[NRL-853] Move notification email config out of lambda-error module and re-use for backup notifications

mattdean3-nhs · mattdean3-nhs · commit b00d59882fb2 · 2024-11-18T14:40:45.000Z
diff --git a/terraform/account-wide-infrastructure/dev/aws-backups.tf b/terraform/account-wide-infrastructure/dev/aws-backups.tf
@@ -104,6 +104,8 @@ module "source" {
   #terraform_role_arn                = data.aws_caller_identity.current.arn
   terraform_role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
 
+  notification_target_email_addresses = local.notification_emails
+
   backup_plan_config = {
     "compliance_resource_types" : [
       "S3"
diff --git a/terraform/account-wide-infrastructure/dev/cloudwatch.tf b/terraform/account-wide-infrastructure/dev/cloudwatch.tf
@@ -2,6 +2,8 @@ module "lambda_errors_cloudwatch_metric_alarm_dev" {
   source      = "../modules/lambda-errors-metric-alarm"
   name_prefix = "nhsd-nrlf--dev"
 
+  notification_emails = local.notification_emails
+
   evaluation_periods = 1
   period             = 60
   threshold          = 1
diff --git a/terraform/account-wide-infrastructure/dev/data.tf b/terraform/account-wide-infrastructure/dev/data.tf
@@ -1,3 +1,11 @@
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }
+
+data "aws_secretsmanager_secret" "emails" {
+  name = "${local.prefix}-emails"
+}
+
+data "aws_secretsmanager_secret_version" "emails" {
+  secret_id = data.aws_secretsmanager_secret.emails.id
+}
diff --git a/terraform/account-wide-infrastructure/dev/locals.tf b/terraform/account-wide-infrastructure/dev/locals.tf
@@ -3,4 +3,6 @@ locals {
   project     = "nhsd-nrlf"
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
+
+  notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
 }
diff --git a/terraform/account-wide-infrastructure/dev/secrets.tf b/terraform/account-wide-infrastructure/dev/secrets.tf
@@ -2,6 +2,10 @@ resource "aws_secretsmanager_secret" "identities_account_id" {
   name = "${local.prefix}--nhs-identities-account-id"
 }
 
+resource "aws_secretsmanager_secret" "notification_email_addresses" {
+  name = "${local.prefix}-dev-notification-email-addresses"
+}
+
 resource "aws_secretsmanager_secret" "dev_smoke_test_apigee_app" {
   name        = "${local.prefix}--dev--apigee-app--smoke-test"
   description = "APIGEE App used to run Smoke Tests against the DEV environment"
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/backup_notification.tf b/terraform/account-wide-infrastructure/modules/backup-source/backup_notification.tf
@@ -1,7 +1,6 @@
 resource "aws_backup_vault_notifications" "backup_notification" {
-  count             = var.notifications_target_email_address != "" ? 1 : 0
   backup_vault_name = aws_backup_vault.main.name
-  sns_topic_arn     = aws_sns_topic.backup[0].arn
+  sns_topic_arn     = aws_sns_topic.backup.arn
   backup_vault_events = [
     "BACKUP_JOB_COMPLETED",
     "RESTORE_JOB_COMPLETED",
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/sns.tf b/terraform/account-wide-infrastructure/modules/backup-source/sns.tf
@@ -1,5 +1,4 @@
 resource "aws_sns_topic" "backup" {
-  count             = var.notifications_target_email_address != "" ? 1 : 0
   name              = "${local.resource_name_prefix}-notifications"
   kms_master_key_id = var.bootstrap_kms_key_arn
   policy            = data.aws_iam_policy_document.allow_backup_to_sns.json
@@ -27,9 +26,9 @@ data "aws_iam_policy_document" "allow_backup_to_sns" {
 }
 
 resource "aws_sns_topic_subscription" "aws_backup_notifications_email_target" {
-  count         = var.notifications_target_email_address != "" ? 1 : 0
-  topic_arn     = aws_sns_topic.backup[0].arn
+  for_each      = var.notification_target_email_addresses
+  topic_arn     = aws_sns_topic.backup.arn
   protocol      = "email"
-  endpoint      = var.notifications_target_email_address
+  endpoint      = each.value
   filter_policy = jsonencode({ "State" : [{ "anything-but" : "COMPLETED" }] })
 }
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/variables.tf b/terraform/account-wide-infrastructure/modules/backup-source/variables.tf
@@ -8,10 +8,10 @@ variable "environment_name" {
   type        = string
 }
 
-variable "notifications_target_email_address" {
-  description = "The email address to which backup notifications will be sent via SNS."
-  type        = string
-  default     = ""
+variable "notification_target_email_addresses" {
+  description = "The email addresses to which backup notifications will be sent via SNS."
+  type        = set(string)
+  default     = []
 }
 
 variable "bootstrap_kms_key_arn" {
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/secretsmanager.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/secretsmanager.tf
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf
@@ -4,7 +4,7 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription" {
-  for_each  = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  for_each  = var.notification_emails
   topic_arn = aws_sns_topic.sns_topic.arn
   protocol  = "email"
   endpoint  = sensitive(each.value)
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf
@@ -25,3 +25,9 @@ variable "kms_deletion_window_in_days" {
   description = "The duration in days after which the key is deleted after destruction of the resource."
   default     = 7
 }
+
+variable "notification_emails" {
+  type        = set(string)
+  description = "The email addresses to which notifications will be sent."
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,6 @@ locals {`
`3`	`3`	`project = "nhsd-nrlf"`
`4`	`4`	`environment = terraform.workspace`
`5`	`5`	`prefix = "${local.project}--${local.environment}"`
	`6`	`+`
	`7`	`+ notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))`
`6`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,10 +8,10 @@ variable "environment_name" {`
`8`	`8`	`type = string`
`9`	`9`	`}`
`10`	`10`
`11`		`-variable "notifications_target_email_address" {`
`12`		`- description = "The email address to which backup notifications will be sent via SNS."`
`13`		`- type = string`
`14`		`- default = ""`
	`11`	`+variable "notification_target_email_addresses" {`
	`12`	`+ description = "The email addresses to which backup notifications will be sent via SNS."`
	`13`	`+ type = set(string)`
	`14`	`+ default = []`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`variable "bootstrap_kms_key_arn" {`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ resource "aws_sns_topic" "sns_topic" {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`resource "aws_sns_topic_subscription" "sns_subscription" {`
`7`		`- for_each = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))`
	`7`	`+ for_each = var.notification_emails`
`8`	`8`	`topic_arn = aws_sns_topic.sns_topic.arn`
`9`	`9`	`protocol = "email"`
`10`	`10`	`endpoint = sensitive(each.value)`