[NDR-97] Post document reference (#321)

* [NDR-96] initial commit, new lambda and endpoint

* [NDR-97] Renaming current upload endpoint

* [NDR-97] Renaming upload gateway endpoint

* [NDR-97] changing doc ref gateway conf

* [NDR-97] changing doc ref gateway conf

* [NDR-97] name changes

* [NDR-97] add env var

* [NDR-97] line ending

* [NDR-97] format

* [NDR-97] fix name change

* [NDR-97] missing permission

* [NDR-97] missing iam role for pre-sign

* [NDR-97] presign url iam policy

* [NDR-97] move gateway doc ref to new file

* [NDR-101] remove implicit depends on

---------

Co-authored-by: robg-nhs <[email protected]>

Author: NogaNHS

infrastructure/README.md

@@ -50,6 +50,7 @@
 | <a name="module_create-token-lambda"></a> [create-token-lambda](#module\_create-token-lambda) | ./modules/lambda | n/a |
 | <a name="module_create_doc_alarm"></a> [create\_doc\_alarm](#module\_create\_doc\_alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_create_doc_alarm_topic"></a> [create\_doc\_alarm\_topic](#module\_create\_doc\_alarm\_topic) | ./modules/sns | n/a |
+| <a name="module_create_document_reference_gateway"></a> [create\_document\_reference\_gateway](#module\_create\_document\_reference\_gateway) | ./modules/gateway | n/a |
 | <a name="module_create_token-alarm"></a> [create\_token-alarm](#module\_create\_token-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_create_token-alarm_topic"></a> [create\_token-alarm\_topic](#module\_create\_token-alarm\_topic) | ./modules/sns | n/a |
 | <a name="module_data-collection-alarm"></a> [data-collection-alarm](#module\_data-collection-alarm) | ./modules/lambda_alarms | n/a |
@@ -128,6 +129,7 @@
 | <a name="module_pdf-stitching-alarm-topic"></a> [pdf-stitching-alarm-topic](#module\_pdf-stitching-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-lambda"></a> [pdf-stitching-lambda](#module\_pdf-stitching-lambda) | ./modules/lambda | n/a |
 | <a name="module_pdf-stitching-lambda-alarms"></a> [pdf-stitching-lambda-alarms](#module\_pdf-stitching-lambda-alarms) | ./modules/lambda_alarms | n/a |
+| <a name="module_post-document-references-fhir-lambda"></a> [post-document-references-fhir-lambda](#module\_post-document-references-fhir-lambda) | ./modules/lambda | n/a |
 | <a name="module_pdm-document-store"></a> [pdm-document-store](#module\_pdm-document-store) | ./modules/s3/ | n/a |
 | <a name="module_pdm_dynamodb_table"></a> [pdm\_dynamodb\_table](#module\_pdm\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_route53_fargate_ui"></a> [route53\_fargate\_ui](#module\_route53\_fargate\_ui) | ./modules/route53 | n/a |
@@ -193,7 +195,6 @@
 | [aws_api_gateway_integration_response.get_document_reference_mock_403_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
 | [aws_api_gateway_integration_response.get_document_reference_mock_404_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
 | [aws_api_gateway_method.get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
-| [aws_api_gateway_method.get_document_references_fhir](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method.login_proxy_method](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method.sandbox_get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method_response.response_200](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |

infrastructure/api.tf

@@ -49,6 +49,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.back_channel_logout_lambda,
     module.document_reference_gateway,
     module.create-doc-ref-lambda,
+    module.create_document_reference_gateway,
     module.create-token-gateway,
     module.create-token-lambda,
     module.delete-doc-ref-gateway,
@@ -74,6 +75,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.update-upload-state-lambda,
     module.upload_confirm_result_gateway,
     module.upload_confirm_result_lambda,
+    module.post-document-references-fhir-lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda
   ]

infrastructure/gateway-document-reference.tf

@@ -0,0 +1,10 @@
+module "document_reference_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["POST", "GET"]
+  authorization       = "NONE"
+  api_key_required    = true
+  gateway_path        = "DocumentReference"
+  require_credentials = true
+}

infrastructure/iam.tf

@@ -20,8 +20,12 @@ data "aws_iam_policy_document" "assume_role_policy_for_create_lambda" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "AWS"
-      identifiers = [module.create-doc-ref-lambda.lambda_execution_role_arn]
+      type = "AWS"
+      identifiers = compact([
+        module.create-doc-ref-lambda.lambda_execution_role_arn,
+        local.is_production ? null : module.post-document-references-fhir-lambda[0].lambda_execution_role_arn
+      ])
+
     }
   }
 }

