Merge branch 'main' into PRM-536

Author: chrisbloe

infrastructure/lambda-document-upload-check.tf

@@ -48,7 +48,8 @@ data "aws_security_groups" "virus_scanner_api" {
 }
 
 resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
-  bucket = module.ndr-bulk-staging-store.bucket_id
+  bucket      = module.ndr-bulk-staging-store.bucket_id
+  eventbridge = true
   lambda_function {
     lambda_function_arn = module.document_upload_check_lambda.lambda_arn
     events              = ["s3:ObjectCreated:*"]

infrastructure/lambda-get-document-fhir.tf

@@ -55,12 +55,17 @@ module "get-doc-fhir-lambda" {
     WORKSPACE                  = terraform.workspace
     ENVIRONMENT                = var.environment
     PRESIGNED_ASSUME_ROLE      = aws_iam_role.get_fhir_doc_presign_url_role.arn
-    LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
+    PDM_DYNAMODB_NAME          = module.pdm_dynamodb_table.table_name
     OIDC_CALLBACK_URL          = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
     CLOUDFRONT_URL             = module.cloudfront-distribution-lg.cloudfront_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
   }
-  depends_on = [aws_api_gateway_method.get_document_reference]
+  depends_on = [
+    aws_api_gateway_method.get_document_reference,
+    module.pdm_dynamodb_table,
+    module.lloyd_george_reference_dynamodb_table,
+  ]
 }
 
 resource "aws_api_gateway_integration" "get_doc_fhir_lambda_integration" {
@@ -83,4 +88,5 @@ resource "aws_lambda_permission" "lambda_permission_get_mtls_api" {
   # The "/*/*" portion grants access from any method on any resource
   # within the API Gateway REST API.
   source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
-}
+}
+

infrastructure/lambda-post-document-fhir.tf

@@ -18,14 +18,19 @@ module "post-document-references-fhir-lambda" {
     APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
-    DOCUMENT_STORE_DYNAMODB_NAME    = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
-    LLOYD_GEORGE_DYNAMODB_NAME      = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME      = module.lloyd_george_reference_dynamodb_table.table_name
+    PDM_DYNAMODB_NAME               = module.pdm_dynamodb_table.table_name
     STAGING_STORE_BUCKET_NAME       = "${terraform.workspace}-${var.staging_store_bucket_name}"
     DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
     PDS_FHIR_IS_STUBBED             = local.is_sandbox
     WORKSPACE                       = terraform.workspace
     PRESIGNED_ASSUME_ROLE           = aws_iam_role.create_post_presign_url_role.arn
   }
+
+  depends_on = [
+    module.pdm_dynamodb_table,
+    module.lloyd_george_reference_dynamodb_table,
+  ]
 }
 
 resource "aws_api_gateway_integration" "post_doc_fhir_lambda_integration" {
@@ -48,4 +53,5 @@ resource "aws_lambda_permission" "lambda_permission_post_mtls_api" {
   # The "/*/*" portion grants access from any method on any resource
   # within the API Gateway REST API.
   source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
-}
+}
+

infrastructure/lambda-search-document-references-fhir.tf

@@ -20,14 +20,16 @@ module "search-document-references-fhir-lambda" {
     APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
-    DYNAMODB_TABLE_LIST             = "[\u0022${terraform.workspace}_${var.docstore_dynamodb_table_name}\u0022, \u0022${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}\u0022]"
+    DYNAMODB_TABLE_LIST             = "[\u0022${module.pdm_dynamodb_table.table_name}\u0022, \u0022${module.lloyd_george_reference_dynamodb_table.table_name}\u0022]"
     DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
     WORKSPACE                       = terraform.workspace
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.search-document-references-gateway,
-    module.ndr-app-config
+    module.ndr-app-config,
+    module.pdm_dynamodb_table,
+    module.lloyd_george_reference_dynamodb_table,
   ]
 }
 
@@ -50,4 +52,5 @@ resource "aws_lambda_permission" "lambda_permission_search_mtls_api" {
   # The "/*/*" portion grants access from any method on any resource
   # within the API Gateway REST API.
   source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
-}
+}
+

infrastructure/policies.tf

@@ -30,7 +30,7 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
           "kms:Decrypt",
         ],
         Resource = [
-          "arn:aws:lambda:eu-west-2:${data.aws_caller_identity.current.account_id}:function:*",
+          "arn:aws:kms:eu-west-2:${data.aws_caller_identity.current.account_id}:key/*",
         ]
       }
     ]