[PRMP-1580] NHSOAuthTokenGenerator lambda

* [PRMP-1580] Added NHS OAuth Token Generator Lambda

* [PRMP-1580] corrected ssm_access_policy

* [PRMP-1580] - Add alarm and topic for nhs-oauth-token-generator-lambda

* [PRMP-1580] Removed implicit dependencies, extended Lambda timeout

* [PRMP-1580] Terraform formatting

---------

Co-authored-by: Andy Flint <[email protected]>
Co-authored-by: Mohammad Iqbal <[email protected]>
Co-authored-by: robg-nhs <[email protected]>

Author: 4 people

infrastructure/README.md

@@ -120,6 +120,9 @@
 | <a name="module_nems-message-lambda"></a> [nems-message-lambda](#module\_nems-message-lambda) | ./modules/lambda | n/a |
 | <a name="module_nems-message-lambda-alarm"></a> [nems-message-lambda-alarm](#module\_nems-message-lambda-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_nems-message-lambda-alarm-topic"></a> [nems-message-lambda-alarm-topic](#module\_nems-message-lambda-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_nhs-oauth-token-generator-alarm"></a> [nhs-oauth-token-generator-alarm](#module\_nhs-oauth-token-generator-alarm) | ./modules/lambda_alarms | n/a |
+| <a name="module_nhs-oauth-token-generator-alarm-topic"></a> [nhs-oauth-token-generator-alarm-topic](#module\_nhs-oauth-token-generator-alarm-topic) | ./modules/sns | n/a |
+| <a name="module_nhs-oauth-token-generator-lambda"></a> [nhs-oauth-token-generator-lambda](#module\_nhs-oauth-token-generator-lambda) | ./modules/lambda | n/a |
 | <a name="module_nrl-dlq-alarm-topic"></a> [nrl-dlq-alarm-topic](#module\_nrl-dlq-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-alarm-topic"></a> [pdf-stitching-alarm-topic](#module\_pdf-stitching-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-lambda"></a> [pdf-stitching-lambda](#module\_pdf-stitching-lambda) | ./modules/lambda | n/a |
@@ -209,10 +212,12 @@
 | [aws_cloudwatch_event_rule.bulk_upload_metadata_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.bulk_upload_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.data_collection_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.statistical_report_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_metadata_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.bulk_upload_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_metric_filter.edge_presign_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
@@ -318,6 +323,7 @@
 | [aws_lambda_permission.bulk_upload_metadata_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.bulk_upload_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.data_collection_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.nhs_oauth_token_generator_schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.statistical_report_schedule_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_rum_app_monitor.ndr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rum_app_monitor) | resource |
 | [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |

infrastructure/lambda-nhs-oauth-token-generator.tf

@@ -0,0 +1,58 @@
+module "nhs-oauth-token-generator-lambda" {
+  source         = "./modules/lambda"
+  name           = "NhsOauthTokenGeneratorLambda"
+  handler        = "handlers.nhs_oauth_token_generator_handler.lambda_handler"
+  lambda_timeout = 120
+  iam_role_policy_documents = [
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
+  ]
+
+  rest_api_id       = null
+  api_execution_arn = null
+
+  lambda_environment_variables = {
+    WORKSPACE = terraform.workspace
+  }
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}
+
+module "nhs-oauth-token-generator-alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.nhs-oauth-token-generator-lambda.function_name
+  lambda_timeout       = module.nhs-oauth-token-generator-lambda.timeout
+  lambda_name          = "nhs_oauth_token_generator_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.nhs-oauth-token-generator-alarm-topic.arn]
+  ok_actions           = [module.nhs-oauth-token-generator-alarm-topic.arn]
+}
+
+module "nhs-oauth-token-generator-alarm-topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  current_account_id    = data.aws_caller_identity.current.account_id
+  topic_name            = "nhs-oauth-token-generator-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.nhs-oauth-token-generator-lambda.lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}

infrastructure/schedules.tf

@@ -164,4 +164,24 @@ resource "aws_iam_role_policy_attachment" "ods_weekly_update_ecs_execution" {
   count      = local.is_sandbox ? 0 : 1
   role       = aws_iam_role.ods_weekly_update_ecs_execution[0].name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
-}
+}
+
+resource "aws_cloudwatch_event_rule" "nhs_oauth_token_generator_schedule" {
+  name                = "${terraform.workspace}_nhs_oauth_token_generator_schedule"
+  description         = "Schedule for NHS OAuth Token Generator Lambda"
+  schedule_expression = "rate(9 minutes)"
+}
+
+resource "aws_cloudwatch_event_target" "nhs_oauth_token_generator_schedule" {
+  rule      = aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule.name
+  target_id = "nhs_oauth_token_generator_schedule"
+  arn       = module.nhs-oauth-token-generator-lambda.lambda_arn
+}
+
+resource "aws_lambda_permission" "nhs_oauth_token_generator_schedule" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = module.nhs-oauth-token-generator-lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.nhs_oauth_token_generator_schedule.arn
+}