Merge pull request #939 from NHSDigital/feature/made14-NRL-1379-add-lambda-errs-to-prod

[NRL-1379] Add TF config for lambda error notifications in test and prod

Author: mattdean3-nhs

terraform/account-wide-infrastructure/dev/locals.tf

@@ -4,5 +4,5 @@ locals {
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
 
-  notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }

terraform/account-wide-infrastructure/dev/secrets.tf

@@ -7,10 +7,6 @@ resource "aws_secretsmanager_secret" "backup_destination_parameters" {
   description = "Parameters used to configure the backup destination"
 }
 
-resource "aws_secretsmanager_secret" "notification_email_addresses" {
-  name = "${local.prefix}-dev-notification-email-addresses"
-}
-
 resource "aws_secretsmanager_secret" "dev_smoke_test_apigee_app" {
   name        = "${local.prefix}--dev--apigee-app--smoke-test"
   description = "APIGEE App used to run Smoke Tests against the DEV environment"

terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf

@@ -4,8 +4,8 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription" {
-  for_each  = var.notification_emails
+  count     = length(var.notification_emails)
   topic_arn = aws_sns_topic.sns_topic.arn
   protocol  = "email"
-  endpoint  = sensitive(each.value)
+  endpoint  = var.notification_emails[count.index]
 }

terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf

@@ -27,7 +27,8 @@ variable "kms_deletion_window_in_days" {
 }
 
 variable "notification_emails" {
-  type        = set(string)
+  type        = list(string)
+  sensitive   = true
   description = "The email addresses to which notifications will be sent."
   default     = []
 }

terraform/account-wide-infrastructure/prod/cloudwatch.tf

@@ -2,6 +2,8 @@ module "lambda_errors_cloudwatch_metric_alarm_dev" {
   source      = "../modules/lambda-errors-metric-alarm"
   name_prefix = "nhsd-nrlf--prod"
 
+  notification_emails = local.notification_emails
+
   evaluation_periods = 1
   period             = 60
   threshold          = 1

terraform/account-wide-infrastructure/prod/data.tf

@@ -1,3 +1,11 @@
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }
+
+data "aws_secretsmanager_secret" "emails" {
+  name = "${local.prefix}-emails"
+}
+
+data "aws_secretsmanager_secret_version" "emails" {
+  secret_id = data.aws_secretsmanager_secret.emails.id
+}

terraform/account-wide-infrastructure/prod/locals.tf

@@ -3,4 +3,6 @@ locals {
   project     = "nhsd-nrlf"
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
+
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }

terraform/account-wide-infrastructure/test/cloudwatch.tf

@@ -2,6 +2,8 @@ module "lambda_errors_cloudwatch_metric_alarm_dev" {
   source      = "../modules/lambda-errors-metric-alarm"
   name_prefix = "nhsd-nrlf--test"
 
+  notification_emails = local.notification_emails
+
   evaluation_periods = 1
   period             = 60
   threshold          = 1

terraform/account-wide-infrastructure/test/data.tf

@@ -1,3 +1,12 @@
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }
+
+
+data "aws_secretsmanager_secret" "emails" {
+  name = "${local.prefix}-emails"
+}
+
+data "aws_secretsmanager_secret_version" "emails" {
+  secret_id = data.aws_secretsmanager_secret.emails.id
+}

terraform/account-wide-infrastructure/test/locals.tf

@@ -3,4 +3,6 @@ locals {
   project     = "nhsd-nrlf"
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
+
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }