Merge branch 'main' into PRMP-1559

steph-torres-nhs · web-flow · commit dccc4bcf2340 · 2025-03-06T16:55:34.000Z
diff --git a/infrastructure/cloudwatch_rum.tf b/infrastructure/cloudwatch_rum.tf
@@ -0,0 +1,83 @@
+locals {
+  cognito_role_name = "${terraform.workspace}-cognito-unauth-role"
+}
+
+resource "aws_iam_role" "cognito_unauthenticated" {
+  count = local.is_production ? 0 : 1
+  name  = local.cognito_role_name
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal : {
+          Federated : "cognito-identity.amazonaws.com"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum[0].id
+          },
+          "ForAnyValue:StringLike" = {
+            "cognito-identity.amazonaws.com:amr" = "unauthenticated"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
+  count       = local.is_production ? 0 : 1
+  name        = "${terraform.workspace}-cloudwatch-rum-cognito-access-policy"
+  description = "Policy for unauthenticated Cognito identities"
+
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : "rum:PutRumEvents",
+          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr[0].id}"
+        }
+      ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_rum_cognito_unauth" {
+  count      = local.is_production ? 0 : 1
+  role       = aws_iam_role.cognito_unauthenticated[0].name
+  policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access[0].arn
+}
+
+resource "aws_cognito_identity_pool_roles_attachment" "cloudwatch_rum" {
+  count            = local.is_production ? 0 : 1
+  identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
+
+  roles = {
+    unauthenticated = aws_iam_role.cognito_unauthenticated[0].arn
+  }
+}
+
+resource "aws_cognito_identity_pool" "cloudwatch_rum" {
+  count                            = local.is_production ? 0 : 1
+  identity_pool_name               = "${terraform.workspace}-cloudwatch-rum-identity-pool"
+  allow_unauthenticated_identities = true
+}
+
+resource "aws_rum_app_monitor" "ndr" {
+  count          = local.is_production ? 0 : 1
+  name           = "${terraform.workspace}-app-monitor"
+  domain         = "*.${var.domain}"
+  cw_log_enabled = false
+
+  app_monitor_configuration {
+    identity_pool_id    = aws_cognito_identity_pool.cloudwatch_rum[0].id
+    allow_cookies       = true
+    enable_xray         = false
+    session_sample_rate = 1.0
+    telemetries         = ["errors", "performance", "http"]
+  }
+}
diff --git a/infrastructure/lambda-bulk-upload.tf b/infrastructure/lambda-bulk-upload.tf
@@ -12,7 +12,7 @@ module "bulk-upload-lambda" {
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
     module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
     module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
-    module.sqs-nrl-queue.sqs_write_policy_document,
+    module.sqs-stitching-queue.sqs_write_policy_document,
     module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
     module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
     module.sqs-lg-bulk-upload-invalid-queue.sqs_read_policy_document,
@@ -35,7 +35,7 @@ module "bulk-upload-lambda" {
     METADATA_SQS_QUEUE_URL     = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
     INVALID_SQS_QUEUE_URL      = module.sqs-lg-bulk-upload-invalid-queue.sqs_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
-    NRL_SQS_URL                = module.sqs-nrl-queue.sqs_url
+    PDF_STITCHING_SQS_URL      = module.sqs-stitching-queue.sqs_url
     APIM_API_URL               = data.aws_ssm_parameter.apim_url.value
   }
 
diff --git a/infrastructure/lambda-pdf-stitching.tf b/infrastructure/lambda-pdf-stitching.tf
@@ -5,25 +5,27 @@ module "pdf-stitching-lambda" {
   memory_size    = 1769
   lambda_timeout = 900
   iam_role_policy_documents = [
-    module.ndr-lloyd-george-store.s3_read_policy_document,
     module.sqs-nrl-queue.sqs_read_policy_document,
     module.sqs-nrl-queue.sqs_write_policy_document,
     module.sqs-stitching-queue.sqs_read_policy_document,
     module.sqs-stitching-queue.sqs_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
-    module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document
+    module.unstitched_lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_write_policy_document,
   ]
   rest_api_id             = null
   api_execution_arn       = null
   is_invoked_from_gateway = false
   lambda_environment_variables = {
-    STITCH_SQS_QUEUE_URL          = module.sqs-stitching-queue.sqs_url
-    NRL_SQS_QUEUE_URL             = module.sqs-nrl-queue.sqs_url
-    LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
-    STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.unstitched_lloyd_george_dynamodb_table_name}"
-    WORKSPACE                     = terraform.workspace
+    PDF_STITCHING_SQS_URL                 = module.sqs-stitching-queue.sqs_url
+    NRL_SQS_URL                           = module.sqs-nrl-queue.sqs_url
+    LLOYD_GEORGE_BUCKET_NAME              = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME            = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    UNSTITCHED_LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.unstitched_lloyd_george_dynamodb_table_name}"
+    WORKSPACE                             = terraform.workspace
   }
 }
 
diff --git a/infrastructure/modules/cloudwatch/main.tf b/infrastructure/modules/cloudwatch/main.tf
@@ -13,7 +13,6 @@ resource "aws_cloudwatch_log_group" "ndr_cloudwatch_log_group" {
 resource "aws_cloudwatch_log_stream" "log_stream" {
   name           = "${terraform.workspace}_${var.cloudwatch_log_stream_name}_log_Stream"
   log_group_name = "aws_cloudwatch_log_group.ndr_cloudwatch_log_group"
-
   tags = {
     Name        = "${terraform.workspace}_${var.cloudwatch_log_stream_name}_log_stream"
     Owner       = var.owner
