Merge branch 'main' into PRMP-579

Author: steph-torres-nhs

infrastructure/README.md

@@ -51,7 +51,7 @@
 | <a name="module_create-token-lambda"></a> [create-token-lambda](#module_create-token-lambda)                                                                                        | ./modules/lambda                           | n/a               |
 | <a name="module_create_doc_alarm"></a> [create_doc_alarm](#module_create_doc_alarm)                                                                                                 | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_doc_alarm_topic"></a> [create_doc_alarm_topic](#module_create_doc_alarm_topic)                                                                               | ./modules/sns                              | n/a               |
-| <a name="module_create_document_reference_gateway"></a> [create_document_reference_gateway](#module_create_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
+| <a name="module_document_reference_gateway"></a> [document_reference_gateway](#module_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
 | <a name="module_create_token-alarm"></a> [create_token-alarm](#module_create_token-alarm)                                                                                           | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_token-alarm_topic"></a> [create_token-alarm_topic](#module_create_token-alarm_topic)                                                                         | ./modules/sns                              | n/a               |
 | <a name="module_data-collection-alarm"></a> [data-collection-alarm](#module_data-collection-alarm)                                                                                  | ./modules/lambda_alarms                    | n/a               |

infrastructure/api.tf

@@ -23,7 +23,11 @@ resource "aws_api_gateway_base_path_mapping" "api_mapping" {
   stage_name  = var.environment
   domain_name = local.api_gateway_full_domain_name
 
-  depends_on = [aws_api_gateway_deployment.ndr_api_deploy, aws_api_gateway_rest_api.ndr_doc_store_api]
+  depends_on = [
+    aws_api_gateway_deployment.ndr_api_deploy,
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    aws_api_gateway_stage.ndr_api
+  ]
 }
 
 resource "aws_api_gateway_resource" "auth_resource" {
@@ -45,13 +49,13 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.back-channel-logout-gateway,
     module.back_channel_logout_lambda,
     module.create-doc-ref-lambda,
-    module.create_document_reference_gateway,
     module.create-token-gateway,
     module.create-token-lambda,
     module.delete-doc-ref-gateway,
     module.delete-doc-ref-lambda,
     module.document-manifest-job-gateway,
     module.document-manifest-job-lambda,
+    module.document_reference_gateway,
     module.feature-flags-gateway,
     module.feature-flags-lambda,
     module.fhir_document_reference_gateway,
@@ -68,6 +72,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.search-patient-details-lambda,
     module.send-feedback-gateway,
     module.send-feedback-lambda,
+    module.update_doc_ref_lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,

infrastructure/api_mtls.tf

@@ -35,7 +35,8 @@ resource "aws_api_gateway_base_path_mapping" "api_mapping_mtls" {
 
   depends_on = [
     aws_api_gateway_deployment.ndr_api_deploy_mtls,
-    aws_api_gateway_rest_api.ndr_doc_store_api_mtls
+    aws_api_gateway_rest_api.ndr_doc_store_api_mtls,
+    aws_api_gateway_stage.ndr_api_mtls
   ]
 }
 

infrastructure/dynamo_db.tf

@@ -89,6 +89,10 @@ module "lloyd_george_reference_dynamodb_table" {
     {
       name = "CurrentGpOds"
       type = "S"
+    },
+    {
+      name = "S3FileKey"
+      type = "S"
     }
   ]
 
@@ -107,6 +111,11 @@ module "lloyd_george_reference_dynamodb_table" {
       name            = "OdsCodeIndex"
       hash_key        = "CurrentGpOds"
       projection_type = "ALL"
+    },
+    {
+      name            = "S3FileKeyIndex"
+      hash_key        = "S3FileKey"
+      projection_type = "ALL"
     }
   ]
 

infrastructure/dynamo_db_review.tf

@@ -0,0 +1,84 @@
+module "document_review_dynamodb_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.document_review_table_name
+  hash_key                       = "ID"
+  deletion_protection_enabled    = local.is_production
+  stream_enabled                 = false
+  ttl_enabled                    = true
+  ttl_attribute_name             = "TTL"
+  point_in_time_recovery_enabled = !local.is_sandbox
+
+  attributes = [
+    {
+      name = "ID"
+      type = "S"
+    },
+    {
+      name = "Custodian"
+      type = "S"
+    },
+    {
+      name = "NhsNumber"
+      type = "S"
+    },
+    {
+      name = "ReviewStatus"
+      type = "S"
+    },
+    {
+      name = "Author"
+      type = "S"
+    },
+    {
+      name = "Reviewer"
+      type = "S"
+    },
+    {
+      name = "ReviewDate"
+      type = "S"
+    },
+    {
+      name = "UploadDate"
+      type = "N"
+    }
+
+  ]
+
+  global_secondary_indexes = [
+    {
+      name            = "CustodianIndex"
+      hash_key        = "Custodian"
+      range_key       = "UploadDate"
+      projection_type = "ALL"
+
+    },
+    {
+      name            = "AuthorIndex"
+      hash_key        = "Author"
+      range_key       = "UploadDate"
+      projection_type = "ALL"
+
+    },
+    {
+      name            = "ReviewStatusIndex"
+      hash_key        = "ReviewStatus"
+      range_key       = "UploadDate"
+      projection_type = "ALL"
+    },
+    {
+      name            = "ReviewerIndex"
+      hash_key        = "Reviewer"
+      range_key       = "ReviewDate"
+      projection_type = "ALL"
+    },
+    {
+      name            = "NhsNumberIndex"
+      hash_key        = "NhsNumber"
+      range_key       = "UploadDate"
+      projection_type = "ALL"
+    }
+  ]
+
+  environment = var.environment
+  owner       = var.owner
+}

