[PRMP-1469] NRL queue - DLQ (#241)

* [PRMP-1469] add dlq for nrl queue
* [PRMP-1469] add alarm to dlq nrl
---------

Co-authored-by: Steph Torres <stephane.torres1@nhs.net>

Author: NogaNHS

infrastructure/README.md

@@ -110,6 +110,7 @@
 | <a name="module_nems-message-lambda"></a> [nems-message-lambda](#module\_nems-message-lambda) | ./modules/lambda | n/a |
 | <a name="module_nems-message-lambda-alarm"></a> [nems-message-lambda-alarm](#module\_nems-message-lambda-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_nems-message-lambda-alarm-topic"></a> [nems-message-lambda-alarm-topic](#module\_nems-message-lambda-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_nrl-dlq-alarm-topic"></a> [nrl-dlq-alarm-topic](#module\_nrl-dlq-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_route53_fargate_ui"></a> [route53\_fargate\_ui](#module\_route53\_fargate\_ui) | ./modules/route53 | n/a |
 | <a name="module_search-document-references-gateway"></a> [search-document-references-gateway](#module\_search-document-references-gateway) | ./modules/gateway | n/a |
 | <a name="module_search-document-references-lambda"></a> [search-document-references-lambda](#module\_search-document-references-lambda) | ./modules/lambda | n/a |
@@ -206,6 +207,7 @@
 | [aws_cloudwatch_metric_alarm.edge_presign_lambda_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.error_log_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.inbox-messages-not-consumed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_metric_alarm.nrl_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.sns_topic_error_log_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_ecs_cluster.mesh-forwarder-ecs-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
 | [aws_ecs_service.mesh_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |

infrastructure/modules/sns/README.md

@@ -17,7 +17,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_sns_topic.sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
-| [aws_sns_topic_subscription.sns_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.sns_subscription_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.sns_subscription_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 
 ## Inputs
 
@@ -27,10 +28,12 @@ No modules.
 | <a name="input_delivery_policy"></a> [delivery\_policy](#input\_delivery\_policy) | Attach delivery or IAM policy | `string` | n/a | yes |
 | <a name="input_enable_deduplication"></a> [enable\_deduplication](#input\_enable\_deduplication) | Prevent content based duplication in notification queue | `bool` | `false` | no |
 | <a name="input_enable_fifo"></a> [enable\_fifo](#input\_enable\_fifo) | Attach first in first out policy to notification queue | `bool` | `false` | no |
+| <a name="input_is_topic_endpoint_list"></a> [is\_topic\_endpoint\_list](#input\_is\_topic\_endpoint\_list) | n/a | `bool` | `false` | no |
 | <a name="input_raw_message_delivery"></a> [raw\_message\_delivery](#input\_raw\_message\_delivery) | n/a | `bool` | `false` | no |
 | <a name="input_sns_encryption_key_id"></a> [sns\_encryption\_key\_id](#input\_sns\_encryption\_key\_id) | n/a | `string` | n/a | yes |
 | <a name="input_sqs_feedback"></a> [sqs\_feedback](#input\_sqs\_feedback) | Map of IAM role ARNs and sample rate for success and failure feedback | `map(string)` | `{}` | no |
-| <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | n/a | `any` | n/a | yes |
+| <a name="input_topic_endpoint"></a> [topic\_endpoint](#input\_topic\_endpoint) | n/a | `any` | `null` | no |
+| <a name="input_topic_endpoint_list"></a> [topic\_endpoint\_list](#input\_topic\_endpoint\_list) | n/a | `any` | `[]` | no |
 | <a name="input_topic_name"></a> [topic\_name](#input\_topic\_name) | Name of the SNS topic | `string` | n/a | yes |
 | <a name="input_topic_protocol"></a> [topic\_protocol](#input\_topic\_protocol) | n/a | `string` | n/a | yes |
 

infrastructure/modules/sns/main.tf

@@ -9,13 +9,22 @@ resource "aws_sns_topic" "sns_topic" {
   sqs_success_feedback_sample_rate = try(var.sqs_feedback.success_sample_rate, null)
 }
 