infrastructure/lambda-create-doc-ref.tf

@@ -1,10 +1,10 @@
-module "document_reference_gateway" {
+module "create_document_reference_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
   http_methods        = ["POST"]
   authorization       = "CUSTOM"
-  gateway_path        = "DocumentReference"
+  gateway_path        = "CreateDocumentReference"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
   origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
@@ -73,7 +73,7 @@ module "create-doc-ref-lambda" {
     module.ndr-app-config.app_config_policy,
   ]
   rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id  = module.document_reference_gateway.gateway_resource_id
+  resource_id  = module.create_document_reference_gateway.gateway_resource_id
   http_methods = ["POST"]
   memory_size  = 512
 

infrastructure/lambda-post-document-fhir.tf

@@ -0,0 +1,29 @@
+module "post-document-references-fhir-lambda" {
+  count   = local.is_production ? 0 : 1
+  source  = "./modules/lambda"
+  name    = "PostDocumentReferencesFHIR"
+  handler = "handlers.post_fhir_document_reference_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.ssm_access_policy.policy
+  ]
+  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id       = module.document_reference_gateway.gateway_resource_id
+  http_methods      = ["POST"]
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_STORE_DYNAMODB_NAME    = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME      = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    STAGING_STORE_BUCKET_NAME       = "${terraform.workspace}-${var.staging_store_bucket_name}"
+    DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
+    PDS_FHIR_IS_STUBBED             = local.is_sandbox
+    WORKSPACE                       = terraform.workspace
+    PRESIGNED_ASSUME_ROLE           = aws_iam_role.create_post_presign_url_role.arn
+  }
+}

infrastructure/lambda-search-document-references-fhir.tf

@@ -1,13 +1,3 @@
-resource "aws_api_gateway_method" "get_document_references_fhir" {
-  count            = local.is_production ? 0 : 1
-  rest_api_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id      = module.document_reference_gateway.gateway_resource_id
-  http_method      = "GET"
-  authorization    = "NONE"
-  api_key_required = true
-}
-
-
 module "search-document-references-fhir-lambda" {
   count   = local.is_production ? 0 : 1
   source  = "./modules/lambda"

infrastructure/modules/gateway/outputs.tf

@@ -1,3 +1,3 @@
-output "gateway_resource_id" {
-  value = aws_api_gateway_resource.gateway_resource.id
+output "gateway_resource_id" {
+  value = aws_api_gateway_resource.gateway_resource.id
 }

infrastructure/modules/gateway/variable.tf

@@ -30,7 +30,8 @@ variable "require_credentials" {
 }
 
 variable "origin" {
-  type = string
+  type    = string
+  default = "'*'"
 }
 
 variable "api_key_required" {

infrastructure/modules/lambda/outputs.tf

@@ -1,27 +1,27 @@
-output "invoke_arn" {
-  value = aws_lambda_function.lambda.invoke_arn
-}
-
-output "qualified_arn" {
-  value = aws_lambda_function.lambda.qualified_arn
-}
-
-output "function_name" {
-  value = aws_lambda_function.lambda.function_name
-}
-
-output "timeout" {
-  value = aws_lambda_function.lambda.timeout
-}
-
-output "lambda_arn" {
-  value = aws_lambda_function.lambda.arn
-}
-
-output "lambda_execution_role_name" {
-  value = aws_iam_role.lambda_execution_role.name
-}
-
-output "lambda_execution_role_arn" {
-  value = aws_iam_role.lambda_execution_role.arn
+output "invoke_arn" {
+  value = aws_lambda_function.lambda.invoke_arn
+}
+
+output "qualified_arn" {
+  value = aws_lambda_function.lambda.qualified_arn
+}
+
+output "function_name" {
+  value = aws_lambda_function.lambda.function_name
+}
+
+output "timeout" {
+  value = aws_lambda_function.lambda.timeout
+}
+
+output "lambda_arn" {
+  value = aws_lambda_function.lambda.arn
+}
+
+output "lambda_execution_role_name" {
+  value = aws_iam_role.lambda_execution_role.name
+}
+
+output "lambda_execution_role_arn" {
+  value = aws_iam_role.lambda_execution_role.arn
 }