Merge branch 'PRMP-1587' into PRMP-1601

Author: NogaNHS

infrastructure/dynamo_db.tf

@@ -345,6 +345,61 @@ module "statistics_dynamodb_table" {
     }
   ]
 
+  environment = var.environment
+  owner       = var.owner
+}
+
+module "access_audit_dynamodb_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.access_audit_dynamodb_table_name
+  hash_key                       = "Type"
+  sort_key                       = "ID"
+  deletion_protection_enabled    = local.is_production
+  stream_enabled                 = false
+  ttl_enabled                    = false
+  point_in_time_recovery_enabled = !local.is_sandbox
+
+  attributes = [
+    {
+      name = "Type"
+      type = "S"
+    },
+    {
+      name = "ID"
+      type = "S"
+    },
+    {
+      name = "UserSessionID"
+      type = "S"
+    },
+    {
+      name = "UserID"
+      type = "S"
+    },
+    {
+      name = "UserOdsCode"
+      type = "S"
+    }
+  ]
+
+  global_secondary_indexes = [
+    {
+      name            = "UserSessionIDIndex"
+      hash_key        = "UserSessionID"
+      projection_type = "ALL"
+    },
+    {
+      name            = "UserIDIndex"
+      hash_key        = "UserID"
+      projection_type = "ALL"
+    },
+    {
+      name            = "UserOdsCodeIndex"
+      hash_key        = "UserOdsCode"
+      projection_type = "ALL"
+    }
+  ]
+
   environment = var.environment
   owner       = var.owner
 }

infrastructure/modules/dynamo_db/main.tf

@@ -120,4 +120,18 @@ data "aws_iam_policy_document" "dynamodb_write_policy" {
       aws_dynamodb_table.ndr_dynamodb_table.arn,
     ]
   }
+}
+
+data "aws_iam_policy_document" "dynamodb_write_without_update_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+      "dynamodb:BatchWriteItem"
+    ]
+    resources = [
+      aws_dynamodb_table.ndr_dynamodb_table.arn,
+    ]
+  }
 }

infrastructure/modules/dynamo_db/output.tf

@@ -20,4 +20,8 @@ output "dynamodb_read_policy_document" {
 
 output "dynamodb_write_policy_document" {
   value = data.aws_iam_policy_document.dynamodb_write_policy.json
+}
+
+output "dynamodb_write_without_update_policy_document" {
+  value = data.aws_iam_policy_document.dynamodb_write_without_update_policy.json
 }

infrastructure/variable.tf

@@ -106,6 +106,12 @@ variable "statistics_dynamodb_table_name" {
   default     = "ApplicationStatistics"
 }
 
+variable "access_audit_dynamodb_table_name" {
+  type        = string
+  description = "The name of the dynamodb table to store the audit of access to deceased patient records"
+  default     = "AccessAudit"
+}
+
 # VPC Variables
 
 variable "standalone_vpc_tag" {