[PRMP-166] Add update doc ref lambda and refactor create gateway to use shared doc ref gateway

Author: adamwhitingnhs

infrastructure/README.md

@@ -51,7 +51,7 @@
 | <a name="module_create-token-lambda"></a> [create-token-lambda](#module_create-token-lambda)                                                                                        | ./modules/lambda                           | n/a               |
 | <a name="module_create_doc_alarm"></a> [create_doc_alarm](#module_create_doc_alarm)                                                                                                 | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_doc_alarm_topic"></a> [create_doc_alarm_topic](#module_create_doc_alarm_topic)                                                                               | ./modules/sns                              | n/a               |
-| <a name="module_create_document_reference_gateway"></a> [create_document_reference_gateway](#module_create_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
+| <a name="module_document_reference_gateway"></a> [document_reference_gateway](#module_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
 | <a name="module_create_token-alarm"></a> [create_token-alarm](#module_create_token-alarm)                                                                                           | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_token-alarm_topic"></a> [create_token-alarm_topic](#module_create_token-alarm_topic)                                                                         | ./modules/sns                              | n/a               |
 | <a name="module_data-collection-alarm"></a> [data-collection-alarm](#module_data-collection-alarm)                                                                                  | ./modules/lambda_alarms                    | n/a               |

infrastructure/api.tf

@@ -45,13 +45,13 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.back-channel-logout-gateway,
     module.back_channel_logout_lambda,
     module.create-doc-ref-lambda,
-    module.create_document_reference_gateway,
     module.create-token-gateway,
     module.create-token-lambda,
     module.delete-doc-ref-gateway,
     module.delete-doc-ref-lambda,
     module.document-manifest-job-gateway,
     module.document-manifest-job-lambda,
+    module.document_reference_gateway,
     module.feature-flags-gateway,
     module.feature-flags-lambda,
     module.fhir_document_reference_gateway,
@@ -68,6 +68,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.search-patient-details-lambda,
     module.send-feedback-gateway,
     module.send-feedback-lambda,
+    module.update-doc-ref-lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,

infrastructure/gateway-document-reference.tf

@@ -10,3 +10,14 @@ module "fhir_document_reference_gateway" {
   require_credentials = true
 }
 
+module "document_reference_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["POST", "PUT"]
+  authorization       = "CUSTOM"
+  gateway_path        = "DocumentReference"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+}

infrastructure/iam.tf

@@ -243,3 +243,26 @@ resource "aws_api_gateway_account" "logging" {
   count               = local.is_sandbox ? 0 : 1
   cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_for_update_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "AWS"
+      identifiers = compact([
+        module.update-doc-ref-lambda.lambda_execution_role_arn
+      ])
+    }
+  }
+}
+
+resource "aws_iam_role" "update_put_presign_url_role" {
+  name               = "${terraform.workspace}update_put_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_for_update_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "update_put_presign_url" {
+  role       = aws_iam_role.update_put_presign_url_role.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_put_only.arn
+}

infrastructure/lambda-authoriser.tf

@@ -46,7 +46,7 @@ module "authoriser-alarm" {
 module "authoriser-alarm-topic" {
   source                = "./modules/sns"
   sns_encryption_key_id = module.sns_encryption_key.id
-  topic_name            = "create_doc-alarms-topic"
+  topic_name            = "authoriser-alarms-topic"
   topic_protocol        = "lambda"
   topic_endpoint        = module.authoriser-lambda.lambda_arn
   delivery_policy = jsonencode({

infrastructure/lambda-create-doc-ref.tf

@@ -1,15 +1,3 @@
-module "create_document_reference_gateway" {
-  source              = "./modules/gateway"
-  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
-  http_methods        = ["POST"]
-  authorization       = "CUSTOM"
-  gateway_path        = "CreateDocumentReference"
-  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
-  require_credentials = true
-  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
-}
-
 module "create_doc_alarm" {
   source               = "./modules/lambda_alarms"
   lambda_function_name = module.create-doc-ref-lambda.function_name
@@ -73,7 +61,7 @@ module "create-doc-ref-lambda" {
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id         = module.create_document_reference_gateway.gateway_resource_id
+  resource_id         = module.document_reference_gateway.gateway_resource_id
   http_methods        = ["POST"]
   memory_size         = 512
 
