Merge branch 'main' into PRMP-1707

NogaNHS · web-flow · commit 479d49e336af · 2025-03-27T09:27:57.000Z
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -117,6 +117,9 @@
 | <a name="module_ndr-lloyd-george-store"></a> [ndr-lloyd-george-store](#module\_ndr-lloyd-george-store) | ./modules/s3/ | n/a |
 | <a name="module_ndr-vpc-ui"></a> [ndr-vpc-ui](#module\_ndr-vpc-ui) | ./modules/vpc/ | n/a |
 | <a name="module_ndr-zip-request-store"></a> [ndr-zip-request-store](#module\_ndr-zip-request-store) | ./modules/s3/ | n/a |
+| <a name="module_nhs-oauth-token-generator-alarm"></a> [nhs-oauth-token-generator-alarm](#module\_nhs-oauth-token-generator-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_nhs-oauth-token-generator-alarm-topic"></a> [nhs-oauth-token-generator-alarm-topic](#module\_nhs-oauth-token-generator-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_nhs-oauth-token-generator-lambda"></a> [nhs-oauth-token-generator-lambda](#module\_nhs-oauth-token-generator-lambda) | ./modules/lambda | n/a |
 | <a name="module_nrl-dlq-alarm-topic"></a> [nrl-dlq-alarm-topic](#module\_nrl-dlq-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-alarm-topic"></a> [pdf-stitching-alarm-topic](#module\_pdf-stitching-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-lambda"></a> [pdf-stitching-lambda](#module\_pdf-stitching-lambda) | ./modules/lambda | n/a |
@@ -204,10 +207,12 @@
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_metric_filter.edge_presign_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_metric_alarm.api_gateway_alarm_4XX](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
@@ -293,6 +298,7 @@
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_rum_app_monitor.ndr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource |
 | [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
diff --git a/infrastructure/lambda-nhs-oauth-token-generator.tf b/infrastructure/lambda-nhs-oauth-token-generator.tf
@@ -0,0 +1,58 @@
+module "nhs-oauth-token-generator-lambda" {
+  source         = "./modules/lambda"
+  name           = "NhsOauthTokenGeneratorLambda"
+  handler        = "handlers.nhs_oauth_token_generator_handler.lambda_handler"
+  lambda_timeout = 120
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
+  ]
+
+  rest_api_id       = null
+  api_execution_arn = null
+
+  lambda_environment_variables = {
+    WORKSPACE = terraform.workspace
+  }
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}
+
+module "nhs-oauth-token-generator-alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.nhs-oauth-token-generator-lambda.function_name
+  lambda_timeout       = module.nhs-oauth-token-generator-lambda.timeout
+  lambda_name          = "nhs_oauth_token_generator_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.nhs-oauth-token-generator-alarm-topic.arn]
+  ok_actions           = [module.nhs-oauth-token-generator-alarm-topic.arn]
+}
+
+module "nhs-oauth-token-generator-alarm-topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "nhs-oauth-token-generator-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.nhs-oauth-token-generator-lambda.lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
diff --git a/infrastructure/schedules.tf b/infrastructure/schedules.tf
@@ -164,4 +164,24 @@ resource "aws_iam_role_policy_attachment" "ods_weekly_update_ecs_execution" {
   count      = local.is_sandbox ? 0 : 1
   role       = aws_iam_role.ods_weekly_update_ecs_execution[0].name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
-}
+}
+
+resource "aws_cloudwatch_event_rule" "nhs_oauth_token_generator_schedule" {
+  name                = "${terraform.workspace}_nhs_oauth_token_generator_schedule"
+  description         = "Schedule for NHS OAuth Token Generator Lambda"
+  schedule_expression = "rate(9 minutes)"
+}
+
+resource "aws_cloudwatch_event_target" "nhs_oauth_token_generator_schedule" {
+  rule      = aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule.name
+  target_id = "nhs_oauth_token_generator_schedule"
+  arn       = module.nhs-oauth-token-generator-lambda.lambda_arn
+}
+
+resource "aws_lambda_permission" "nhs_oauth_token_generator_schedule" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = module.nhs-oauth-token-generator-lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule.arn
+}