infrastructure/gateway-document-reference.tf

@@ -10,3 +10,30 @@ module "fhir_document_reference_gateway" {
   require_credentials = true
 }
 
+module "document_reference_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["POST"]
+  authorization       = "CUSTOM"
+  gateway_path        = "DocumentReference"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+}
+
+module "document_reference_id_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = module.document_reference_gateway.gateway_resource_id
+  http_methods        = ["PUT"]
+  authorization       = "CUSTOM"
+  gateway_path        = "{id}"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+
+  request_parameters = {
+    "method.request.path.id" = true
+  }
+}

infrastructure/iam.tf

@@ -23,7 +23,7 @@ data "aws_iam_policy_document" "assume_role_policy_for_create_lambda" {
       type = "AWS"
       identifiers = compact([
         module.create-doc-ref-lambda.lambda_execution_role_arn,
-        local.is_production ? null : module.post-document-references-fhir-lambda.lambda_execution_role_arn
+        module.post-document-references-fhir-lambda.lambda_execution_role_arn
       ])
     }
   }
@@ -243,3 +243,26 @@ resource "aws_api_gateway_account" "logging" {
   count               = local.is_sandbox ? 0 : 1
   cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_for_update_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "AWS"
+      identifiers = compact([
+        module.update_doc_ref_lambda.lambda_execution_role_arn
+      ])
+    }
+  }
+}
+
+resource "aws_iam_role" "update_put_presign_url_role" {
+  name               = "${terraform.workspace}_update_put_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_for_update_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "update_put_presign_url" {
+  role       = aws_iam_role.update_put_presign_url_role.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_put_only.arn
+}

infrastructure/lambda-authoriser.tf

@@ -46,7 +46,7 @@ module "authoriser-alarm" {
 module "authoriser-alarm-topic" {
   source                = "./modules/sns"
   sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "create_doc-alarms-topic"
+  topic_name            = "authoriser-alarms-topic"
   topic_protocol        = "lambda"
   topic_endpoint        = module.authoriser-lambda.lambda_arn
   delivery_policy = jsonencode({

infrastructure/lambda-bulk-upload-metadata-processor.tf

@@ -72,3 +72,26 @@ module "bulk-upload-metadata-processor-alarm-topic" {
 
   depends_on = [module.bulk-upload-metadata-processor-lambda, module.sns_encryption_key]
 }
+
+resource "aws_lambda_permission" "bulk_upload_metadata_processor_lambda" {
+  statement_id  = "AllowS3Invoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.bulk-upload-metadata-processor-lambda.function_name
+  principal     = "s3.amazonaws.com"
+  source_arn    = module.ndr-bulk-staging-store.bucket_arn
+}
+
+resource "aws_s3_bucket_notification" "bulk_upload_metadata_processor_lambda_trigger" {
+  bucket = module.ndr-bulk-staging-store.bucket_id
+
+  lambda_function {
+    lambda_function_arn = module.bulk-upload-metadata-processor-lambda.lambda_arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "expedite/"
+    filter_suffix       = ".pdf"
+  }
+
+  depends_on = [
+    aws_lambda_permission.bulk_upload_metadata_processor_lambda
+  ]
+}

infrastructure/lambda-create-doc-ref.tf

@@ -1,15 +1,3 @@
-module "create_document_reference_gateway" {
-  source              = "./modules/gateway"
-  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
-  http_methods        = ["POST"]
-  authorization       = "CUSTOM"
-  gateway_path        = "CreateDocumentReference"
-  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
-  require_credentials = true
-  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
-}
-
 module "create_doc_alarm" {
   source               = "./modules/lambda_alarms"
   lambda_function_name = module.create-doc-ref-lambda.function_name
@@ -73,7 +61,7 @@ module "create-doc-ref-lambda" {
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id         = module.create_document_reference_gateway.gateway_resource_id
+  resource_id         = module.document_reference_gateway.gateway_resource_id
   http_methods        = ["POST"]
   memory_size         = 512
 
@@ -92,7 +80,7 @@ module "create-doc-ref-lambda" {
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.create_post_presign_url_role.arn
   }
   depends_on = [
-    module.create_document_reference_gateway,
+    module.document_reference_gateway,
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.document_reference_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table,