[PRMP-594] New lambda for get doc ref

Author: adamwhitingnhs

infrastructure/api.tf

@@ -60,6 +60,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.feature-flags-lambda,
     module.fhir_document_reference_gateway,
     module.get-doc-fhir-lambda,
+    module.get-doc-ref-lambda,
     module.get-report-by-ods-gateway,
     module.get-report-by-ods-lambda,
     module.lloyd-george-stitch-gateway,

infrastructure/gateway-document-reference.tf

@@ -26,7 +26,7 @@ module "document_reference_id_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = module.document_reference_gateway.gateway_resource_id
-  http_methods        = ["PUT"]
+  http_methods        = ["PUT", "GET"]
   authorization       = "CUSTOM"
   gateway_path        = "{id}"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id

infrastructure/iam.tf

@@ -139,8 +139,11 @@ data "aws_iam_policy_document" "assume_role_policy_for_get_doc_ref_lambda" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "AWS"
-      identifiers = [module.get-doc-fhir-lambda.lambda_execution_role_arn]
+      type = "AWS"
+      identifiers = [
+        module.get-doc-fhir-lambda.lambda_execution_role_arn,
+        module.get-doc-ref-lambda.lambda_execution_role_arn
+      ]
     }
   }
 }
@@ -266,3 +269,13 @@ resource "aws_iam_role_policy_attachment" "update_put_presign_url" {
   role       = aws_iam_role.update_put_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_put_only.arn
 }
+
+resource "aws_iam_role" "get_doc_ref_presign_url_role" {
+  name               = "${terraform.workspace}_get_doc_ref_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_for_get_doc_ref_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "get_doc_ref_presign_url" {
+  role       = aws_iam_role.get_doc_ref_presign_url_role.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_for_get_doc_ref_lambda.arn
+}

infrastructure/lambda-get-doc-ref.tf

@@ -0,0 +1,81 @@
+module "get_doc_ref_alarm" {
+  source               = "./modules/lambda_alarms"
+  lambda_function_name = module.get_doc_ref_lambda.function_name
+  lambda_timeout       = module.get_doc_ref_lambda.timeout
+  lambda_name          = "get_document_reference_handler"
+  namespace            = "AWS/Lambda"
+  alarm_actions        = [module.get_doc_ref_alarm_topic.arn]
+  ok_actions           = [module.get_doc_ref_alarm_topic.arn]
+  depends_on           = [module.get_doc_ref_lambda, module.get_doc_ref_alarm_topic]
+}
+
+module "get_doc_ref_alarm_topic" {
+  source                = "./modules/sns"
+  sns_encryption_key_id = module.sns_encryption_key.id
+  topic_name            = "get_doc-alarms-topic"
+  topic_protocol        = "lambda"
+  topic_endpoint        = module.get_doc_ref_lambda.lambda_arn
+  depends_on            = [module.sns_encryption_key]
+  delivery_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : [
+          "SNS:Publish",
+        ],
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:eu-west-2:${data.aws_caller_identity.current.account_id}:alarm:*"
+          }
+        }
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+module "get_doc_ref_lambda" {
+  source  = "./modules/lambda"
+  name    = "GetDocRefLambda"
+  handler = "handlers.get_document_reference_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.ndr-lloyd-george-store.s3_write_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy,
+  ]
+  kms_deletion_window = var.kms_deletion_window
+  rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id         = module.document_reference_id_gateway.gateway_resource_id
+  http_methods        = ["GET"]
+  memory_size         = 512
+
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT      = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
+    LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
+    PDS_FHIR_IS_STUBBED        = local.is_sandbox
+    WORKSPACE                  = terraform.workspace
+    PRESIGNED_ASSUME_ROLE      = aws_iam_role.get_doc_ref_presign_url_role.arn
+    EDGE_REFERENCE_TABLE       = module.cloudfront_edge_dynamodb_table.table_name
+    CLOUDFRONT_URL             = module.cloudfront-distribution-lg.cloudfront_url
+  }
+  depends_on = [
+    module.document_reference_gateway,
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    module.lloyd_george_reference_dynamodb_table,
+    module.ndr-lloyd-george-store,
+    module.ndr-app-config,
+    module.cloudfront-distribution-lg,
+    module.cloudfront_edge_dynamodb_table,
+    module.document_reference_id_gateway
+  ]
+}

infrastructure/modules/gateway/README.md

@@ -76,6 +76,7 @@ module "api_gateway_resource" {
 | <a name="input_http_methods"></a> [http\_methods](#input\_http\_methods) | List of allowed HTTP methods for the resource (e.g., ["GET", "POST"]). | `list(string)` | n/a | yes |
 | <a name="input_origin"></a> [origin](#input\_origin) | Allowed origin for CORS requests (e.g., '*', or specific domain). | `string` | `"'*'"` | no |
 | <a name="input_parent_id"></a> [parent\_id](#input\_parent\_id) | ID of the parent API Gateway resource (e.g., root path or another nested resource). | `string` | n/a | yes |
+| <a name="input_request_parameters"></a> [request\_parameters](#input\_request\_parameters) | Request parameters for the API Gateway method. | `map(string)` | `{}` | no |
 | <a name="input_require_credentials"></a> [require\_credentials](#input\_require\_credentials) | Sets the value of 'Access-Control-Allow-Credentials' which controls whether auth cookies are needed. | `bool` | n/a | yes |
 ## Outputs