[PRMP-1517] Authorisation changes (#246)

NogaNHS · web-flow · commit 39935aeb79bb · 2025-02-11T13:58:34.000Z
* [PRMP-1517] add permission to search lambda to write to auth table
* [PRMP-1517] Change aws_api_gateway_authorizer to REQUEST type
* [PRMP-1517] add permission to search patient
* [PRMP-1517] add redeployment triggers
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -41,6 +41,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
   triggers = {
     redeployment = sha1(jsonencode([
       aws_api_gateway_rest_api.ndr_doc_store_api.body,
+      aws_api_gateway_authorizer.repo_authoriser,
       module.authoriser-lambda,
       module.back-channel-logout-gateway,
       module.back_channel_logout_lambda,
diff --git a/infrastructure/lambda-authoriser.tf b/infrastructure/lambda-authoriser.tf
@@ -75,7 +75,7 @@ module "authoriser-alarm-topic" {
 
 resource "aws_api_gateway_authorizer" "repo_authoriser" {
   name                             = "${terraform.workspace}_repo_authoriser"
-  type                             = "TOKEN"
+  type                             = "REQUEST"
   identity_source                  = "method.request.header.Authorization"
   rest_api_id                      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   authorizer_uri                   = module.authoriser-lambda.invoke_arn
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
@@ -68,7 +68,9 @@ module "search-patient-details-lambda" {
   handler = "handlers.search_patient_details_handler.lambda_handler"
   iam_role_policy_documents = [
     aws_iam_policy.ssm_access_policy.policy,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
   ]
   rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id  = module.search-patient-details-gateway.gateway_resource_id
@@ -82,6 +84,7 @@ module "search-patient-details-lambda" {
     PDS_FHIR_IS_STUBBED            = local.is_sandbox,
     SPLUNK_SQS_QUEUE_URL           = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                      = terraform.workspace
+    AUTH_SESSION_TABLE_NAME        = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
   }
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   depends_on = [