@@ -92,7 +80,7 @@ module "create-doc-ref-lambda" {
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.create_post_presign_url_role.arn
   }
   depends_on = [
-    module.create_document_reference_gateway,
+    module.document_reference_gateway,
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.document_reference_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table,

infrastructure/lambda-update-doc-ref.tf

@@ -0,0 +1,93 @@
+module "update_doc_alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.update-doc-ref-lambda.function_name
+  lambda_timeout       = module.update-doc-ref-lambda.timeout
+  lambda_name          = "update_document_reference_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.update_doc_alarm_topic.arn]
+  ok_actions           = [module.update_doc_alarm_topic.arn]
+  depends_on           = [module.update-doc-ref-lambda, module.update_doc_alarm_topic]
+}
+
+
+module "update_doc_alarm_topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  topic_name            = "update_doc-alarms-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.update-doc-ref-lambda.lambda_arn
+  depends_on            = [module.sns_encryption_key]
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+module "update-doc-ref-lambda" {
+  source  = "./modules/lambda"
+  name    = "UpdateDocRefLambda"
+  handler = "handlers.update_document_reference_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-document-store.s3_read_policy_document,
+    module.ndr-document-store.s3_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.document_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
+  ]
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id         = module.document_reference_gateway.gateway_resource_id
+  http_methods        = ["PUT"]
+  memory_size         = 512
+
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  lambda_environment_variables = {
+    STAGING_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.staging_store_bucket_name}"
+    APPCONFIG_APPLICATION         = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT         = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_STORE_BUCKET_NAME    = "${terraform.workspace}-${var.docstore_bucket_name}"
+    DOCUMENT_STORE_DYNAMODB_NAME  = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
+    PDS_FHIR_IS_STUBBED           = local.is_sandbox,
+    WORKSPACE                     = terraform.workspace
+    PRESIGNED_ASSUME_ROLE         = aws_iam_role.update_put_presign_url_role.arn
+  }
+  depends_on = [
+    module.document_reference_gateway,
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    module.document_reference_dynamodb_table,
+    module.lloyd_george_reference_dynamodb_table,
+    module.ndr-bulk-staging-store,
+    module.ndr-app-config,
+    module.lloyd_george_reference_dynamodb_table,
+    module.document_reference_dynamodb_table,
+    module.stitch_metadata_reference_dynamodb_table
+  ]
+}

infrastructure/modules/app_config/configurations/dev.json

@@ -14,6 +14,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "name": "lloydGeorgeValidationStrictModeEnabled"
+        },
+        "addDocumentEnabled": {
+            "name": "addDocumentEnabled"
         }
     },
     "values": {
@@ -31,6 +34,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "enabled": "true"
+        },
+        "addDocumentEnabled": {
+            "enabled": "true"
         }
     },
     "version": "1"

infrastructure/modules/app_config/configurations/pre-prod.json

@@ -14,6 +14,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "name": "lloydGeorgeValidationStrictModeEnabled"
+        },
+        "addDocumentEnabled": {
+            "name": "addDocumentEnabled"
         }
     },
     "values": {
@@ -31,6 +34,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "enabled": "true"
+        },
+        "addDocumentEnabled": {
+            "enabled": "false"
         }
     },
     "version": "1"

infrastructure/modules/app_config/configurations/prod.json

@@ -14,6 +14,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "name": "lloydGeorgeValidationStrictModeEnabled"
+        },
+        "addDocumentEnabled": {
+            "name": "addDocumentEnabled"
         }
     },
     "values": {
@@ -31,6 +34,9 @@
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "enabled": "true"
+        },
+        "addDocumentEnabled": {
+            "enabled": "false"
         }
     },
     "version": "1"