Merge branch 'main' into PRMP-1580

robg-nhs · web-flow · commit 0a9c89efbb5a · 2025-03-25T10:49:49.000Z
diff --git a/.github/workflows/sonarcloud-analysis.yml b/.github/workflows/sonarcloud-analysis.yml
@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
       - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v4
+        uses: SonarSource/sonarqube-scan-action@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -14,6 +14,10 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_access-audit-alarm"></a> [access-audit-alarm](#module\_access-audit-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_access-audit-alarm-topic"></a> [access-audit-alarm-topic](#module\_access-audit-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_access-audit-gateway"></a> [access-audit-gateway](#module\_access-audit-gateway) | ./modules/gateway | n/a |
+| <a name="module_access-audit-lambda"></a> [access-audit-lambda](#module\_access-audit-lambda) | ./modules/lambda | n/a |
 | <a name="module_access_audit_dynamodb_table"></a> [access\_audit\_dynamodb\_table](#module\_access\_audit\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_api_endpoint_url_ssm_parameter"></a> [api\_endpoint\_url\_ssm\_parameter](#module\_api\_endpoint\_url\_ssm\_parameter) | ./modules/ssm_parameter | n/a |
 | <a name="module_auth_session_dynamodb_table"></a> [auth\_session\_dynamodb\_table](#module\_auth\_session\_dynamodb\_table) | ./modules/dynamo_db | n/a |
@@ -315,6 +319,7 @@
 | [aws_lambda_event_source_mapping.nems_message_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.nrl_pointer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_event_source_mapping.pdf-stitching-lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
+| [aws_lambda_event_source_mapping.unstitched_lloyd_george_dynamodb_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -74,7 +74,9 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
       module.upload_confirm_result_gateway,
       module.upload_confirm_result_lambda,
       module.virus_scan_result_gateway,
-      module.virus_scan_result_lambda
+      module.virus_scan_result_lambda,
+      module.access-audit-gateway,
+      module.access-audit-lambda
     ]))
   }
 
diff --git a/infrastructure/lambda-access-audit.tf b/infrastructure/lambda-access-audit.tf
@@ -0,0 +1,93 @@
+module "access-audit-gateway" {
+  # Gateway Variables
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["POST"]
+  authorization       = "CUSTOM"
+  gateway_path        = "AccessAudit"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+
+  # Lambda Variables
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  owner             = var.owner
+  environment       = var.environment
+
+  depends_on = [
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+  ]
+}
+
+module "access-audit-alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.access-audit-lambda.function_name
+  lambda_timeout       = module.access-audit-lambda.timeout
+  lambda_name          = "access_audit_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.access-audit-alarm-topic.arn]
+  ok_actions           = [module.access-audit-alarm-topic.arn]
+  depends_on           = [module.access-audit-lambda, module.access-audit-alarm-topic]
+}
+
+
+module "access-audit-alarm-topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "access-audit-alarms-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.access-audit-lambda.lambda_arn
+  depends_on            = [module.sns_encryption_key]
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+module "access-audit-lambda" {
+  source  = "./modules/lambda"
+  name    = "AccessAuditLambda"
+  handler = "handlers.access_audit_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
+    module.access_audit_dynamodb_table.dynamodb_write_policy_document
+  ]
+  rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id  = module.access-audit-gateway.gateway_resource_id
+  http_methods = ["POST"]
+
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+    AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+    ACCESS_AUDIT_TABLE_NAME = "${terraform.workspace}_${var.access_audit_dynamodb_table_name}"
+  }
+  depends_on = [
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    module.access-audit-gateway,
+    module.ndr-app-config,
+  ]
+}
diff --git a/infrastructure/lambda-delete-doc-object.tf b/infrastructure/lambda-delete-doc-object.tf
@@ -77,7 +77,8 @@ resource "aws_iam_policy" "dynamodb_stream_delete_object_policy" {
         Effect = "Allow"
         Resource = [
           module.lloyd_george_reference_dynamodb_table.dynamodb_stream_arn,
-          module.document_reference_dynamodb_table.dynamodb_stream_arn
+          module.document_reference_dynamodb_table.dynamodb_stream_arn,
+          module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_stream_arn
         ]
       },
     ]
@@ -95,7 +96,32 @@ resource "aws_lambda_event_source_mapping" "lloyd_george_dynamodb_stream" {
       pattern = jsonencode({
         "eventName" : [
           "REMOVE"
-        ]
+        ],
+        userIdentity = {
+          type        = ["Service"],
+          principalId = ["dynamodb.amazonaws.com"]
+        }
+      })
+    }
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "unstitched_lloyd_george_dynamodb_stream" {
+  event_source_arn  = module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_stream_arn
+  function_name     = module.delete-document-object-lambda.lambda_arn
+  batch_size        = 1
+  starting_position = "LATEST"
+
+  filter_criteria {
+    filter {
+      pattern = jsonencode({
+        "eventName" : [
+          "REMOVE"
+        ],
+        userIdentity = {
+          type        = ["Service"],
+          principalId = ["dynamodb.amazonaws.com"]
+        }
       })
     }
   }
@@ -112,7 +138,11 @@ resource "aws_lambda_event_source_mapping" "document_reference_dynamodb_stream"
       pattern = jsonencode({
         "eventName" : [
           "REMOVE"
-        ]
+        ],
+        userIdentity = {
+          type        = ["Service"],
+          principalId = ["dynamodb.amazonaws.com"]
+        }
       })
     }
   }
diff --git a/infrastructure/lambda-delete-doc-ref.tf b/infrastructure/lambda-delete-doc-ref.tf
@@ -78,21 +78,24 @@ module "delete-doc-ref-lambda" {
     module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
     module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
     module.sqs-nrl-queue.sqs_read_policy_document,
-    module.sqs-nrl-queue.sqs_write_policy_document
+    module.sqs-nrl-queue.sqs_write_policy_document,
+    module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.delete-doc-ref-gateway.gateway_resource_id
   http_methods      = ["DELETE"]
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
-    APPCONFIG_APPLICATION         = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT         = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
-    DOCUMENT_STORE_DYNAMODB_NAME  = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
-    LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
-    STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
-    WORKSPACE                     = terraform.workspace
-    NRL_SQS_QUEUE_URL             = module.sqs-nrl-queue.sqs_url
+    APPCONFIG_APPLICATION                 = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT                 = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION               = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_STORE_DYNAMODB_NAME          = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME            = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    STITCH_METADATA_DYNAMODB_NAME         = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
+    UNSTITCHED_LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.unstitched_lloyd_george_dynamodb_table_name}"
+    WORKSPACE                             = terraform.workspace
+    NRL_SQS_QUEUE_URL                     = module.sqs-nrl-queue.sqs_url
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
diff --git a/infrastructure/lambda-pdf-stitching.tf b/infrastructure/lambda-pdf-stitching.tf
@@ -20,6 +20,7 @@ module "pdf-stitching-lambda" {
   api_execution_arn       = null
   is_invoked_from_gateway = false
   lambda_environment_variables = {
+    APIM_API_URL                          = data.aws_ssm_parameter.apim_url.value
     PDF_STITCHING_SQS_URL                 = module.sqs-stitching-queue.sqs_url
     NRL_SQS_URL                           = module.sqs-nrl-queue.sqs_url
     LLOYD_GEORGE_BUCKET_NAME              = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