-resource "aws_sns_topic_subscription" "sns_subscription" {
+resource "aws_sns_topic_subscription" "sns_subscription_single" {
+  count                = var.is_topic_endpoint_list ? 0 : 1
   topic_arn            = aws_sns_topic.sns_topic.arn
   protocol             = var.topic_protocol
   endpoint             = var.topic_endpoint
   raw_message_delivery = var.raw_message_delivery
 }
 
+resource "aws_sns_topic_subscription" "sns_subscription_list" {
+  for_each             = toset(var.topic_endpoint_list)
+  topic_arn            = aws_sns_topic.sns_topic.arn
+  protocol             = var.topic_protocol
+  endpoint             = each.value
+  raw_message_delivery = var.raw_message_delivery
+}
+
 output "arn" {
   value = aws_sns_topic.sns_topic.arn
 }

infrastructure/modules/sns/variable.tf

@@ -24,7 +24,14 @@ variable "topic_protocol" {
 }
 
 variable "topic_endpoint" {
-  type = any
+  type    = any
+  default = null
+}
+
+
+variable "topic_endpoint_list" {
+  type    = any
+  default = []
 }
 
 variable "current_account_id" {
@@ -43,4 +50,9 @@ variable "sqs_feedback" {
 
 variable "raw_message_delivery" {
   default = false
-}
+}
+
+variable "is_topic_endpoint_list" {
+  default = false
+  type    = bool
+}

infrastructure/modules/sqs/README.md

@@ -46,6 +46,7 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_dlq_name"></a> [dlq\_name](#output\_dlq\_name) | n/a |
 | <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | Same as sqs queue arn. For use when setting the queue as endpoint of sns topic |
 | <a name="output_sqs_arn"></a> [sqs\_arn](#output\_sqs\_arn) | n/a |
 | <a name="output_sqs_id"></a> [sqs\_id](#output\_sqs\_id) | n/a |

infrastructure/modules/sqs/main.tf

@@ -20,7 +20,7 @@ resource "aws_sqs_queue" "sqs_queue" {
 
 resource "aws_sqs_queue" "queue_deadletter" {
   count                       = var.enable_dlq ? 1 : 0
-  name                        = "${terraform.workspace}-${var.name}-deadletter-queue"
+  name                        = "${terraform.workspace}-deadletter-${var.name}"
   delay_seconds               = var.delay
   visibility_timeout_seconds  = var.max_visibility
   max_message_size            = var.max_size_message

infrastructure/modules/sqs/variable.tf

@@ -98,4 +98,7 @@ output "sqs_read_policy_document" {
 
 output "sqs_write_policy_document" {
   value = data.aws_iam_policy_document.sqs_write_policy.json
+}
+output "dlq_name" {
+  value = var.enable_dlq ? aws_sqs_queue.queue_deadletter[0].name : null
 }

infrastructure/sqs-nrl.tf

@@ -3,9 +3,63 @@ module "sqs-nrl-queue" {
   name                 = "nrl-queue.fifo"
   environment          = var.environment
   owner                = var.owner
-  message_retention    = 1800
+  message_retention    = 1209600
   enable_sse           = true
   enable_fifo          = true
   max_visibility       = 601
   enable_deduplication = true
+  enable_dlq           = true
+  max_receive_count    = 1
 }
+
+resource "aws_cloudwatch_metric_alarm" "nrl_dlq_new_messages" {
+  alarm_name          = "${terraform.workspace}_NRL_dlq_messages"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "ApproximateNumberOfMessagesVisible"
+  namespace           = "AWS/SQS"
+  period              = 60
+  statistic           = "Sum"
+  threshold           = 0
+  alarm_description   = "Alarm when there are new messages in the nrl dlq"
+  alarm_actions       = [module.nrl-dlq-alarm-topic.arn]
+
+  dimensions = {
+    QueueName = module.sqs-nrl-queue.dlq_name
+  }
+}
+
+module "nrl-dlq-alarm-topic" {
+  source                 = "./modules/sns"
+  sns_encryption_key_id  = module.sns_encryption_key.id
+  current_account_id     = data.aws_caller_identity.current.account_id
+  topic_name             = "nrl-dlq-topic"
+  topic_protocol         = "email"
+  is_topic_endpoint_list = true
+  topic_endpoint_list    = nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+
+  depends_on = [module.sqs-nrl-queue]
+}
+
+
+