[PRMP-840] Add POST method and IAM roles for document review (#517)

Signed-off-by: NogaNHS <[email protected]>

Author: NogaNHS

infrastructure/api.tf

@@ -84,6 +84,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.document-status-check-gateway,
     module.document-status-check-lambda,
     module.post-document-references-fhir-lambda,
+    module.post_document_review_lambda,
     module.patch_document_review_lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda

infrastructure/gateway-review-document.tf

@@ -2,7 +2,7 @@ module "review_document_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
-  http_methods        = ["GET"]
+  http_methods        = ["GET", "POST"]
   authorization       = "CUSTOM"
   gateway_path        = "DocumentReview"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id

infrastructure/iam.tf

@@ -317,3 +317,41 @@ resource "aws_iam_role_policy_attachment" "get_doc_ref_presign_url" {
   role       = aws_iam_role.get_doc_ref_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_get_doc_ref_lambda.arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_post_document_review_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.post_document_review_lambda.lambda_execution_role_arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "post_document_review_presign" {
+  name               = "${terraform.workspace}_post_review_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_post_document_review_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "post_document_review" {
+  role       = aws_iam_role.post_document_review_presign.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_post_document_review_lambda.arn
+}
+
+resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda" {
+  name = "${terraform.workspace}_put_document_only_policy_for_post_document_review_lambda"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:PutObject",
+        ],
+        "Resource" : ["${module.ndr-bulk-staging-store.bucket_arn}/review/*"]
+      }
+    ]
+  })
+}

infrastructure/lambda-post-document-review.tf

@@ -0,0 +1,76 @@
+module "post_document_review_lambda" {
+  source  = "./modules/lambda"
+  name    = "PostDocumentReview"
+  handler = "handlers.post_document_review_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.ndr-app-config.app_config_policy,
+    local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_write_policy_document,
+    local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document,
+  ]
+
+  rest_api_id                   = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  api_execution_arn             = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  http_methods                  = ["POST"]
+  resource_id                   = module.review_document_gateway.gateway_resource_id
+  kms_deletion_window           = var.kms_deletion_window
+  is_gateway_integration_needed = true
+  is_invoked_from_gateway       = true
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION         = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT         = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_REVIEW_DYNAMODB_NAME = local.is_production ? "" : module.document_review_dynamodb_table[0].table_name
+    PRESIGNED_ASSUME_ROLE         = aws_iam_role.post_document_review_presign.arn
+    WORKSPACE                     = terraform.workspace
+    STAGING_STORE_BUCKET_NAME     = module.ndr-bulk-staging-store.bucket_id
+    EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
+  }
+  depends_on = [
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    module.review_document_gateway
+  ]
+}
+
+
+module "post_document_review_lambda_alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.post_document_review_lambda.function_name
+  lambda_timeout       = module.post_document_review_lambda.timeout
+  lambda_name          = "post_document_review_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.post_document_review_lambda_alarm_topic.arn]
+  ok_actions           = [module.post_document_review_lambda_alarm_topic.arn]
+}
+
+
+module "post_document_review_lambda_alarm_topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  topic_name            = "post-document-review-lambda-alarm-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.post_document_review_lambda.lambda_arn
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+