terraform setup, SECRET_KEY is no longer provided to the Lambda env, so a transient Secrets Manager/VPC endpoint/IAM issue would silently switch production to the insecure dev default (breaking session integrity). Consider failing fast if SECRET_ARN is set and SECRET_KEY env var is absent, or at least avoid ever using the dev default in that path.

[Copilot]

Both _resolve_secret_key() and _resolve_msal_client_secret() call Secrets Manager independently, which results in two network calls during cold start (and repeats JSON parsing). Consider factoring this into a single helper that fetches/parses the secret once and memoizes the result (module-level cache), then have both resolvers read from that cached dict.

[Copilot]

force_destroy = true on the CloudTrail log bucket makes it easy to accidentally delete audit logs (including non-empty buckets) during Terraform destroy/replace, which is usually undesirable for audit/compliance and incident response. Consider removing force_destroy (or making it an explicit opt-in variable for non-prod) and adding a retention/lifecycle policy instead.

[Copilot]

There are now two different outputs for the same Secrets Manager ARN (app_secrets_arn in secrets_manager.tf and secrets_manager_arn here), and similarly two for the WAF ACL ARN (waf_web_acl_arn vs waf_arn). Keeping duplicate outputs with different names can confuse downstream consumers; consider consolidating to a single canonical output name for each value and removing the redundant ones.

Suggested change

	output "secrets_manager_arn" {
	description = "ARN of the Secrets Manager secret holding Flask SECRET_KEY and MSAL credentials"
	value = aws_secretsmanager_secret.app_secrets.arn
	}
	output "waf_arn" {
	description = "ARN of the WAF v2 Web ACL attached to CloudFront (empty if WAF disabled)"
	value = var.enable_waf ? aws_wafv2_web_acl.app[0].arn : ""
	}

[Copilot]

This entry says MSAL_CLIENT_SECRET was removed from plaintext Lambda env vars and that Lambda receives only SECRET_ARN, but phishing-platform-infra/terraform/lambda.tf still sets MSAL_CLIENT_SECRET = var.msal_client_secret in the environment. Either update the infrastructure to actually remove it, or adjust the changelog to reflect the current behavior.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 357f4ffaf2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fail closed when SECRET_KEY cannot be retrieved

When SECRET_ARN is present and Secrets Manager retrieval fails (for example due to IAM, throttling, or regional issues), this path falls back to os.environ.get("SECRET_KEY", "dev-secret-key-change-in-production"). In the same commit lambda.tf replaces SECRET_KEY with SECRET_ARN, so production can start with the known dev key instead of refusing to boot, which weakens session and CSRF signing security.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Grant deploy role rights for newly managed AWS resources

This adds new Terraform-managed resources (starting with aws_secretsmanager_secret here), but the GitHub deploy role policy in phishing-platform-infra/terraform/github_actions_oidc.tf does not include required actions for these changes (e.g., Secrets Manager CRUD, WAFv2, CloudTrail, and dynamodb:UpdateContinuousBackups for PITR). In the CI deploy workflows that assume AWS_DEPLOY_ROLE_ARN, terraform apply will fail with AccessDenied before rollout completes.

Useful? React with 👍 / 👎.

[Panacota96]

@openai-code-agent review the pr

[Panacota96]

@copilot

[Panacota96]

@codex[agent] review the comments on #28 (review) and #28 (review) investigate, an apli a fix on this

[chatgpt-codex-connector]

Summary

• Investigated the review feedback and applied a follow-up fix focused on CI deploy reliability by extending the GitHub Actions OIDC deploy role policy with missing permissions for newly managed resources:
  • Secrets Manager: GetResourcePolicy, ListSecrets, RestoreSecret.
  • CloudTrail: GetEventSelectors, ListTrails, PutEventSelectors.
  • WAFv2: GetWebACLForResource. phishing-platform-infra/terraform/github_actions_oidc.tfL153-L207
• Documented the permission-hardening change in the Unreleased → Changed section of the changelog so the PR history reflects this follow-up clearly. CHANGELOG.mdL16-L21
• Committed the fix on the current branch with commit message: fix: extend deploy role permissions for new security resources (commit 1a971b4).
• Created a follow-up PR message via make_pr summarizing the fix and rationale, as requested.

Testing

• ⚠️ terraform -chdir=phishing-platform-infra/terraform fmt -check github_actions_oidc.tf (warning: terraform is not installed in this environment).
• ⚠️ python -m pytest tests/ -q (warning: missing test dependency moto in this environment).

View task →

[Codex]

@codex[agent] review the comments on #28 (review) and #28 (comment)...

Addressed the review points in a9a1e47: CloudTrail bucket now retains logs with lifecycle (no force-destroy) and changelog updated; MSAL secret already pulled from Lambda env, secret resolvers cache the bundle, and duplicate outputs removed.

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.